Where can I securely download Comodo Firewall from?

A recent thread reminded me of this:

I can’t find a secure download link for Comodo Firewall. Most of the download links on Comodo.com go offsite and I can’t find any checksums or .sig files on Comodo.com to verify that the files I’m downloading haven’t been tampered with. I’ve found some links to the files hosted on Comodo.com, but none of those are HTTPS.

Seems not-good to download security software without a way of verifying it :slight_smile:

The files provided here don’t lead to third parties; they are, however, provided over http, but you still have the MD5 and SHA1 to compare with.

Edit: You can copy the links given in that thread, let’s take for example http://download.comodo.com/cis/download/installs/2000/standalone/cispremium_installer.exe and then you can change the “http://” part to “https://” to download it over https… don’t know why it isn’t that by default.

After downloading Comodo Firewall from a third-party site you can make sure it has not been tampered with by checking the digital signature. As long as it says the digital signature is OK you are fine.

Thanks Sanya! Exactly what I was looking for. Why aren’t those hashes on the main download pages?

As for the digital sig built into the .exes, I’ve never known how far I can trust those. I know the certs will say something like “Comodo Inc” and they’re signed by some trusted CA, but those CA keys leak occasionally and surely they’re tricked sometimes - out of all the CAs out there, surely there’s one I could convince that my last name is “Comodo” and sign a cert named something like “Comodo Apps” for me.

Funny story from work - one of our departments was bringing yet another snazzy hosted web service online and opted to have our IT department make a DNS entry so this off-site service could have URLs like “snazzyservice.MyCompany.com”. This snazzy service did HTTPS for logins and during implementation the IT department got to wondering how these guys were pulling that off since we’d never passed along a certificate signing request for them. Turned out these guys had a disturbingly close & casual relationship with a major CA and the CA would just sign whatever - including a certificate in my company’s name! Our security officer went thru the roof :slight_smile:

Uhmm… Iunno…

I just ran across a couple articles that mention malware being signed by a trusted CA:

 http://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/
 http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/

Articles like that and all the Snowden revelations make me want to have a little more assurance that any installer I run hasn’t been tampered with; assurances like the file coming directly from the developer’s HTTPS site or the developer publishing hashes on one of their HTTPS sites.
And that’s exactly what I get with the hashes being on the forums :slight_smile:
But I’ll bet some other folks look for those hashes, but can’t find them.
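
The MD5/SHA1 comparison discussed in this thread, as an added example that is not part of any post and not Comodo's own tooling: it pulls both digests out of text pasted from a post, hashes the downloaded file once, and accepts it only if every published digest matches. The function names are hypothetical, and the sample "installer" and digests are constructed (the bytes `abc`), not real Comodo values.

```python
import hashlib
import hmac
import re
import tempfile

# Labels and hex lengths of the two digests the thread says are published.
PATTERNS = {"md5": (r"md5", 32), "sha1": (r"sha-?1", 40)}

def parse_published(text):
    """Pull the MD5 and SHA1 hex strings out of text pasted from a post."""
    found = {}
    for algo, (label, n) in PATTERNS.items():
        m = re.search(rf"\b{label}\b\W{{0,3}}([0-9a-f]{{{n}}})\b", text, re.I)
        if not m:
            raise ValueError(f"no {algo} digest found in published text")
        found[algo] = m.group(1).lower()
    return found

def file_digests(path, algos):
    """Hash the file once, in chunks, with every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}

def verify_download(path, published_text):
    """True only if every published digest matches the file on disk."""
    expected = parse_published(published_text)
    actual = file_digests(path, expected)
    return all(hmac.compare_digest(actual[a], expected[a]) for a in expected)

# Constructed sample: digests of the bytes b"abc", formatted the way a
# forum post might list them (mixed case on purpose).
SAMPLE_POST = """
MD5: 900150983CD24FB0D6963F7D28E17F72
SHA1: a9993e364706816aba3e25717850c26c9cd0d89d
"""

def write_sample(data):
    """Write constructed bytes to a temp file standing in for the installer."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as fh:
        fh.write(data)
        return fh.name

if __name__ == "__main__":
    print("intact:  ", verify_download(write_sample(b"abc"), SAMPLE_POST))
    print("tampered:", verify_download(write_sample(b"abd"), SAMPLE_POST))
```

The check is only as trustworthy as the channel the published digests arrived over, which is the point made above about wanting them on an HTTPS page.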