Turn Off Extended SSL verification "feature" in CD?

Hi, I am wondering how I can go about turning off the Extended SSL verification “feature” in CD?

While I understand the feature and its useful purpose for the general public at large, I actually understand SSL, the different types, levels of verification. I also understand the weaknesses of SSL and the SSL selling points… blah blah blah.

But…while I love CD for its many security and privacy features, I do not want My web browser to force me to push an additional button (in the middle of the browser window no less) to agree to go to a web page I use all the time, like duckduckgo (among others, many much older than CD).

I would just like to turn this particular feature off, is this possible?

Thanks in advance for any help anyone can give.

This feature has been debated many many times and thus far it is not configurable.

DuckDuckGo claims to protect your privacy, but how do you know? What happens if your data gets out there? Who do you go after legally should it come to that? They want you to trust them solely on the fact they have control of a domain name. Honestly, this isn’t enough and this is WHY Comodo Dragon throws up said warning.

Did you know most scammers, malware providers and other malicious people use the same type of certificate (DV) as DuckDuckGo? This is WHY CD goes through such great lengths to provide such a warning.

It is ridiculous that even manually importing the cert doesn’t remove this warning, and it seems so far there is no way to remove this “feature” for the people who, as stated on my OP, understand SSL. While this is a valuable feature for many, it’s the only reason I don’t use CD as my primary browser. Also the Fear Uncertainty and Doubt posts on this site kinda creep me out too.

“DuckDuckGo claims to protect your privacy, but how do you know?” - Does the fact that a website buys a $1000 EV cert mean they follow good netsec policy internally, patch 0 day exploits, and don’t use root p/w’s like Password on their credit card processing database? No.

“What happens if your data gets out there?” - well if “my data” does get out there, how would I ever know? How would I know that exact website was even responsible unless they told me? Oh… I wouldn’t.

“Who do you go after legally should it come to that?” - So we should start filing suits against corporations and their SSL providers every time there’s a security “incident”? Well then I guess we’d start playing the litigation blame game, but really it would never get to that point, since any T&C’s you agreed to at their site probably indemnified them from damages for things like lax network security or stupid employees. There’s a reason they have these million $$$ “if you can prove our SSL was at fault” policies…dumb people like big numbers, but how many of those claims ever really get paid out? Very few, because it’s always going to be someone else’s fault up the line.

“They want you to trust them solely on the fact they have control of a domain name.” - thanks, I understand domain validation, as contrasted to the stringent verification procedures of an EV cert. Sweet, that means the registrant faxed a piece of paper legally connecting them somehow with the domain or corporation… will a fax of a photocopy of a business card and permit do? Oh well, that Definitely IS enough for me to trust them, and is an obvious testament to the fact that they Will protect my information.

“Honestly, this isn’t enough” - really? Really? so for the thousands of websites who have been around 20 years longer than CD, without any SSL at all, it isn’t enough? Wait… we just need EV SSL 3D…on every website… That will be enough…then we can all browse safely.

“Did you know most scammers, malware providers and other malicious people use the same type of certificate (DV) as DuckDuckGo?” - no, of course I don’t know that because the actual fact is that most scammers, malware providers and other malicious people don’t use any SSL at all, since their site will likely be shut down tomorrow, and most of their victims don’t care about SSL (and would stop listening even if you tried to tell them). And if scammers do want to lend an air of credibility to their scam site, they would use a ■■■■■■ SSL provider like G-dd–y who rents their root, instead of an expensive one like Eq–f–, as in DDG’s case.

So thanks for your response, I will look for other ways to disable this “feature”, however nothing annoys me like people who try to state their opinions as fact.

That being said, I think SSL and even EV SSL has its place, it should be a law that banks and online tax processors use it…oh wait it is a law. And anybody who sells something should prolly have a cert, and not a cheap ■■■■■■ one (but that’s really just for the benefit of people who actually understand SSL).

But forcing me to click this annoying button a million times a browsing session, without the option to turn it off kinda makes me feel like CD is a creepy advertisement for expensive SSL, like a shareware browser, and that is why it’s not my only browser.

I feel the same… Even when I visit websites that are trusted, I get this “warning”… why?

Could there be a future update where it’s possible to turn this SSL warning off?

I asked our developers to take a 2nd look at this feature to see how we can improve.

The problem with SSL protection with some sites that use certificates that have no trust in them is that you simply don’t know you are on that site :( So we err on the safe side, we always will.

But as always, we try to improve everything all the time.

Melih

"DuckDuckGo claims to protect your privacy, but how do you know?" - Does the fact that a website buys a $1000 EV cert mean they follow good netsec policy internally, patch 0 day exploits, and don't use root p/w's like Password on their credit card processing database? No.

You don’t need an EV certificate to make the warning go away. You simply need an IV/OV (Identity/Organization) or better certificate. Only EVs from Verisign cost an arm and a leg. Comodo EVs are roughly half that.

"What happens if your data gets out there?" - well if "my data" does get out there, how would I ever know? How would I know that exact website was even responsible unless they told me? Oh... I wouldn't.

Depending on how large the site is/was, the news might have told you. I’d venture to say most reputable companies would let you know of a breach shortly thereafter but I truly can’t speak for them all.

"Who do you go after legally should it come to that?" - So we should start filing suits against corporations and their SSL providers every time there's a security "incident"?

Why the SSL providers? The SSL provider has nothing to do with network security. You should be able to go through an SSL provider to recoup lost fees but that's really about it. The SSL providers are not akin to the Payment Card Industry. It's up to you to secure your servers, not them.

Well then I guess we'd start playing the litigation blame game, but really it would never get to that point, since any T&C's you agreed to at their site probably indemnified them from damages for things like lax network security or stupid employees.

And who is the one that agreed to those T & C? I doubt a T & C of the points you brought up would stand up in a court of law in today’s world but it all depends on the case.

There's a reason they have these million $$$ "if you can prove our SSL was at fault" policies...dumb people like big numbers, but how many of those claims ever really get paid out? Very few, because it's always going to be someone else's fault up the line.

That’s because the SSLv3/TLS protocol in itself is not the weakest link.

"They want you to trust them solely on the fact they have control of a domain name." - thanks, I understand domain validation, as contrasted to the stringent verification procedures of an EV cert. Sweet, that means the registrant faxed a piece of paper legally connecting them somehow with the domain or corporation... will a fax of a photocopy of a business card and permit do? Oh well, that Definitely IS enough for me to trust them, and is an obvious testament to the fact that they Will protect my information.

I think you don't understand what an EV certificate is. What you speak of is an IV/OV certificate. EV goes beyond that.

"Honestly, this isn't enough" - really? Really? so for the thousands of websites who have been around 20 years longer than CD, without any SSL at all, it isn't enough? Wait... we just need EV SSL 3D...on every website... That will be enough...then we can all browse safely.

See above.

"Did you know most scammers, malware providers and other malicious people use the same type of certificate (DV) as DuckDuckGo?" - no, of course I don't know that because the actual fact is that most scammers, malware providers and other malicious people don't use any SSL at all, since their site will likely be shut down tomorrow, and most of their victims don't care about SSL (and would stop listening even if you tried to tell them). And if scammers do want to lend an air of credibility to their scam site, they would use a ■■■■■■ SSL provider like G-dd--y who rents their root, instead of an expensive one like Eq--f--, as in DDG's case.

Maybe 5-7 years ago this was true, but not in today's world. While this site [ http://www.ccssforum.org/malware-certificates.php ] may not have a giant database into the millions, it does show you that malicious people do use DV certificates.

So thanks for your response, I will look for other ways to disable this "feature"

You will not be able to do so without reverse engineering CD or exploiting a bug. It requires the CD Devs to make this a user-enabled feature.

That being said, I think SSL and even EV SSL has its place,

Technologically they're the same (EV, OV/IV and DV). The extent of the difference lies within the 'Certificate Policies' section on the certificate; this is an OID that points to a particular CA. If this OID is not there, it's not recognized as an EV class certificate.

it should be a law that banks and online tax processors use it..oh wait it is a law. And anybody who sells something should prolly have a cert, and not a cheap ■■■■■■ one (but that's really just for the benefit of people who actually understand SSL).

You don't have to understand SSL to buy an OV/IV, DV or EV class certificate. You should do your 'homework' before buying things anyways to make an educated decision and if you don't know something, ask.

But forcing me to click this annoying button a million times a browsing session, without the option to turn it off kinda makes me feel like CD is a creepy advertisement for expensive SSL, like a shareware browser, and that is why it's not my only browser.

Wow, what sites do you visit that you have to do it a million times? On the average I see it 3-4 times throughout the course of my day and I browse A LOT. As said above, I don’t think you understand the different certificate types (EV, IV/OV, DV), and the warning goes away with an OV/IV certificate and these go for as little as $70 a year. That’s really expensive. 88)

I hope there’s never such a feature. I hope to see it tweaked ever so slightly. It brings your attention to the kind of site you’re on and that’s part of the reason I personally like it.

We will have an option to turn off this feature in the next version.

Can we have a whitelist instead in addition to turning it off completely? Personally I like having it on, but there may be some sites I want to turn it off for.

That is Awesome… while I think it’s a great feature for most users, I also think people should have the freedom to turn it off as well. And now they do, you guys are great.

Thank you for the prompt replies, and thanks for putting out an excellent browser like CD.

Turning off warning for low-validation certificates has been implemented in Dragon 13.2:
https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-ver-132-is-now-available-for-download-t75971.0.html