Trusted vendors - CIS 3.8

Yes, Bad… you have a real point… I have failed to anticipate ‘position two’.

In Comodo also I think the problem lies between these two… In CIS I know there were only three trusted vendors… Comodo CA, CP and MS… Of course I only kept Comodo, removing MS… not because I don’t trust MS but due to the thought that in case malware injects something into an MS software… Defense+ may not alert me, as I was not sure whether Defense+ will read the digital certificate cleverly in that occasion or not.

But, I think the usability factor, which a lot of people are bringing up time and again, is the root cause triggering this ‘trusted vendor’ list, as CIS will give fewer pop-ups.

PS … Thanks Whoop for your proposal at Usability forum.

Yes Whoop,

“List “Comodo CA Limited” and “Comodo CP, Inc” as defined by “Comodo”, and list the other entries added by Comodo (e.g. Apple Inc., adobe, etc.) as defined by “Default.” When the user selects a “Comodo” entry, the remove button would grey out (become inactive) indicating to the user that these entries cannot be deleted. All of the “default” entries could be removed (the remove button is active when these are selected). It may also be nice to have a button that will “Restore Default Entries.””

Now we feelin’ the love. (:CLP)

layman,

I agree, watching the usability thing play out over time. And seeing what some people expect, full auto,
no pop ups, idiot proof. With hardcore total security and full control. (IMHO these are at odds)
I sure don’t envy the devs. and sometimes I worry that they will usability CIS to death.
It would be so sad to lose the qualities that drew many of us to Comodo in the first place.
I don’t mind a few or even a lot of pop ups at first during training.
What I really don’t like is the idea that any vendor could automatically decide for me that I should have xy or x installed and foist it on me because somebody’s grandma or preschooler or idiot cuzin can’t or won’t RTFM. Or they figure a HIPS program should be as quiet and useless as the old school AV’s and fake security to which they have become accustomed.

Later

This is the real problem when designing a single interface for the mass market while still trying to retain access to lower level functions. Either the interface isn’t simplistic enough or the power gets too hidden.

To me, the obvious answer is to create multiple UIs and let the users decide what level of complexity suits the way they work and their level of experience. In reality, there only needs to be one UI, but it could operate with user-selectable filters to control the options presented to the user. The downside is that the simpler the UI presented to the user, the greater the degree of intelligence that has to be built in to compensate.

I know I’ve said it before, but PC/GEOS really was years ahead of itself. Have a look at :
http://faqs.cs.uu.nl/na-dir/pcgeos-faq/part5.html

and

http://www.breadbox.com/ensemble/geosdetails.asp?id=2&category=Ease-of-Use

Worth a look and their partial patent is due to expire. :wink:

Ewen :slight_smile:

This is complete and utter Bullpoo, with a capital “B”. Of course it is Comodo’s fault, the same as it would be if a Privilege escalation vulnerability was present in their software. It IS NOT the User’s responsibility to audit the code of a “SECURITY” and “PRIVACY” (Ha. Ha. Ha. Chuckle… GOOGLE, trusted? LMAO) software from a “REPUTABLE” (again, ha. ha. ha. This company is no longer reputable in my book.)

I DO NOT CARE that Comodo lusers asked for this Software to be added. SECURITY is not the business of the TYRANNY OF THE MAJORITY, or democracy. It is the business of the educated elite. The user is STUPID, and insecurity occurs BETWEEN THE CHAIR AND THE KEYBOARD. This way, you are putting MANY OPINIONS on what software is “safe” beyond my own into MY COMPUTER WITHOUT MY KNOWLEDGE. If an individual wants their data harvested by GOOGLE or APPLE, let them. DO NOT MAKE IT THE DEFAULT OPTION TO ALLOW IT ON MY PC. This is why I have stopped using Comodo software - you are letting the IGNORANT, UNWASHED MASSES of INEPT USERS who cannot PROPERLY CONFIGURE a piece of security software decide how it should be configured for ME, a less inept user WHO CAN PROPERLY CONFIGURE SAID SOFTWARE.

I will hold Comodo responsible, because, THEY DECIDED WHO I SHOULD TRUST FOR ME. By adding these applications to the Trusted list and RE-ADDING THEM AFTER EVERY UPDATE, they are IMPLICITLY STATING these applications ARE FROM THE GOOD GUYS and ARE TO BE TRUSTED. If Comodo DID NOT ADD THESE APPS to the Trusted list, THEY WOULD NOT BE ABLE TO RIP ME OFF. Thus, it is COMODO’S poor design decision, and NO FAULT of my own, the USER. For these reasons I have stopped using Comodo Firewall. It is NOT a product designed for privacy by adding the vendors of DATA MINING SOFTWARE into the “TRUSTED” software vendors list.

I have switched to Outpost Pro, which DOES NOT MAKE decisions for the User. Take a page from their book if you don’t want to fail among the technically-minded… But then again, profitable business does not come from that demographic. I would gladly have paid for any of your software, $49.99 USD up until these decisions were made for the User.

Thank you for your time.

It is the user’s responsibility to audit their own systems. No one else.
This list was created and added due to user request. Obviously there is a desire for its existence.
If you do not wish to make use of the Trusted Vendors List, turn it off and/or remove the vendors from the list. Don’t complain that it can ruin/destroy your security when you yourself have the option to turn it off / not use it.
It is not forced on you to keep.
Defense+/Advanced/Defense+ Settings/General Settings tab. Uncheck the option to use Trusted vendors.
I think Whoop’s idea to resolve the matter to everyone’s satisfaction is a good one.

Yep.

I have no problems with the list itself. The problem I have is that Comodo keeps putting things I don’t want on it. Certain companies like Comodo and Microsoft are a good choice for the list. Not that I trust Microsoft all that much, but since I’m using their OS, I’m kind of powerless against them.

However… Skype, Paltalk, Apple, etc… I don’t see any reason to be on my list just because some users trust them.

My trust isn’t a community job… As you said, it is my responsibility to audit my system. No one else’s.

If some people like the list, that’s completely fine with me. Just let me have the ability to tell Comodo not to put anything there.

That works for me also (although I am happy with the list, just having the option to control what is on this list during an install is a big plus).
If not during the installation process, then as a run-once module when CIS is first run after an installation (this can be a separate module that is called by CIS, thereby not adding to system resources under normal use.)

I think that or something similar is a great idea!
+1. :-TU :-TU

Yes, that would be great.

I think the list makes a lot of sense for certain companies, I’d just like to have control over who gets put there. I don’t think that’s too much to ask, as it is my system. Going through after every update and removing the same companies over and over is a mini-game I’d rather not play. :wink:

And why would you remove any of these known companies from the list? Especially big ones like Adobe and other similar ones. If they are verified, there is absolutely no reason not to use the digital signature.

You mean other than the fact that I don’t use their products so I have no basis on which to trust them?

A few companies that should be on their list, because most have used their products at some time, are Logitech and Logitech Inc (same co. but they have two signatures.) and Microsoft Windows Hardware Compatibility Publisher (for the drivers and their GUI, e.g. Realtek audio drivers and HD Audio Manager).

You don’t need to base your trust solely on whether or not you use the software. The fact that there is a digitally signed certificate that is co-signed, and therefore verified, by a Trusted Certificate Authority, such as Comodo or Verisign, should be all you need to “trust” the software vendor. These Trusted Certificate Authorities don’t countersign third-party software without investigating the company thoroughly. That Certificate of Trust means a lot, to both the software vendor and the people who purchase their software. It carries much more weight than an individual’s opinion of the software or the software vendor. You might have a high opinion of a software program, but if the vendor doesn’t have a co-signed digital signature, the trust they have gained will be limited to users of their software. Their software would have more widespread trust if it were digitally co-signed by a Trusted Certificate Authority.

I know there are exceptions to that statement, such as Kodak, whose software I have some of, that I can’t find a signed executable to add them to the My Trusted Software Vendors list. But Kodak is a well-established name in the camera and software business that I can trust, even though, for whatever reason, they have not gotten their software digitally co-signed. That, however, is the flip-side of this argument. Companies that you aren’t that familiar with, that do have a digitally co-signed executable, CAN be trusted. They earned that co-signature from the Trusted Certificate Authority. That is the whole point of a co-signed digital signature. It creates trust in the software vendor’s product by letting the public know that the software vendor can be trusted, because the company has been verified by an independent certifying authority.

So you’re saying that if a vendor gets a digital signature for an application, then all of their products are trustworthy? I don’t think so.

Even biggies like Apple aren’t above doing things like installing Safari when all you want to do is update Quicktime…

  • It is not the software that is countersigned, but the digital certificate of the software vendor!
  • In fact the digital signature tells you nothing about the quality of the software; the software vendor may sign anything he wants to with his certificate!
  • A valid countersigned signature tells you that the software wasn’t modified by any third party since it was signed and that the identity of the signing company was checked (to a certain degree…) by the countersigner. Nothing more!
  • So it’s still up to you to decide if you trust the signing company or not. The digital countersignature gives you only a certain security that the signer is who he claims to be.

It’s pretty sad, but I think you’re right on this point, because people don’t know what digital certificates are for!

Simply the fact that there’s a list to put “Trusted Software Vendors” on should tell you that you shouldn’t trust any software vendor who owns a countersigned certificate.
The approach of Comodo to put some known vendors on this list is just an attempt to decrease the number of popups. I’m not a fan of this approach and I already stated in another thread that I think it’s a very bad idea.
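The bullet points above draw the line between what a countersigned code signature proves (the file is unmodified since signing, and the signer’s identity was checked by the CA) and what it does not (that the software is wanted or well-behaved). The script below is an added example, not code from the thread or from Comodo: it reads the Authenticode signature of a file with PowerShell’s built-in Get-AuthenticodeSignature cmdlet, separates the integrity/identity result from the trust decision, and applies a list of signer subjects that the user maintains. The function name Test-VendorAllowed and the subject string in $myList are constructed placeholders, not a recommended vendor list.

```powershell
# Added example: what an Authenticode check can and cannot tell you.
# It reports (1) whether the file is unmodified since signing and (2) who signed it,
# then applies the caller's own allowlist of signer subjects. Whether the software
# is wanted or well-behaved is not something the signature can answer.
# Test-VendorAllowed and the subject strings below are constructed for illustration.

function Test-VendorAllowed {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Signer subjects the user has decided to trust (exact match on certificate Subject).
        [string[]] $AllowedSubjects = @()
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Integrity and identity only: 'Valid' means the file hash matches the signed hash
    # and the certificate chain builds to a root the OS trusts; 'HashMismatch' means the
    # file was altered after it was signed; 'NotSigned' means there is nothing to check.
    $integrityOk = ($sig.Status -eq 'Valid')

    # The allowlist decision belongs to the user, not to the signer and not to the CA.
    # An unverified signature never counts, even if the subject string is on the list.
    $vendorOk = $integrityOk -and ($AllowedSubjects -contains $subject)

    $note = if (-not $integrityOk) {
        'Signature did not verify; do not rely on the signer name.'
    } elseif (-not $vendorOk) {
        'Signature verifies, but this signer is not on your list: the trust decision is yours.'
    } else {
        'Signer is on your list.'
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $subject
        Thumbprint      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Timestamped     = [bool] $sig.TimeStamperCertificate
        IntegrityOk     = $integrityOk
        VendorAllowed   = $vendorOk
        Note            = $note
    }
}

# Usage: the list below is a constructed placeholder, not a recommended set of vendors.
$myList = @(
    'CN=Example Vendor Inc, O=Example Vendor Inc, L=Example City, S=XX, C=US'
)

Get-ChildItem -Path $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Select-Object -First 20 |
    ForEach-Object { Test-VendorAllowed -Path $_.FullName -AllowedSubjects $myList } |
    Format-Table Signer, SignatureStatus, VendorAllowed, Note -AutoSize
```

Run it in a PowerShell session on the Windows machine being audited. A row with SignatureStatus Valid and VendorAllowed False is the normal case for most software: the identity and integrity checks passed, and the only thing missing is the user’s own decision about that signer, which is exactly the distinction the bullet points make.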

What on earth has Safari to do with Quicktime and all the above to be trustworthy? It’s just dumb Apple policy to install stuff you don’t need or want. However, in the end, technically speaking both Safari and Quicktime are trustworthy applications. Who really cares if you don’t trust them even though millions of users do (and Apple or any other similar company is generally trustworthy). That’s the exact reason why it should be included in the list of trusted applications, so popups are not spawned for stuff that’s not malicious.

And why is it a bad idea to trust known good vendors? You can’t steal or modify a digital signature without breaking it. If you’re afraid of malware exploiting this feature, well then it can just as well exploit the exclusions mechanism in every antivirus there is.

You have the option to install or not install Safari with QuickTime. I have QT installed for the Codec, but have always refused to install Safari. Again, it is personal choice what you install and what you don’t.

@ ring0r,

Ya nicely yoinked a quote of me, “out of context”, and called BS.

As a lot of common sense has since been posted, it’s almost a shame to respond now, but ya called out the Bad.
I could dissect your post line by line and demonstrate your ignorance on the subject.
As a self proclaimed “advanced user” ha ha. You should have been able to figure out that you can choose
to use/not, modify/not, the list. Talk about PEBKAC!

Just to emphasize there is a huge difference between Possibly Unwanted Software and Malicious Software.
If (big if, like in my quote) a legit Co. on the list did slip you a little extra something and you didn’t want it, you could easily uninstall it.
I seriously doubt you will get Skype (example) installed by a malicious drive by. Or anything else from a vendor on the list without the user initiating it.
If one of the Companies on the list turned Malicious, do you really think they would remain on the list?
Silly man.

Granted there is some room for a little more refinement, as with those that choose to customize the list and updates putting vendors back. All in due time.
Comodo is working hard to provide usability for the masses, for which you have so much disdain.
Yet they still provide total granular control, for those advanced enough to really know what to do with that control.

Enjoy your paid Soft, mkay, bye.

I personally think it is ignorant or wrong of people to bash at a feature that does what it is supposed to do just because they either don’t use it or see an imagined threat and don’t (seemingly) wish to turn that feature off (which would thus resolve their issue).
Just my thoughts on the matter.

It has everything to do with being trustworthy! A trustworthy vendor won’t try to slip anything I didn’t ask for on my system! If you feel that’s cool for someone to do, then by all means let them fill up your HD with unwanted stuff!

And no, Quicktime isn’t particularly trusted… This is why corporations like Secunia have stepped in and have written applications (PSI) to let you know when you should update Quicktime and other software you may have installed because of security breaches.

Yes, you have the option. But do you really feel that opt in by default is a reasonable practice? I don’t. I feel that opt in by default is merely a company preying on those not paying attention, or even not realizing what the check boxes mean. It’s your basic “average user” who many people feel that Comodo is not yet ready for that are ending up with Apple pushing Safari onto their systems without them realizing what happened. This is exactly the same sort of practice that those predatory websites use by intentionally misspelling a popular website in hopes of netting the unwary.

Wow! :o

I’m not sure how to respond to that one. Being that this is a multicultural forum, and English isn’t many users’ native language, I guess I’ll try tact and not respond in kind. Where I come from, it’s extremely poor form to call someone ignorant or wrong because they have a different viewpoint than your own…

And I’m not trying to “bash” the feature. As I have already stated, I think the list has its uses. That is why I don’t want to turn it off to “resolve” my issue. What I have said is that I don’t approve of a blanket trust system for many vendors that get added to the list without my consent. I may trust an application or two of any vendor, but that does not mean that I trust all of their products! I’m actually a bit surprised that many of you security minded folks don’t feel the same way.

All I’m saying is that I want Comodo to ask me if it’s OK to put certain vendors on the list. I’m really not sure why this makes me ignorant… 88)