SSL certificate checks

I was recently reading a post comparing Comodo Dragon to SRWare Iron on the following site: http://mmo.catacombs.com/showthread.php/1014-SRWare-Iron-vs-Comodo-Dragon

A comparison point that caught my eye was one that said that Iron ‘never reports back site related metadata to mothership’ and that Dragon does, in the form of SSL certificates being checked against Comodo Cloud.

I’m curious: what does this ‘site related metadata’ include? Does Comodo store this metadata? Is it used to track and analyse usage to improve Comodo’s products?

I understand that, in order to provide its SSL certificate checking service, it’s necessary for site-related metadata to be sent to Comodo Cloud, but I’m wondering how this sending of information compares to the information-collecting features that are turned on by default in Google Chrome. I’d appreciate help in understanding this better.

That thread is pretty old and the statement is pretty vague, so without knowing exactly what he’s referring to, it’s difficult to comment. However, I’ll take a guess and assume it’s something to do with Certificate Revocation Lists.

If this is correct, it’s not specifically related to Comodo; it’s something used by all modern browsers and operating systems. To understand more about CRL/OCSP you could do worse than take a look at How Certificate Revocation Works.

You might also post in that thread and ask exactly what he means…

Thanks for the reply.

If certificate revocation lists are something all modern browsers use, then I don’t think that that’s what the poster in the link was referring to when they mentioned the reporting of metadata to the mothership in the form of SSL certificates against Comodo Cloud, because Iron is a modern browser and apparently doesn’t report.

Regardless of whether that’s what the poster was referring to, though, I was just wondering if the SSL certificate checks give Comodo access to user information, and if it does, if they use it. I was wondering if Google’s information-gathering features that are removed from Dragon are replaced by Comodo’s information-gathering features.

I assume Comodo Secure DNS can be used in such a way, right? That is, used for finding out information about internet usage that Comodo might find useful in developing their browser. But I suppose that such information wouldn’t be as useful to Comodo as it would be to a company like Google. And Comodo is well known for its internet security products, so gathering and using information in this way would probably be considered especially inappropriate, and, so, particularly unwise. So I doubt that’s the case. Maybe a Comodo representative can clarify.

I just tested this behavior on the latest CD 10.x beta and I can’t find any “illegal” traffic during the setup of a session on SSL, so no metadata traffic was seen on the wire… maybe it was a bug or a feature :wink: not sure and hard to say based on this one-liner without explanation or included packet capture.

This is the same user as ‘sometimes’, the thread creator. I forgot my old account’s password and I seem to have entered my email incorrectly when signing up for it, so I had to create a new account.

Thanks for letting us know your finding, Ronny.

Thinking about the privacy of Comodo’s SSL checks and the whole reporting back to the mothership thing has got me thinking about privacy in Comodo Secure DNS. Wikipedia describes the privacy of Google Public DNS like this: ‘It is stated that for the purposes of performance and security, only the user’s IP address (deleted after 24 hours), ISP, and location information (kept permanently) are stored on the servers.’ Any idea how this compares to Comodo Secure DNS?

http://www.comodo.com/repository/privacy-policy.php

But they seem more general than specific to the Secure DNS.

Thanks.