This is why Domain Validation certificates MUST not be trusted!

And this is why Comodo Dragon protects the end users by alerting the user to these inferior certificates.

Melih

There are sites, such as https://ssl.scroogle.org, https://help.ubuntu.com/ (both DV) and a zillion others, where verification of the authenticity of the certificate's proprietor is not needed because of the relative insignificance of the transferred information. For example, are there sane cybercriminals out there who would need such garbage as the search queries of internet users or logins/passwords for the site of Ubuntu’s documentation?

And meanwhile, Domain Validation certs allow saving money in such cases. In fact, without them the organisations behind these sites might not spend money on OV or EV certificates, renouncing the use of certificates in general (removing end-to-end encryption from a site) OR switching to the use of “home-made” certificates. And who loses in the case of refusal of these organisations to use encryption? End users. In fact, for end users https is always better than its absence.

Why protect it if it's not worth anything?

If they are protecting it, then it must be worth something to someone; if so, then it's worth something to some fraudster!

Actually: Self-signed certs that you refer to as “home made certificates” DO offer encryption, but no trust. So if they don’t need users to trust them, then it's perfectly legit for them to use self-signed certs and it's free! The reason why they don’t use these is because it gives a warning by the browser saying, this cert is not trusted. So they buy a “trusted cert”, but wait…there is no trust in DV… DV is a way to cheat browsers to think the site is trusted…

How about the phishing sites that use DV that cheat end users out of millions of dollars every year? What do you suggest browser people should do? Continue the use of DV allowing fraudsters easy access to this “trust indicator”?

FYI: DV or OV…you can have access to both at a similar price range…And as I said, if the site doesn’t care about “trust” value, they can always use a self-signed certificate for free! Why don’t they?

Melih

> Why protect it if it's not worth anything?
>
> If they are protecting it, then it must be worth something to someone; if so, then it's worth something to some fraudster!


Private information of any sort (even posts on a gardening forum) must be protected by means of https from third parties (for example, from the ISP).

Private emails may not be worth anything, either. But Comodo invented SecureEmail not for the sake of “inventing”.

The point is not so much the necessity to provide security where it is really needed, but rather the necessity to provide privacy.

> Self-signed certs that you refer to as "home made certificates" DO offer encryption, but no trust. So if they don't need users to trust them, then it's perfectly legit for them to use self-signed certs and it's free! The reason why they don't use these is because it gives a warning by the browser saying, this cert is not trusted. So they buy a "trusted cert"

Is it correct, in your opinion, when browsers "frighten" a user with a separate page with a "red" warning like "Warning! Proprietor of site can not be verified. Continue anyway?" in the case of self-signed certs (SSC)?

According to this logic, browsers must show a separate page with the “red” warning on EVERY http page: “Attention! Any data, such as logins/passwords, the ■■■ on forums etc will be delivered to your internet provider and, possibly, to other third parties in plain text. Continue anyway?”

As an alternative: instead of a separate warning page for SSC, a browser shows a piece of text of a certain color in the address line. For example, instead of “Verified: Comodo CA Limited” and green color, “NOT verified. Self signed certificate” and orange color. If the colored area is pressed, an information window is shown which explains that encryption is present, but the proprietor of the site can not be verified.

It is better and more honest than DV. And at the same time, SSC will begin to oust DV, because the main reason sites give up SSC (which is, on top of everything, free of charge) in favor of DV is the inferiority of SSC “in the browser’s opinion”; as a result, users are swayed by the browser’s warning and leave the SSC-guarded page.

> How about the phishing sites that use DV that cheat end users out of millions of dollars every year? What do you suggest browser people should do? Continue the use of DV allowing fraudsters easy access to this "trust indicator"?

I suggest "sinking" DV in all directions, as you are doing, AND removing the separate warning page for SSC, which "frightens" an enormous number of users... As SSC DO offer encryption.

> if the site doesn't care about "trust" value, they can always use a self-signed certificate for free! Why don't they?

Because of the warning in every major browser that SSC is inferior. Remove the separate warning page for SSC and get reasonable help in the fight against DV.

That’s how I think.

By selling Domain Validated Essential SSL Certificates, Comodo takes part in the deception of end users and gives fraudsters the possibility to get easy access to the “trust indicator”.

This categorically does not fit with the crusade against DV.

I have answered this very issue many times before…

It's better for customers to buy DV from Comodo as at least they get an education about better quality certs. Whereas with other providers, they don’t get that. Also Comodo has a browser and other tools that identify DV certs as unvalidated certs. Just letting people go and buy DV from other providers serves no one! At least we get a chance to educate them when they buy it from us.

Melih

Then I missed it :stuck_out_tongue: Thanks for the “replay” :slight_smile:

Do you consider the stuff you are posting on a forum as “private information”? :stuck_out_tongue: :-TU

Do you have a better suggestion?? Personally I see few problems with it; for https to be an indicator of trust it must hold to some sort of standard and not just… buysuperantivirus dot com in-house certificate.

I disagree, the http page never claims to ensure a “secure connection”, while https does! And when an https connection isn’t properly identified by a trustworthy source, I believe a warning should be presented.

Frighten or educate the user? What would you say to that guy who bought fake antivirus 2010 from the new, now trusted in-house SSC-certificated page? There is already a problem that fake antivirus makers, and people doing different kinds of fraud, get hold of certificates; do you suggest that all browsers should just trust any certificate all of a sudden?

> Do you have a better suggestion?? Personally I see few problems with it; for https to be an indicator of trust it must hold to some sort of standard and not just.. buysuperantivirus dot com in-house certificate.

https is an indicator of end-to-end encryption. "Trust", "authentication" and other beautiful words follow after.

> Frighten or educate the user? What would you say to that guy who bought fake antivirus 2010 from the new, now trusted in-house SSC-certificated page? There is already a problem that fake antivirus makers, and people doing different kinds of fraud, get hold of certificates; do you suggest that all browsers should just trust any certificate all of a sudden?

Sorry, but this is an irrelevant wandering of thoughts.
My opinion: the browser should provide end-to-end encryption (https) without profound “trust”-related warnings.
Besides, browsers’ warnings for SS certs are ridiculous. They do not prevent users from getting into a trap. Because it’s the user (not the browser) who should think first and try to recognize social engineering and similar occurrences.

Are you saying: “Https” should be the only indicator for DV certs? If so I agree 100%.

Melih

Let it be so.

I would agree 100%.

So now you understand my frustration with DV :wink:

DV should not have the trust indicator.

Melih
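
The indicator scheme discussed in the posts above (plain "https" for DV, an orange "NOT verified" label for self-signed, a green "Verified: ..." label for organisation-validated certs), sketched as an added example that is not part of any post and not Comodo's code. It assumes a dict shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, assumes DV subjects carry no `organizationName` (the current CA/Browser Forum profile), and treats OV and EV alike as green; the sample certificates are constructed.

```python
# Added example: pick an address-bar indicator from a decoded certificate.
# Input shape: the dict returned by ssl.SSLSocket.getpeercert().
# Heuristics (assumptions): subject == issuer stands in for "self-signed"
# (a real check verifies the signature with the cert's own key), and a
# subject without organizationName is treated as DV. The authoritative
# signal is the certificatePolicies OID, which this dict does not expose.

EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "jurisdictionC", "1.3.6.1.4.1.311.60.2.1.3"}

def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a {field: value} dict."""
    return {k: v for rdn in name for (k, v) in rdn}

def classify(cert):
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    if subject and subject == issuer:
        return "self-signed"
    if not subject.get("organizationName"):
        return "DV"
    return "EV" if EV_FIELDS & subject.keys() else "OV"

def indicator(cert):
    """Return (color, text) for the address bar."""
    level = classify(cert)
    if level == "self-signed":
        return ("orange", "NOT verified. Self signed certificate")
    if level == "DV":
        return ("none", "https")  # encryption only, no trust claim
    org = _flatten(cert["subject"])["organizationName"]
    return ("green", "Verified: " + org)

_CA = ((("organizationName", "Example CA"),), (("commonName", "Example CA"),))
SAMPLES = {  # constructed certificates, not real ones
    "ssc": {"subject": ((("commonName", "forum.example"),),),
            "issuer": ((("commonName", "forum.example"),),)},
    "dv": {"subject": ((("organizationalUnitName", "Domain Control Validated"),),
                       (("commonName", "docs.example"),)), "issuer": _CA},
    "ov": {"subject": ((("organizationName", "Example Ltd"),),
                       (("commonName", "shop.example"),)), "issuer": _CA},
    "ev": {"subject": ((("businessCategory", "Private Organization"),),
                       (("organizationName", "Example Bank plc"),),
                       (("commonName", "bank.example"),)), "issuer": _CA},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, classify(cert), indicator(cert))
```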

I did not call this into doubt :wink:

Where can we find OV in a similar price range to… let’s say GoDaddy Standard SSL? Even Comodo’s DV and OV have a rather perceptible difference in price: 109 VS 149. :-\