SSP

ok the post showed up…

But guess what… something so very funny happened!!! Actually hilarious!!!

This blogger complained about Comodo issuing a cert to http://www.windowssecuritysuite.com/ and went and blogged about it… within a few minutes of us finding out, we revoked the cert…

then our beloved security Guru Donna (ok ok we all know she ain’t the security guru she thinks she is) so wisely recited what Verisign said in their statement against Comodo:


re: Comodo continues to ignore Malware warnings

Saturday, July 25, 2009 5:41 PM by donna
Melih,


Comodo seems to not to apply what other cert vendors can do in protecting their own service so that end-users will not become victim. They seems to know how to implement “creating trust online” than you do. Verisign said:

“Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.”

“The system we have in place automatically rejects obviously fraudulent sites and kicks anything questionable to a manual approval. And if anyone flags a site as malicious, we have a team that investigates these and revokes the certificate if found to be malicious/fraudulent.”

“For GeoTrust and RapidSSL we have the ability to revoke a cert issued to a malicious or rogue site instantaneously. The cert will then show up on our CRLs immediately.”


But guess whose cert http://www.windowssecuritysuite.com/ is using now? :slight_smile:
Yup, you guessed it: a GeoTrust (a Verisign company) cert :). This is just too funny, honestly… ROFL

Once again Donna looks like a total fool! Any CA who makes a statement claiming that they “have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.” is lying! Cos no system is 100%! And the proof is in the pudding :slight_smile:

ROFL!!! This is just too funny!

Melih
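The mechanism the Verisign statement quoted above describes (revoke a cert, it shows up on the CRL, relying parties reject it) is easy to reproduce end to end with a throwaway CA. The script below is an added example written for this page; it is not code from this thread, from Comodo, Verisign or GeoTrust, and the CA name “Demo Test CA”, the leaf name www.example.test and the scratch directory are assumptions. It needs only the openssl command-line tool: it stands up a local CA, issues a leaf certificate the way a DV issuer would (signing whatever name is in the CSR), publishes an empty CRL, revokes the leaf, republishes the CRL, and runs `openssl verify -crl_check` before and after.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from any CA named in it.
# A throwaway local CA (assumed names: "Demo Test CA", www.example.test) issues
# a leaf certificate, revokes it, publishes a CRL, and a relying party running
# `openssl verify -crl_check` rejects the certificate once its serial is on the CRL.
set -eu

WORK=""   # scratch directory, set by setup_ca

setup_ca() {
  WORK=$(mktemp -d)
  mkdir -p "$WORK/db/newcerts"
  : > "$WORK/db/index.txt"            # openssl ca's certificate database
  echo 01 > "$WORK/db/serial"
  echo 01 > "$WORK/db/crlnumber"
  # Minimal `openssl ca` configuration; paths are relative to $WORK.
  cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca

[ demo_ca ]
database         = db/index.txt
new_certs_dir    = db/newcerts
serial           = db/serial
crlnumber        = db/crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = policy_any

[ policy_any ]
commonName       = supplied
EOF
  # Self-signed CA certificate (req -x509 marks it CA:TRUE by default).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# DV-style issuance: the CA signs whatever name is in the CSR, no questions asked.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/site.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/site.crt" 2>/dev/null
}

# Mark the leaf revoked in the CA database. Nothing reaches relying parties
# until a new CRL is signed and published.
revoke_cert() {
  (cd "$WORK" && openssl ca -config ca.cnf -revoke site.crt 2>/dev/null)
}

# Sign a fresh CRL from the current database state.
publish_crl() {
  (cd "$WORK" && openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null)
}

# Relying-party check: chain to the CA *and* consult the CRL for the leaf.
# Returns 0 if the certificate is accepted, non-zero if rejected.
verify_leaf() {
  openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
    "$WORK/site.crt" >/dev/null 2>&1
}

# Does the published CRL list the leaf's serial number? (0 = yes)
crl_lists_leaf() {
  serial=$(openssl x509 -in "$WORK/site.crt" -noout -serial | cut -d= -f2)
  openssl crl -in "$WORK/ca.crl" -noout -text | grep -q "Serial Number: $serial"
}

run_demo() {
  setup_ca
  issue_cert www.example.test
  publish_crl                           # empty CRL: nothing revoked yet
  if verify_leaf; then echo "before revocation: leaf accepted"; fi
  revoke_cert
  publish_crl                           # CRL now carries the leaf's serial
  if verify_leaf; then
    echo "after revocation: STILL accepted (check failed)"
  else
    echo "after revocation: leaf rejected"
  fi
  if crl_lists_leaf; then
    echo "CRL lists $(openssl x509 -in "$WORK/site.crt" -noout -serial)"
  fi
  rm -rf "$WORK"
}

run_demo
```

Two things this makes concrete. First, “revoked instantaneously” means the serial is in the CA’s database immediately, but a relying party only learns about it when the next CRL is signed and fetched (the `publish_crl` step), so the window between revocation and protection is the CRL publication and refresh interval, not zero. Second, drop `-crl_check` from `verify_leaf` and the revoked certificate verifies as OK again: revocation only helps clients that actually consult the CRL.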

Indeed, Verisign acquired GeoTrust, which acquired Equifax

GeoTrust was a restarted company in 2001 that acquired the security business of Equifax.
The buyout of the Equifax certificate business was inexpensive given the final exit price in 2006.
VeriSign acquired GeoTrust on 5 September 2006 for $125 million in cash.

Ah, is it okay to post the link direct to that site here?

It looks like Ms. Donna forgot she wrote:

“You said those fraudsters are professionals which is true but as you can see Melih, other cert vendors do not care whether the cert offender is professionals or not. That is not an issue for them.”

or

“Comodo seems to not to apply what other cert vendors can do in protecting their own service so that end-users will not become victim. They seems to know how to implement “creating trust online” than you do.”

when she later replied “I said ‘no one here has said that other certs don’t issue certs to other fraudsters’.”

But it looks like someone else issued a cert to the “same” (supposedly easily identifiable) fraudster, whenever a little backpedaling, red herrings and question-begging should have been expected; after all, there is only one target.

“Double standard” comments are really something…

Whenever it might look like one CA has to act as an “example” despite being the issuer of a single-digit percentage of DV SSL, whereas the rest can do otherwise.
Obviously this will not solve anything when over 90% of DV SSL are issued by other CAs.

Besides, it looks like there are plenty of people willing to leverage each issue to negate any effort, vocally performing “not enough” tunes…

I really find this quite amusing. There seems to be a nice little ‘self appreciation society’ hanging out at various places, doing their utmost to badmouth Comodo. I have to wonder why…

Not once, in all the blogs/forums I read, did one of these people criticise GoDaddy or Verisign, yet they still issue certs to anyone who asks.

I used to have respect for my fellow MVPs but now I have to wonder just what their agenda is…

Why badmouth about a company if you don’t have anything to fear from them :wink:
Thus they fear something >:-D

Well, at least Paul Wilders provided a few somewhat rational and reasonable responses on their site.

I do find it very amusing though that these individuals are happy to ramble on about financial motivations while proudly proclaiming they were recipients of awards from one of the most ruthless profit-driven companies the world has ever known, lol.
88)
:smiley:

Obviously he also provided some reason – in his view – to focus only on Comodo, maybe in a seemingly less extreme and somewhat more reasonable fashion compared to some other comments; nevertheless I guess everyone could perceive differently how far the spoiled apple was cast from the tree.

After all things said and done I would still be interested to possibly have some of those unwavering individuals put money where their mouth is and bring forth something real like a new CA with no relation to existing ones…

…because I got the impression they could possibly make it immune from such issues or, in case I’ve been misleading myself, at least provide a clear and realistic representation of what “good enough” or “better” could possibly mean.

Agreed.
The twisted logic from these security “professionals” appears to be:
1). Comodo should set an example by not providing DV certs, even though this will not prevent the general availability of DV certs.
2). Comodo setting this example will make for reduced revenue to throw at CIS development, forcing Comodo to provide either:
a. poor free security.
b. good security for a price.
3). Either a. or b. from 2). above will lead to hundreds of thousands, if not millions without adequate security.

So these avatars of virtue would rather see millions of potential bots just so that Comodo specifically does not provide DV certs, lol.

These people are so comical, heheheh.

Well put.

I can’t believe this Donna girl… she is either a liar or a fool…

She first quotes a statement from Verisign:


Verisign said:

“Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.”


Then the malware site they were blogging about goes and gets a cert (paid for) from a Verisign company.

Then she says:


Don’t say I’m a total fool because “no one here including myself” has said that other cert vendors has not issued cert to malware domains.


errr…

Donna, pls choose… you are either a liar denying what you posted or a fool for posting it!

Hint: If I were you I would go with the fool Donna :slight_smile:

Melih

Any chance of some professional behavior from you people?

Constructive criticism is cool, but this is sticks and stones, don’t you think?

Does she deserve any better after the way she behaved? Especially after spreading such malicious lies about Comodo!

Melih

Considering the tension, maybe she is just upset that she wasn’t given a lunch invitation, lol.
Too bad she doesn’t know that Daisy is the apple of your eye, heheh.

I did my final reply:

IMO… Paul said it all! Well done Paul!!

[b] # re: Comodo continues to ignore Malware warnings
Sunday, July 26, 2009 6:39 AM by Paul Wilders

–quote–“Why don’t YOU (Comodo)set the example?”–end quote–

Easy one. Setting an example > big revenue loss plus a grinding halt from all security software(s) developed.

Business wise that boils down to a disaster. This is a roller coaster with virtually no way out. Anyone who fails to understand this never ever has been involved in high staff level business situations and decisions.

In all fairness it should be a good thing to imply GoDaddy, Verisign(!) and all others into this issue as well. The only reason to focus only on Comodo is - in my view - the impossible connection as for developing security software(s).[/b]

Well done Paul! Comodo is a huge player not only in CA (Comodo being the 2nd largest Certification Authority) but also in the end-user security world. Many companies are losing money fast to COMODO, because products like CIS (free) are taking revenue from the likes of Symantec, McAfee etc. And yes, all CAs are in the same boat, period. If Comodo were to stop what other CAs are also doing (selling DVs), Comodo would lose money fast, and that means: Comodo’s free products would come to a halt, a HEAP of Comodo developers would lose their jobs because of this loss too, and so on. So I agree with Paul again: high staff level business situations and decisions need to be understood promptly.

The likes of Donna with this blog are a total joke and yet still funny. Donna needs to understand “how stuff works” - respectfully, certificates and why Comodo is still issuing them to malware domains! And this has been explained COUNTLESS times by Melih! Reading Donna’s last posts, it seems she really is stuck and has nowhere to go.

Cheers,
Josh

While Paul has made some biased comments on his site previously, I agree that overall he has acted responsibly here.

IMO dignified responses are critical to sending a clear message that these outrageous allegations will not be taken quietly, either today or at any time in the future.

EDIT: Sometimes a little revision is a good idea.

And she makes all these statements without even realising the percentage of certs used by malware… Does she even have the slightest idea what percentage of the maliciously used certs belong to Comodo vs others? No she doesn’t! Cos if she did, she wouldn’t be talking as silly as she is. Does she have any idea of the stats on how long it takes Comodo to revoke a cert once we know about it compared to other CAs? No she doesn’t! Cos if she did, she wouldn’t be as foolish as she is with her statements.

I mean, how silly does she look when she quotes Verisign’s statement saying “But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.” and then they go ahead and issue one to the very site they have been blogging about!!

Then Donna says: “Don’t say I’m a total fool because “no one here including myself” has said that other cert vendors has not issued cert to malware domains.”

erm… Dear Donna, if you didn’t believe what Verisign said, why did you post it? It is clear what Verisign said and it is clear that you posted it!

So you are either a fool for posting it, cos they went and issued the cert to the malware guys…
or
you are a liar denying that you posted that statement from Verisign…
or
you post statements from people that you don’t believe :slight_smile: (which is pretty much the same as 1, and you would still be called a fool)

Donna, you still don’t have a clue, you are way in over your head, you just are not getting it!

Melih

Indeed… however, one area Paul has emphasized is the free/trial SSL. That didn’t stop the windowssecuritysuite guys from paying a Verisign company to acquire the new SSL cert. Whether free or not, if the validation process was good for DVs then it wouldn’t happen. But as we all know, there is no ■■■■ validation for DV. So whether you give it away free as a trial or charge for it, a fraudster can get it.

Melih

First things first, neither Comodo nor Verisign is to blame for issuing certificates to those who are eligible under current legislation and/or standards, unless they knowingly issue certificates to known recalcitrants.

Attacking only Comodo regarding this is very short sighted indeed.

The real issue here is that it appears to be a bit too easy to obtain an SSL certificate and even easier to obtain a domain name. Both these issues have to be resolved to offer better protections to the end-user.

It works better in some countries than others. For example, it is a lot more involved getting a .com.au domain than getting a .com. Domain validation may be where efforts should be directed.

Spot on, bulgroz!

Melih