SSP

Up to no good again :cry:

http://msmvps.com/blogs/hostsnews/archive/2009/07/22/1705234.aspx

Old news now and the issue was sorted.

The problem here, as far as I can see it, is the protocols/procedures associated with issuing certs, not anything vendor specific.

Crooks can be clever at times.

:-TD

This is a new report… I was never really involved with the argument about Comodo selling certificates to malware hosting sites.

Just wondering… Does Comodo inspect the people they sell their certs to? Or just hand them out for cash regardless of who?

I think (from what happened last time) that checking is limited to ownership of a domain only. Which means that as long as a crook lies about their intentions for a domain/website, they will get a cert.

Ideally, certs would be issued after vetting of all their current products and repeated periodically for the life of the cert. Of course, this is nigh on impossible. :wink:

Thus, Melih’s previous comments (posted elsewhere here) regarding the problems of issuing these certs.

I wonder who else (i.e. cert issuers) has been caught out by crooks requesting certs?

I doubt we will ever find that out, as the report is most probably done the correct way.
Dennis

Verification of identity for those requesting certs is necessary for OV certs and the more recent EV certs which require additional authentication.

By providing reliable third-party verified identity and address information regarding the owner of a Web site, identity authentication is likely a deterrent for fraud schemes, because the subjects cannot retain their anonymity and thus cannot evade legal actions or law enforcement, whereas authenticating the organization will likely provide a way to counter impersonation attempts.

DV certs, on the other hand, do not validate the organization, thus providing not much more than encryption, which in some cases may not be enough.

Frequently Asked Questions - Extended Validation SSL

Well, this is how you lose your “trust” faster than you gained it…

Well obviously it does to those willing to cast it around :smiley:

Now I ask you … how many times do I have to report the same group being issued a certificate from Comodo, before they take the necessary steps to prevent the general public from being ripped-off by these bad actors?
I’ve been reporting on Comodo’s lack of concern since LimeLight Networks and connecting the dots (12-07-07); all we get is excuses and spin on how everyone else is doing it (issuing certificates).

This guy is becoming boring and quite tiresome; he reminds me of one of those little chihuahuas.
One would think that he would get a clue by now.
Maybe he is overwhelmed by his own sense of self-worth?

Give someone a Microsoft mvp award and suddenly they are a Universal Defender of the Light.
88)

It would be fine to have them build a CA to have some other “security expert” analyze the real outcomes of such vaguely implied “necessary steps”…

Who knows, maybe they could actually make responsible reporting something unnecessary and irrelevant and efficiently address any concerns.

But it does look like a site mentioned in a screenshot in one of the latest reports links to another site which got a cert from another CA in the past months.

Did anybody read something about that?
And besides, wasn’t “that group” supposed to be widely known and so easily identifiable since '07?

[attachment deleted by admin]

What’s with the smear campaign?

Why is there a special group of people that go to such great lengths to point out that some crook conned Comodo, not once, but twice :slight_smile: and run a public relations campaign on it? <—(it reminds me of the PAID political ads that you see on TV every election year)

Does the same group of people go to the same lengths when some other crook gets an Extended Validation SSL or any other form of validation?

How about VeriSign or GoDaddy??? Is it possible for a crook with the capacity (using stolen identification and/or any other such methods) to con their way through VeriSign or GoDaddy? Why not put a smear campaign on them too! It would go great with their website. Although they’ll make an exception for the vendor that hired them. Why bite the hand that feeds them?

They basically make it sound like Comodo is nothing but cybercrooks. If someone did the same thing to me, I’d be recording everything they’re doing, track their IPs (basically following the trail), do some intelligence gathering and then hit them up with a lawsuit for the harm they’re causing.

Yes, I agree it is quite mysterious the frenzied intensity that some “professionals” display in their targeting of Comodo.

One can only question their true motives.

Here is my post to them (I posted it on their site too):


Avoiding the issue of DV, and pretending that it doesn’t exist and that as long as Comodo doesn’t issue it everything will be fine, is not going to solve the DV problem.

The problem with these fraudsters is that the DV process is too easy for them to take advantage of. DV only checks if the site owner owns the domain or not. There is no other check. Verisign and Godaddy own around 90% of this market. I have been very vocal in www.cabforum.org to bring higher standards so that end users can be protected. It has met with resistance from people from Verisign and Godaddy. But I am continuing to push for better standards, as DV gives a trust indicator to fraudsters’ hands.

As to some basic checks like IP etc. etc… been there and done it… doesn’t work! These people are professional criminals! They know how to change their IP when applying for a cert, how to create a new identity etc. etc. We are coming up with different defense mechanisms, but we’ll see how it will work.

To people who claim we profit from these:

Fact 1) These are all FREE SSL certs… we don’t get money from them (notice the duration of the cert is 90 days, these are trial certs we issue)

Fact 2) We issue over 300,000 certs a year; some fraudsters getting a free cert or two costs us money in reality!

So what can we do to fight this?

1) We need to get a standard (yep… there is NO STANDARD for issuing DV certs today) that mitigates fraudsters having access to this yellow padlock (nothing ever is 100%)

2) We all need to work together and report these sites so that they can be revoked quickly, again limiting the damage. Common Computing Security Standard Website has a reporting form where this is fed to all CAs quickly: http://www.ccssforum.org/report.php . Please use this to report any maliciously used certificate so that it can be acted upon quicker.

Pls feel free to engage in a discussion (here or in Comodo forums) as to how we can make it safer for the end user. Again, Comodo stopping issuance doesn’t make it safer, it might even end up with other CAs who might take much longer to revoke maliciously used certs. And a DV is a DV, yellow padlock indicator does not differentiate between vendors… Users just see the yellow padlock and trust it.

Melih

Melih,

Yes, I know that usually CAs only check if the site owner owns the domain or not, but why don’t you change the standard for yourself?

If you are pushing for better standards, why don’t you use them instead of waiting for others to?

Is there some “rule” prohibiting you from doing so? If not, why don’t you set the example?

That’s OV and EV certs that we issue. So we do already provide better certs…
the only question here is: Should Comodo issue them (DV certs) or not?

If Comodo didn’t issue them, will these fraudsters go away? Or simply go get it from some other CA? Will the other CA have as stringent a revoking policy as Comodo at reacting so very quickly to help protect users?

It was a long and hard decision for us, but I think end users would be more secure if Comodo was offering DV certs as long as other CAs also offered it.

DV is a dangerous tool; would you have a rogue country control the nuclear weapons we have? Of course not! DV is a weapon and it’s not going away, so who do you want controlling it? I say Comodo, because we have shown ourselves to be caring, responsible and responsive to our users’ security!

Melih

We did a manual check to see how many of the malware related sites (sites that are pushing rogue AV products or other malicious activities, not including fake investment scams etc offered by fraudsters) use SSL certs to create legitimacy in an attempt to dupe end users.

The site is called www.malwareurl.com, which has a list of malware related URLs (this is just one of many sources). We checked the last 2000 entries from http://www.malwareurl.com/rss.xml?n=1&limit=2000
for malware websites with certificates. The list and the corresponding certificates are attached.

https://secureoem.com/shop/order/ Equifax
https://secure.signupsecurity.com/p05/(S(4xghlr45eyy5dd45f33jqub4))/join2.aspx GoDaddy.com, Inc.
https://secure.yclinks.com/p05/(S(r02vzt55hmnxlh45vy5dvj55))/join.aspx?siteid=freemovienow_cm&product=30&cli=7&descriptionid=new-movies&lng=en GoDaddy.com, Inc.
https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=1 Thawte Consulting cc
https://secure.cc-process24.com/ Equifax
https://secure.mpsjoin.com/join/index.php Equifax Secure Inc.
https://secure.payment-cc24.com/payment/?sku_name=PCSEC_EN,PCSEC_EN_01,ACTF_EN&sku_checked=1&affid=020c990db04ea0196e1af96bdae2e508LCw=&nid=431ae3a42aa877d0d3ac816da0e4b772 Equifax secure.payment-cc24.com.p7c Session-based link. Redirected from: http://pcsecurity09.com/buy.html
https://1-vscodec-pro.com Thawte Consulting cc
https://secure.onlineinternetpayments.com/billpav/? Thawte Consulting cc
https://secure.innovagest2000.com/ GoDaddy.com, Inc.
https://secure.paysecorder.com/order?agree=on&prodid=2&r=1.0&■■■■= Equifax Secure Inc.

You see, wouldn’t it be better for the end users if all the above certs were from Comodo? They would have been revoked by now!!! DV is a dangerous tool!

Melih
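The feed triage Melih describes above (pull a malware URL feed, keep the HTTPS sites, record who issued each cert), combined with the DV/OV distinction raised earlier in the thread, as an added Python example that is not from the original thread, from Comodo, or from malwareurl.com. The RSS text and the certificate dicts are constructed samples; only `fetch_peer_cert` touches the network, and it is not needed for the offline parts.

```python
import socket
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample feed in the RSS 2.0 <item>/<link> layout; not real malwareurl.com data.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>rogue AV order page</title><link>https://secure.example-shop.test/order/</link></item>
<item><title>fake codec</title><link>http://plain.example.test/buy.html</link></item>
<item><title>join page</title><link>https://secure.example-join.test/join?id=1</link></item>
<item><title>dup host</title><link>https://secure.example-shop.test/other</link></item>
</channel></rss>"""


def https_hosts_from_rss(rss_text):
    """Return the distinct hostnames of https:// links in an RSS feed, in feed order."""
    root = ET.fromstring(rss_text)
    hosts = []
    for link in root.iterfind("channel/item/link"):
        parsed = urlparse((link.text or "").strip())
        if parsed.scheme == "https" and parsed.hostname and parsed.hostname not in hosts:
            hosts.append(parsed.hostname)
    return hosts


def _rdn_value(rdns, attr):
    """Pull one attribute out of the nested tuple layout ssl.getpeercert() uses for names."""
    for rdn in rdns:
        for name, value in rdn:
            if name == attr:
                return value
    return None


def classify_cert(cert):
    """Classify a getpeercert()-style dict. A subject with no organizationName was only
    domain validated (DV); with one it is OV or EV (telling those two apart needs the
    certificate policy OID, which getpeercert() does not expose)."""
    subject = cert.get("subject", ())
    org = _rdn_value(subject, "organizationName")
    return {"cn": _rdn_value(subject, "commonName"),
            "issuer": _rdn_value(cert.get("issuer", ()), "organizationName") or "unknown",
            "level": "OV-or-EV" if org else "DV"}


def report_line(host, cert):
    """One line in the same shape as the thread's list: site, issuer, validation level."""
    info = classify_cert(cert)
    return f"https://{host}  {info['issuer']}  ({info['level']})"


def fetch_peer_cert(host, port=443, timeout=5):
    """Live lookup with chain verification left on; an untrusted chain raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Feed the hostnames from `https_hosts_from_rss` into `fetch_peer_cert` and `report_line` to build the list, then report the confirmed entries through the CCSS form linked in the thread.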

Please add this last minute about the “that group” featured in some blogs as well.

Just in a few hours the same parent site linked to two different https ones…

Besides, the same “that group” apparently bears countless individuals, as the involved domains are registered by different persons.

[attachment deleted by admin]

Endymion

Can you please report these to http://www.ccssforum.org/report.php ASAP?
PS: I reported the ones I posted.

thank you.

Thanks for pointing out the submission form.

I submitted the info at that form without the urgent need to put up a blog as well. :smiley:

The previous cert was already expired, though when it was active I’ve not read about it anywhere :-La
(How could it be that some “google expert” missed that? :o)

Obviously in both cases the involved CA was not Comodo.

I made a post there responding to Herbert but it still didn’t show up? :( Let’s hope it will show, cos if it did, then Donna wouldn’t have made her misguided statements.

Melih