Secure if recipient does *not* use CSE? No more free certs (separate of CSE)?

CSE using Comodo’s server to decrypt doesn’t seem secure at all

Thawte (owned by Verisign) is dropping their free personal e-mail certificates. They stopped issuing them this October and all of them will expire this November. So I started to look around for other free e-mail certs. I ran across Comodo’s offering with their CSE product and got interested but it seems their scheme is only secure if both sender and recipient are using CSE (so certs can be distributed or generated locally to prevent the cert issuer from being able to decrypt an encrypted e-mail).

I was reading through the locked FAQ thread “How does CSE EXACTLY work?” at https://forums.comodo.com/help_for_comodo_secureemail/how_does_cse_exactly_work-t30149.0.html which described 3 scenarios of A sending an encrypted e-mail to B, which were:

  • A already has B’s digital certificate.
    o CSE not needed.
    o This is the normal (old) means of using e-mail certs.
    o A simply uses B’s public key to encrypt their e-mail and sends it to B, who uses their private key to decrypt.

  • A does not have B’s digital certificate.
    o A uses CSE to encrypt their e-mail and can choose how B will read it.
    o Option 1: B installs CSE to read the encrypted e-mail.
      • Supposedly fully secure. B is nuisanced with a CSE install.
    o Option 2: B forwards the e-mail to Comodo’s server (web reader).
      • B uses a password given by A (via telephone or letter).
      • Not as secure as B using CSE.
    o Option 3: B forwards the e-mail to Comodo’s server.
      • No password needed by B.
      • Not as secure as using a password. Even less secure than using CSE.

Understand that I see “not as secure” as insecure and “even less secure” as not secure. A having to give B a password harkens back to when A would create a password-protected file (like a .zip file, although there are more secure means of encrypting a file) and attach it to an e-mail. Then A would have to somehow separately send the password to B so B could extract the file. However, only A and B were involved and no web reader at a server. I don’t know how the “no password” scheme works since I haven’t yet used CSE, but it appears not to be a secure scheme anyway. When A doesn’t have B’s certificate, Comodo’s web reader or server gets involved. Since the decryption is being handled up on the server, that means the document is not secure because a 3rd party (Comodo) can read it. The decryption is occurring up on Comodo’s server. That Comodo doesn’t read the contents is their self-imposed choice, not a restriction.

So it appears the only means of actually securing an encrypted e-mail is:

  • B sends A a digitally signed e-mail so A can save the public key in it. Then A uses B’s public key to encrypt an e-mail. Only B can decrypt that e-mail using their private key. This is the old x.509 cert scheme. CSE isn’t involved.

  • Both A and B must be using CSE, which presumably generates keys from Comodo’s server but stores them locally. The old x.509 scheme is still employed by both A and B (i.e., encryption AND decryption are handled at the clients) and CSE is only involved in the initial process of assigning the keys to sender and recipient. CSE is merely used to automate the key assignment process.

Any other scheme that employs Comodo’s web reader or server to decrypt the e-mail means the e-mail isn’t secure. Comodo is given the encrypted e-mail and Comodo does the decryption, so Comodo could retain a copy of the decrypted e-mail. Yes, Comodo is probably trustworthy, but a proper encryption scheme doesn’t rely on someone promising that they won’t peek. Even for those that trust Comodo not to peek, hopefully the insecure or not secure decryption schemes for CSE still employ HTTPS to secure the traffic between B and Comodo’s server so the decrypted document is sent to B over a secured connection; otherwise, not only is the document not secured against Comodo’s interrogation but it would also be sent as plain text that could be sniffed out at a host anywhere in the route for the connection between B and Comodo.

No more free e-mail certs from Comodo?

With Comodo not (or no longer) providing free personal e-mail certificates (separate of CSE), is CSE still a viable secure e-mail product? I ask because the description of CSE at http://www.comodo.com/home/internet-security/secure-email.php mentions the following:

“How do I get a free Comodo certificate?
You can either use the Sign-Up Wizard on the Certificates tab of the SecureEmail main window, or signup for one at [our website]”

The [our website] link goes to http://www.comodo.com/products/certificate_services/email_certificate.html. There is no mention of a free e-mail certificate on that web page; however, that web page is also under a “business-security” web path and under the “Medium to Small Business” category of product offerings. Even if I visit the Products page and click on “Free Products”, which scrolls the supposedly free offerings into view, there is no offering for free digital certificates. So if users cannot separately obtain free personal e-mail certificates, can they still do so using CSE? I actually did not come to Comodo looking to involve more software (CSE) in the e-mail cert scheme but instead to find a free e-mail cert to replace those that are getting dropped by Thawte. As I recall, users could get free certs from Comodo (just the cert, and no software required, like CSE). Guess that got discontinued, too. Perhaps now the only way to get a free personal e-mail cert from Comodo is by using their CSE software. However, I don’t always want to encrypt my e-mails but simply want to digitally sign them (so the recipient knows who sent the e-mail and that it did not get altered during transport). Since CSE seems to be all about encryption, I don’t know that I could use it to just digitally sign my e-mails.

In my searching for a replacement free e-mail certificate, I hit instantssl.com which is owned by Comodo. It has a “Free Secure Email Certificates” link but notice the button says “Try”. I already saw the 90-day cert trial at Comodo’s site and wasn’t interested. I’d have to get another one after just 3 months had elapsed. It was bad enough that I had to renew them once a year with Thawte. I clicked on the “Try” button to see what conditions were mentioned for Comodo’s free cert. Sectigo makes no mention of when the free cert will expire. So I clicked on the “Get it free now” button and read through all the terms but still saw no mention of expiration. It mentions “Certificate Period” but never actually states that time interval.

So I cannot find a free e-mail cert at Comodo’s site (comodo.com) except for some 90-day trial stuff. I had to accidentally hit upon their instantssl.com site to find one but the Try button leads me to believe that I’m just looking at another web page for the same 90-day trial certificate.

Hi VanguardLH,

Here’s the support link for the “What is the process for getting a Free Digital Email Certificate?”

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=441&nav=0,96,32

This should work.

That takes you to the Sectigo page that I mentioned finding before (as part of a Google search to find free e-mail certs). The links at comodo.com don’t go there so I had to find it via Google.

By the way, in one of the e-mail cert registrations for one of my 5 e-mail accounts, their confirmation e-mail didn’t show up. Turned out the server-side spam filter was set to immediately delete spam mails. Changed it to hold them in the Junk folder for 10 days. However, Comodo provides no means of re-issuing a cert (by resending their confirmation e-mail). When trying to generate a new cert for the same e-mail address, a popup appears telling me that a cert has already been issued for that e-mail address. However, it provides no means to re-issue their confirmation e-mail or to revoke that cert (so I can create a new one). I hunted around their sites for an hour trying to find out how to revoke a cert. There isn’t a web page. Instead, and even according to their own help, you have to submit a trouble ticket to have someone at Comodo waste their time performing revocations. So I’ll have to wait until someone from Comodo gets back to see if they revoke my old cert before I can try again, in a one-time chance, to get a new cert issued to me for that same e-mail address.

When I had them generate the cert, they asked for a password, supposedly to let me issue a revocation. Nope, no reason to ask for a password because they don’t have a page to issue revocations. Maybe the rep that has to respond to my trouble ticket will ask for it. So I’m stalled for a while to get a free Comodo cert for one of my e-mail addresses.

They don’t tell you beforehand in their web page how long their free cert is good for (i.e., how long before it expires). Even when you register for a cert, they don’t tell you how long it is good for. When they send their confirmation e-mail, they still don’t tell you. Not until you install their free cert can you inspect its properties to see that it expires after a year.

So Comodo does still have free personal-use 1-year e-mail certificates available but their registration and revocation processes need work. Now to find out if using CSE is actually secure when the recipient does NOT have it installed. I’m not going to pressure any recipients into installing additional software.

So I cannot find a free e-mail cert at Comodo's site (comodo.com) except for some 90-day trial stuff.

https://www.comodo.com/ > Free Downloads > Free Email Certificate (https://www.comodo.com/home/internet-security/free-email-certificate.php)

See also: Comodo to Continue Free Email Certificates for Personal Use

Ah, that path works to take me to their “home & home office” category of web pages. The other link they gave describing the free cert in their CSE article took me to their “medium & small business” set of web pages. That takes me to a registration web form that is identical to the one that I found at Comodo’s instantssl.com site (except using a different domain for the HTTPS connection). I had been clicking on the Products link (at the top left of their image instead of at the bottom right), selecting “Free Products”, and didn’t see the free e-mail cert listed there.

Since I already received 4 free e-mail certs from their instantssl.com site, I’ll try to get my last (5th) one from there, too. That way, the domain listed in the cert will be the same for all of them: UTN-UserFirst-Client Authentication and E-mail, http://www.usertrust.com, The USERTRUST Network, Salt Lake City, UT, US. Uffda! They couldn’t just use Comodo (and give the contact and location info for them)? Although instantssl.com shows “InstantSSL from Comodo” on their home page, I’m starting to think that they are just a reseller of Comodo’s certs. As a test, I tried issuing a cert using Comodo’s web form for the same e-mail address for which I already got an e-mail cert from instantssl.com. It said I already had a cert for this e-mail address, so obviously Comodo and their instantssl.com site are sharing the same CA database.

So, at this point, I need to find out just how secure (or insecure) using Comodo’s Secure E-mail product is when the recipient doesn’t have CSE installed (and I don’t want to bother them with installing it, either). The recipient having to give Comodo the received encrypted e-mail to do the decryption means having to trust a 3rd party with the content of your encrypted e-mail that only the recipient was supposed to see.