Very Disappointing

I always look forward to new releases from Comodo, and was intrigued by the release of the Comodo Dragon browser, so I installed it. After using it I was very disappointed by the way it handled standard SSL certificates. I am a part owner of several ecommerce websites, and noticed that when I attempted to view our sites or sites that use standard, but nonetheless secure, SSL certificates, Comodo Dragon displays a full page warning telling the user that the site is potentially unsafe, and that it is not recommended to continue. The user then needs to click a button to say they wish to continue to this potentially “unsafe” website. I found I needed to click the I accept button twice just to continue. Once the user chooses to continue, the address bar shows a crossed out https: in red, which implies that the website doesn’t even use an SSL certificate, even though it does in fact use one. We happen to use the GeoTrust Quick SSL Certificates. The only difference with this type of certificate is that the process in which the certificate is issued does not verify the details of the business. The certificate is indeed secure, so I am really curious why Comodo would feel the need to do this? The site is secure, yet you are trying to tell users that it is not.

I do see the advantage of letting users know if the business itself has been verified via the certificate but don’t feel that it is justified to display such a warning telling people that it is not recommended to continue to the site…and I also question these tactics used by Comodo, especially considering the fact that Comodo just so happens to sell these more expensive types of SSL certificates. Personally I can’t help but feel that these are dirty tactics used by a company who wishes to sell more of these more expensive SSL certificates, and I am almost surprised that the warning page does not display an ad from Comodo stating something along the lines of “Are you the website owner? Want to remove this annoying message…then Click here to purchase our SSL certificate to remove this warning.”

The Comodo Dragon browser also fails to take into consideration that there are other 3rd party verification programs that exist that also verify the identity of the business. We personally use Trust Guard for this purpose. And the verification process is more thorough than the methods used to verify a business with these business verified SSL certificates. The other issue I have with this process is the fact that the user can’t even white list the domain if they know the site is safe. I personally think that in the future, as this browser becomes more popular, many website owners will simply detect the Comodo Dragon browser on the webpage and warn users that this browser is not accepted on this website. I know that I am considering doing this. I really hope that Comodo can fix these issues because I don’t think it is fair to website owners who are in fact legitimate businesses who just happen to use the non business verified SSL certificates.

It would show this if there was a link on that page to an insecure site.

Did you try the latest beta 6.0.0.10?
They have made changes to this mechanism…

It will do this if any resources on the page are not HTTPS. Such as ad banners, awards, etc…

As you can see from my screenshot, even Comodo.com gets this same treatment from Dragon. Agreed, it does look a bit intimidating and could be misunderstood if you don’t know the reason behind it, but as Dragon is touted as being security oriented, it’s good that it lets you know.

Edit: Forgot to mention that viewing the page info on the site will tell you specifically what the problem is. (Added Screenshot) As you can see, it does say the page is encrypted, but has insecure resources.


@ D190:

First of all, I do thank you for taking the time to give us your feedback.

Let me explain our logic…

but before I do this let me clarify that: This warning is for any “non-validated” certificates, including Comodo! So it’s a fair warning…

What is a non validated certificate? Should it exist?
Non validated certificates are a way of, literally, cheating the browser to display the padlock logo. End users have come to trust these yellow padlocks and have come to get warm fuzzy feeling when they see it. The reason is because no SSL was issued without validation. So the padlock did stand for something…

but with the loophole in the lack of “Standards” in the SSL business, this was exploited and so called “Certification Authorities” started issuing certificates without “Certifying/Validating”… which pretty much goes against their very name “Certification Authority”. Now these certificates, although used by many legitimate entities, are also used by MANY fraudsters. Hey, look, we have just handed them the “Key” to “trust” for a mere $15 :). All a fraudster needs is $15 in their pocket and they can make their site “trusted”…cool ha :). Take a look at this http://www.ccssforum.org/malware-certificates.php where you will see many “unvalidated” certificates being used by malware providers who in return make $100M from this…(yes $100s of Millions)…

So, these certificates should NOT be used by legitimate ecommerce providers. Afterall, as legitimate ecommerce shops you want to make sure to give the maximum trust and confidence to your end users. Why would you choose to have a certificate that has no validation in it? Don’t you want your customers to trust you? No legitimate ecommerce wants to cheat their customers by showing a “trust” indicator although there is no “trust” inside that indicator.

This is why I created the www.cabforum.org to set up new standards which resulted in EV SSL. And when you buy any Certificate from Comodo, you will get this certificate along with it for Free!! Why? Because it’s important to validate the good from bad! Our end users deserve nothing less. I totally believe that all good legitimate ecommerce shops care for their end users and they DO want to show them that they are legitimate.

Some facts: Comodo has varied levels of prices, from world’s cheapest…to higher value ones. eg: www.positivessl.com , go there and get a cert…then you will get a free upgrade to EV SSL automatically! That means for $9.95 you get an EV SSL certificate!!!

So D190: do you care for end users? Do you want them to validate and see how good you are? If the answer is yes, why are you not using EV SSL? (’cos it’s only $9.95!!! Cheaper than a non-validated certificate).

I sincerely believe that you do care and you do want to validate yourself to your potential customers. So here once again Comodo provides you the means to be able to do that and for only $9.95!!! (no other Certification Authority is doing that for you today!!)

Melih

I’m not disappointed with CD. It was interesting to see how it handled the certificate when I logged into my Facebook account.

This problem that the OP complains about is a useful feature inherited from Chromium, with some relevant modification. Complain to Google too.

The “Crossed out” https means that content that does not come through that secure connection is displayed on the “secure” site. So, you use ads on secure pages in your websites.

Even when you don’t remember that most browser hijackings come from ads on otherwise legitimate websites, loading content from outside the secure connection negates most of the premise of using SSL.

Even if your ads don’t use scripts, it gets easier for someone else to insert one - packet injection over a wireless network is a standard feature under Linux for my Intel wireless card on a stock Dell D830 Laptop, as one partial example of how available the means are to take advantage of this. I don’t need a special feature to insert packets when we’re not running wireless.

A stream of encrypted data from one source to 443, and normal data from another source to port 80 is a giant flag for those who want to take advantage - good packet sniffers abound! Some will even let me run a script for me… to insert a script for them. There goes your customers’ privacy. If they don’t have a decent antivirus, I could do more.

Meanwhile, Dragon is a security-oriented browser. That means Dragon, “errs on the side of caution so much that sometimes folks think it’s paranoia, when it’s really not”.

Fix your websites before someone who actually does this stuff finds your customers.
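The point made above, and earlier in the thread, is that the crossed-out https: means the HTTPS page pulls some sub-resources over plain HTTP. The following is an added example, not code from the thread or from Comodo: a small stdlib-only scanner that lists the sub-resources of a page that would load over HTTP, so a site owner can find the ads, seals and scripts that trigger the warning before a browser does. The page URL, host names and HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource (constructed
# list, not exhaustive; plain <a href> links are clicked, not fetched, so they
# are left out).
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "source": ("src",), "embed": ("src",),
    "object": ("data",), "video": ("src", "poster"), "audio": ("src",),
}

class InsecureResourceFinder(HTMLParser):
    """Collect sub-resource URLs that would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//host/...") URLs inherit the
            # page's scheme, so only an absolute http:// URL is mixed content.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.insecure.append((tag, name, absolute))

def find_insecure_resources(page_url, html):
    parser = InsecureResourceFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.insecure

# Constructed sample: an HTTPS checkout page that pulls an ad script and an
# award seal over HTTP, alongside resources that are fine.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/shop.css">
<script src="https://cdn.example.test/cart.js"></script>
<script src="http://ads.example.test/banner.js"></script>
</head><body>
<img src="//cdn.example.test/logo.png">
<img src="http://awards.example.test/seal.gif">
<a href="http://example.test/about">About</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_resources("https://shop.example.test/checkout", SAMPLE_PAGE):
        print(f"insecure {tag} {attr}: {url}")
```

Running it on the sample reports only the ad script and the award seal; the relative stylesheet and the protocol-relative logo resolve to https and pass.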

Ooo, those were some strong words there Boss, but informative; but I think you knocked the OP (What does OP stand for exactly? I know it refers to the person that started the post, but I am not sure what words the abbreviation stands for. :smiley: ) unconscious with the strength of those words, because he or she has not been back since :smiley: :wink:

It is good to hear from the Experts like you, sometimes, Boss. :wink:

Original poster.

Thank you Boss, I feel stupid for not knowing that. ;D

Thank you for the English lesson Boss, I hope my Old Brain will remember that. :wink: