Shame on you, Comodo!

It just came to my attention that Comodo is trying to steal “Let’s Encrypt” brand:

Do you really need this, Comodo? Stealing brand someone else made up?
:-TD :-TD :-TD

“We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications”

It sounds like to me that Comodo is in possession of trademarks applications that gives it use of “Let’s Encrypt”.

“These trademark applications were filed long after the Internet Security Research Group (ISRG) started using the name Let’s Encrypt publicly in November of 2014, and despite the fact Comodo’s “intent to use” trademark filings acknowledge that it has never used “Let’s Encrypt” as a brand.”

From a legal standpoint (ISRG) should have trademarked this when they started using it publicly in November of 2014. There negligence to have done so is why this debate is happening. Then they want to cry foul because of their failure to follow the simplest of product protections. Registering your trademarks. The one who is in possession of the registered trademark is the owner, and that is the law.

If I’m a small developer and make a product called Windows Perfect PC Repair and have been working on and distributing it for years, and did not bother to trademark the brand name. Then another company comes along and uses the same name for their product but has the common sense to trademark it. Then who owns it? The company with the trademark. It’s the law.

This goes as far back as McDonald’s brothers and Ray Kroc. The brothers owned the original restaurants but he owned the trademarked name. So that’s why he took over the chain and the rest is history.

I always feel slightly bad for the underdog but business is business.

How can Comodo steal what it basically already possess ? If they have filed trademark applications.

I’m sure it will be settled in a court of law but since Comodo has filed the applications the odds are well in their favor.

How can you prove it was them who made it up?

Isn’t this why we have Trademark laws and courts? If they have right to it then more than happy to comply. But these kind of Intellectual copyrights can’t be decided over a forum post or twitter account or trying to get your loyal but “blind” followers to bully another enterprise via their tweets. It won’t work! This is not wild west and there are legal framework and courts for these kind of disputes. So lets all stop being the judge and jury and follow the law!

One a separate note, since we are talking about protecting intellectual property, there is no law protecting business models. When Lets Encrypt copied Comodo’s 90 day free ssl business model, we could not protect it. Lets encrypt could have chosen 57 days, 30 days or any other number for the lifetime of their certificates. But they chose to use Comodo’s 90 day Free SSL model that we established in the market place for over 9 years!!! We invented the 90 day free ssl. Why are they copying our business model of 90 day free ssl is the question! Comodo has provided and built a Free SSL model that give SSL for free for 90 days since 2007! Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical. They clearly wanted to leverage the market of Free SSL users we had helped create and establish and that’s why they created exactly same 90 day free ssl offering. So why did they choose 90 day??? That is the question!

What they have is nothing new. We have been giving 90 day free certificates since 2007. Unlike them, our certificates are managed, even the free ones, so that consumers are protected. If a certificate is being used maliciously we revoke it. They don’t! How is that making internet safer??? Actually consumer are less safe with their certificate because if it is used maliciously they don’t revoke (Unmanaged)!

Lets get the facts right guys! We are the good guys that have been giving free SSL certificates since 2007 and managing them!

How is certificates’ lifetime a business model? The certificates can be renewed at no cost, even automatically.

Why ninety-day lifetimes for certificates? (2015-11-09)

Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

ACME is new, and in the process of being standardised.

ISRG is a bad guy?

thanks for that JoWa,
this is what they say Why ninety-day lifetimes for certificates? - Let's Encrypt

“Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime”

so whose certs are these? Of course Comodo’s!!! So they are admitting they are copying our innovation of 90 day free ssl certs!

I should of stayed out of the entire thread, but as a paralegal I have a firm grasp of copyright and fair use law. In these cases the law is clear and will be decided on subject matter and scope of copyright, copyright notice, deposit, and registration. If ISRG has not followed these guidelines then they simply have no legal basis. I hope Comodo prevails, but then again I’m biased.

I guess the only thing they can do is use forum posts and social media to spread rumors and misinformation towards/about Comodo in order to gain sympathy and try to force Comodo’s hand.

Either way really none of my business. On my way to see what else is interesting in the forum today. :stuck_out_tongue:

With LE now being an operational business, we were never going to take the these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.

Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse.

We have now communicated this to LE.

Its important to re-state that certificate lifecycle management of these LE certs deserve a serious scrutiny. Maliciously used certs must be revoked in a timely manner!

The problem is the ability to revoke in a timely manner. Unfortunately we cannot as CAs know the intent of the applicants at the time of application. That is why it is very important for CAs to react promptly with revocation. ISGR claimed (afaik) that because they are a non-profit and don’t have money they might not able to revoke malicious certs reported to them in a timely manner. So that is yet another reason why I am outspoken about this issue. As if DV certs weren’t bad enough, ISGR didn’t want to own up to managing certs used by malicious actors. That is NOT acceptable. I hope ISGR have changed or will promise to change their ways and they will start revoking these maliciously used certs in a timely manner.

A lifetime of a certificate is hardly an innovation. With automatic renewal, the lifetime doesn’t matter much to the user, and it may be shorter in the future, which is good. Ninety days is a compromise.

Personally I think disputes of this type are better settled in the courts. If I was Melih I’d let the lawyers handle it and keep my powder dry…

Comodo may feel a bit threatened by “Let’s Encrypt”

Also, if Comodo is legally entitled to the “Let’s encrypt”, they should pursue it

but it may look to people like Comodo is ganging up on the Open Cert.

It is a tricky situation.

But considering the number of Anti-opensource companies backing “Open Cert Let’s Encrypt”, it doesn’t look that bad. These companies like HP, Akamai, CISCO may want to avoid paying fees to their certs rather than want to encrypt the web.

Anyway, in a few years, the cert business may not be that profitable unless Comodo can distinguish itself from open certs. Just some thoughts.

I think disputes of this type should be avoided. Courts are not the place to deal with competitors.

If this is the best defense you can provide, then Comodo has already lost the PR war here. Sure, you can legally stomp and troll trademarks allover plenty of people with enough lawyerbucks, but people will rightfully hate you, and then not want to do business with you.

This thread is a great example. A CEO is eating his foot by simultaneously blaming his target and pretending to a victim of cyberbullying by a new, free, and open cert authority. Hey, here’s an idea, you could have just released the trademarks and played nice, since supposedly you don’t need them and don’t plan to use them, but instead you decided to be an equivalent patent troll, and your getting the negative press associated with those businesses. Hopefully, you’ll learn from this experience. The CEO in particular needs to suck up his ego and better his own products before trying to set us all back.

Since im here, when are you guys going to stop making your security software worse? I had to bail on it last year because every update crippled functionality in favor of iterating out the last 10 years in UI design fashions in the span of a year, who made that brilliant decision?

Its unfortunate that you chose to belittle an idea without first understanding the implications and value it brought to people when it was launched.

Lifetime of the cert matters, if you are not revoking a malicious certificate…that means end users are being harmed for the duration of that certificate.

sorry but no.

reading about your “free” SSL cert is is quote on quote: “limited to one issuance per domain”, in other words it’s nothing more than a trial to get customers to buy your certs.

sorry but this is absurd, do you have proof for that?
unless your cloudflare certs are running 90 days this number is something that cannot be believed, because the “free” certs, as as I’d rather call them, TRIAL certs or test or demo certs, whatever, can only be used once so you cannot get a high percentage of your trial certs in the statistics in the long run.

somebody could say you have taken the business model of common shareware but tripling the usually 30 days testing period to 90 because it’s more practical with webservers.

by the way google also uses 3 months, and they might probably take a much larger chunk of the 39% than you guys because google is everywhere, there’s youtube, google analytics etc.

you might have had 90 day certs longer but yours was just a trial, while Google was one of the players who made it popular.

unlike you guys LE is making the certs REALLY free, meaning you can renew them and so on.

I do agree that they should be revoked but then again take a read at this:
many browsers have a SOFTfail for the certificate revocation checks, UNLESS an EV cert is used, meaning if the revocation server cannot be reached , the site will still load, in comparison EV has hard fail, meaning that the site will NOT be loaded and you cannot get around it.
also mobile browsers tend to take this to an even higher extreme not checking revocation of non-EVs in the very first place.

and before you (or anyone) says that you’d rather ave everyone buy an EV cert I have another piece of text.

  1. EVs are hard to get, you have a lot of paperwork and may also need to have a source for their registration by a non-gov source as Dun & Bradstreet where they also need to register.
  2. EVs are expensive. EVs cost a lot of money. I can understand that there is quire a verification but not everyone needs an EV.
  3. EVs arent available for everyone. most importantly, I could throw as much money as I want, as an individual (normal person) I couldnt get an EV no matter how much you would want me to buy one.

great insight My1…

Before start discussion…which thought process do you subscribe to please?

1)Encryption without knowing who you are encrypting for
2)Encryption with authentication (knowing who you are encrypting for)


Generally with authentication, but nobody says you need an ev for that.
Especially mostly online companies are known primarily by their domain gives less value to ev in such cases, Google, fb and Amazon all don’t use ev.
Also as stated individuals CANNOT get an ev, at best and, depending on the ca they can get an ov but without the company stuff (some call this iv, identity validation) but the sad thing is that for the normal person these dont add anything in https because unless one looks at the cert details and which uneducated person does that?

Generally you also can do do authentication with dnssec, dane and a self signed cert which is, for pure domain validation even safer than a ca (but sadly browsers don’t do that yet) because unlike cas where technically Anyone can sign anything in dnssec you have a clear tree structure. Even if. Us signs a cert for let’s say it won’t work because of the branching structure nobody can sign something that is either above or on another branch, which makes misissuance a lot harder and we know that that happened in the past, and no matter who done it, all cas are affected by this huge problem.

Also evs can sometimes be misleading and lead to confusing stuff. I read of a case where one bank was owned by another and the owning bank was listed in the ev where people could easily thought that a rival took over the website coz not everyone knows who owns who…

Great. in which use you don’t need it with authentication? (i am not talking about commercial products, EV etc…merely on Encryption and Authentication, I do appreciate your input as you seem to understand background, so thank you)

No matter what your lawyers might have convinced you of, what your doing is trying to steal your competitor’s name brand. It’s immoral and unethical. For a company who’s business is dealing in trust validation, that raises serious concerns.

The people at ISRG created Let’s Encrypt in 2014, it was their trademark then, registered or not. You know that. You knew it when you filed fraudulent trademark applications in Q4 2015.

The folks at ISRG are doing good things to improve the quality of the internet and life on planet earth. You are doing sleazy things to try and squeeze a few more undeserved dollars from users who don’t know better.

well here we get to the tricky point about what do we count as authentication. even a self signed cert is technically a kind of authentication since the server authenticates that he possesses this cert, the question is where it is recognized.
depending on how far we spread the definition we could say that authentication is almost everywhere (okay not in DNS but we will see more DNSSec in the future)

also the question is how far you need to do authentication. for my private server a self signed cert would be enough if I know my checksums, for example.

and yeah I have an IT job that is called “Computer Science expert - Subject Area: System integration” on the translation of my german graduation sheet (in german it’s called Fachinformatiker für Systemintegration)

generally in the internet my idea everything should be HTTPS’ed and authenticated to a reasonable level
my personal computer which also runs as server has (mostly just for fun) a 16k RSA key for it’s HTTPS stuff which might be a lot but when I have there direct access to my personal cloud I rather play it safe rather than that I would be sued because my music and stuff lied in the internet because of bad security.

but looking at it a bit more realistically I would say everywhere where I leave more or less personal data (even if it’s just a throwaway password) I want that I know that the stuff goes to the site I want.

a part where authentication might NOT be so important are (obviously for example point to point connections (for example when I connect PC and laptop directly together for quicker file transfer there is pretty much nobody that can do anything bad so authentication wouldnt be needed there (well at least the “who” part, I still would want some checksums to check for transfer corruption and stuff but that gets us back to the first sentence), so in short when you can be otherwise sure that nothing bad can happen.

a pure read only page like a blog without comments or whatever could easily be without authentication because 1) nobody enters anything there and 2) there are probably not a likely MITM target because there is nothing to get. the worst someone could do is trying to insert ads of their (=the attacker’s) own 2) do stuff that will damage the site and/or the owner’s reputation, and let’s get serious this isnt NEAR as profitable than going after creditcard data or other stuff.