Trusted vendors - CIS 3.8

In the CIS 3.8, the ‘trusted vendors’ list is expanded, but except ‘Comodo CA & Comodo CP’ every other vendor is shown as ‘defined by ME and not Comodo’… I first thought CIS may have ‘learnt’ them from my computer but some of the vendors like PGP corporation are unknown to me and vendors like ‘Alwil’ (Avast), Skype, ESET etc. were never installed on my computer (though I know they are safe).

So why does CIS show this as defined by ‘ME’ and not by ‘Comodo’?

Hey there,

I think it was because the users reported the stuff they wanted here

https://forums.comodo.com/beta_corner_cis/please_place_your_digital_certificate_company_here_to_be_trusted_closed-t33333.0.html

Xan

As a regular visitor of Comodo Forum I am aware of that contribution from users. But, a new person downloading CIS may not be aware of it and since Comodo has added them by ‘default’ to CIS… it won’t be fair to show them as defined by ‘user’.

BTW, that list has a lot of vendors, whereas with the CIS I see only a dozen of them. So, IMHO Comodo must have verified them before adding…

Anyway, any user can delete them as and when he wants… so no problem… I was just bringing it to notice.

Well, I didn’t really take notice of it, but now you say so, it seems a little odd…

Xan

It is confusing for the uninitiated. I had seen it but not quite noticed it…

I agree…to make this more clear, Comodo should have all the default Trusted Software “defined by Comodo” and not “defined by the user.” Only vendors added to the list by the user should be listed as “defined by the user.”

Plus they haven’t included all the vendors that we took time and submitted them :frowning: What’s the point if nothing gets included. Adding those takes like 30 minutes with downloading included.

Hey all,
… so from the Help file:

"Note - The ‘My Trusted Software Vendors’ list displays two types of software vendors:

User defined trusted software vendors - As the name suggests, these are added by the user via one of the two methods outlined earlier. These vendors can be removed by the user by selecting and clicking the ‘Remove’ button. All software created by user certified vendors is automatically added to the Comodo safe list.

Comodo defined trusted software vendors - These are the vendors that Comodo, in its capacity as a Trusted CA, has independently validated as a legitimate company. Comodo certified vendors are hard coded into the firewall and cannot be removed. All software created by Comodo certified vendors is automatically added to the Comodo safe list."

So from this context I take it that the user is in control of said User defined vs Comodo defined and the naming convention helps to differentiate the two.

As to the question of not having included all user submitted software, could be timing in some cases.
But if the submitted software isn’t from vendors that fulfill the signing requirements I wouldn’t hold my breath as I wouldn’t expect Comodo to trust on everyone’s behalf on the basis of what we have as individuals decided to trust.

Again from Help file:

“Comodo Internet Security can validate digitally signed applications from trusted vendors. Trusted Vendors are those companies that digitally sign 3rd party software to verify its authenticity and integrity. This signature is then counter-signed by an organization called a Trusted Certificate Authority. By default, Comodo Internet Security will detect software that is signed by a software vendor and counter-signed by a Trusted Certificate Authority. It will then automatically add that software to the Comodo safe list.”

But the design of CIS allows us to indulge and add to trusted as we freely choose whom to trust.
Working through this leads to the root of another issue that has arisen before here.
That is the one of pop ups after I have added “xyz” vendor to trusted list.
If “xyz” vendor isn’t digitally signing their apps, no sig = no automatic trusting or learning going on.

Later

Yes, I know this…and this is exactly why the default trusted vendors should be “Defined by Comodo.”

Sorry I don’t follow.

Comodo is only identifying the ones where they themselves are the CA.
They are hard coded into the firewall so users can’t break their own apps.

The others they can check with their CA’s and say these check out and they are what they say.
But you are free to remove or add as you see fit.
Suppose I just don’t like a vendor and I don’t want any of their software on my machine, whether
they are certified or not I can remove them from the safe list knowing that I won’t get their software
installed without warning through any means, surreptitious or otherwise.

Later

I personally think that all vendors should be capable of being removed from the trusted list, including Comodo products. Deleting the Comodo entry from the trusted list will not “break” anyone’s apps, it will just cause CIS to generate alerts for Comodo apps. And if the user wants to add Comodo back to the list, they can do so.
The point is…the entries that are added by Comodo should be “defined by Comodo” and the entries that are added by the user should be “defined by the user.” These designations should have nothing to do with which entries can be added or deleted from the list, they should apply only to who placed the app on the list.

If you want to preserve the default comodo trusted vendors, they can put an option in the window “restore Comodo’s default list of trusted vendors.”

OK, by “break their apps” that was what I meant. How do you know if you removed Comodo
it would still function properly, generate pop ups for itself etc. or even boot up?

It seems to me it would be borderline ■■■■■■■■ to build a security app and then not trust yourself.
Or let some noob accidentally neuter the software they are depending on.

All the non Comodo entries are there because Users wanted them.
So they are the Users list entries to do with as they wish.
If you don’t like it you can delete them.

Hi,

I also would vote for leaving complete freedom to user to even delete the Comodo installed ‘hardcoded’ approved applications or rules, even CIS itself.

If it would endanger the proper functioning of CIS, it should be possible to install warning pop-ups to warn user he might cause a problem, no? Pop-ups are so common to CIS (no pun intended)

Always have found it annoying not to have 100% control but only 99%. Makes me wonder why the 1 percent is hidden.

For instance, I would like to know not only a ‘cleaned’ list of allowed/blocked in/out coming communications, but the full one. Also with communications from CIS itself in and out…

Bgrds,
mack

Hi Mack,

In your case of 100% control just uncheck the box in D+ settings:
Trust the applications digitally signed by trusted software vendors
Then the entire list becomes irrelevant. AFAIK.

Later

I understand your point. Currently, CIS does not allow the user to delete the “defined by Comodo” entries. Perhaps a more clear design would be to do one of the following:

Option 1
List all entries added by Comodo as “defined by Comodo.” Do not allow the user to delete “Comodo CA Limited” and “Comodo CP, Inc” but still allow them to delete the other entries. When the user selects either “Comodo CA Limited” or “Comodo CP, Inc”, the remove button would grey out (become inactive) indicating to the user that these entries cannot be deleted.

Option 2
List “Comodo CA Limited” and “Comodo CP, Inc” as defined by “Comodo (fixed entry)”, and list the other entries added by Comodo as defined by “Comodo.” When the user selects a “Comodo (fixed entry)”, the remove button would grey out (become inactive) indicating to the user that these entries cannot be deleted.

I think option 2 is the most intuitive and clear way to combine our two opinions on this issue.

Hey… it’s getting into an argument, I think.

I just brought out only a simple thing

Default ‘trusted vendors’ of CIS 3.8 should be shown as defined by ‘Comodo’

All the trusted vendors that are defined by the ‘user’, once it is installed in their computer should be shown as defined by ‘user’.

I think that strategy is fairer than the present one.

Of course, we can delete the names from the list… Also, there may not be any difference between trusted vendors added by Comodo or User, as far as functionality for CIS Defense+ is concerned. But, the fact is all the default trusted vendors may not be known to all the users. (I have deleted two to three vendors, about whom I haven’t heard before).

We, as members and frequent visitors of the forum know of this… and the big list provided by users… but… the competitors or reviewers may flak this decision (of adding default trusted vendors as that of ‘user’). Also, somebody who uses this software, but is not a visitor of this forum, may become sceptical of this strategy, as he may think that those vendors’ software can have free hand on their computer, especially if that vendor is unknown to him… though actually that software could be trusted.

Rather than criticizing Comodo my intention was just to bring to notice that it could happen outside this forum, thus, maligning Comodo. Rightly so, as due to the high quality products of Comodo being offered free… I think there could be many of them.

Anyway, let the developers of Comodo decide what is best… Since I am the OP, may I please lock this now, so that it does not get into a bigger argument.

CIS is a great product and let us enjoy its quality… Cheers.

Not sure why you think there was an argument. It seemed like a civilized discussion to me. Not to mention that a compromise was proposed to help unify the different opinions:

Anyhow…I hope no one else felt these posts were argumentative because I think they were meant to be cordial and respectful.

Yes Whoop… I appreciate that… You may please continue… I know it was peaceful and respectful… but I thought it may… just may… go that way… so I only proposed that…

… and yes … I liked your options also… please carry on. BTW thanks for the contribution.

Hi layman,

Sorry you feel like we are arguing, I’m certainly not feeling ill will and I seriously doubt that
Whoop does either.
The issue you raised certainly deserves some debate and resolution.

The two sides clarified:

Position one - User opens list and goes WTF, I never added any of this. So they should state
clearly that Comodo added them.

Position two - If Comodo labels them all as Comodo entries then it implies that Comodo is
promoting, recommending or somehow endorsing these other vendors. Which
they are not.

I imagine the issues arising if one of these certified vendors decides to slip you
a tool bar or some other unwanted app and D+ quietly lets it go. Then who ya gonna blame?
Comodo can only verify the authenticity of the apps, no more no less.
The same as when they verify the authenticity of a website. Yes what you see is real.
If that website goes bad and rips you off, well a real site really ripped you off.
You can’t hold Comodo or whoever responsible. They said it was who it was, not that they
were good guys.

So the solution lies somewhere in between the camps.
Identifying the entries so it’s clear what did I add?, which were default? without labeling them as Comodo entries.

I agree…this is going to happen.

Excellent point…I did not think of that.

Taking your comments into account, here is what I proposed in the Usability forum:

  • Some users have been confused by the fact that CIS indicates the default entries as “defined by user”, when the user did not define any of these entries. I think a good way of eliminating this issue is:
    List “Comodo CA Limited” and “Comodo CP, Inc” as defined by “Comodo”, and list the other entries added by Comodo (e.g. Apple Inc., adobe, etc.) as defined by “Default.” When the user selects a “Comodo” entry, the remove button would grey out (become inactive) indicating to the user that these entries cannot be deleted. All of the “default” entries could be removed (the remove button is active when these are selected). It may also be nice to have a button that will “Restore Default Entries.”