Calendar Of Updates: Comodo continue to issue certificates to known Malware - Calendar Of Updates

Comodo continue to issue certificates to known Malware
Comodo asks MVP Mike Burgess to keep quiet

#1 Donna

Posted 16 May 2009 - 03:48 PM

Quote

I was following up on a list of malware sites posted on Dancho Danchev's Blog and yet again I find Comodo issuing certificates to these Malware writers. The reason I say again is I was given a "secret" email address at Comodo a while back to report these culprits ... however I was asked to keep it quiet.

http://msmvps.com/bl...16/1692519.aspx

What's the use of reporting to Comodo if they will ask the alerter on security/privacy issues to shut up? And why give an email address in the first place to report problems on certificates issued to known malware/rogue by Comodo?

All I can say is Comodo products need NO support at all. If they continue to earn money from these malware/rogue authors by issuing certificates or if their free certificates give them “popularity” (to attract potential paying customers) then how will the fight against rogue/malware succeed if a known security vendor will do that?

#2 Data

Posted 16 May 2009 - 04:03 PM

Donna, on May 16 2009, 04:48 PM, said:

What's the use of reporting to Comodo if they will ask the alerter on security/privacy issues to shut up? And why give an email address in the first place to report problems on certificates issued to known malware/rogue by Comodo?

All I can say is Comodo products need NO support at all. If they continue to earn money from these malware/rogue authors by issuing certificates or if their free certificates give them “popularity” (to attract potential paying customers) then how will the fight against rogue/malware succeed if a known security vendor will do that?

Agreed. They are too deep into "the dark side". I'm in two minds if I should delete my account there.

As I've stated before, Comodo are very pushy about selling the paid, pro version of the free products they do.

#3 Donna

Posted 16 May 2009 - 04:16 PM

There should be no problem in advertising their paid products to people who opted to enter the email address but to ask anyone to shut up when reporting security/privacy issues on their services/products is unacceptable (in addition to partnering with known unwanted, suspect, spyware/adware company, Ask).

Comodo BOClean updates are going to stop by May 26 but I just told CoU Calendar Mods to stop posting updates information on BOClean. No Comodo products will be posted here from now on. It just does not make sense to even recommend or be informed of any of their products/services.

#4 Charlie

Posted 16 May 2009 - 05:50 PM

Donna, I agree and apologize for ever supporting them. I too trusted them until I needed help after their CIS trashed my system. May I post your thread elsewhere?

#5 Donna

Posted 16 May 2009 - 06:53 PM

Feel free to share the links, Charlie. People make mistakes in choosing what we will use but we can always correct it, if we want :)

There are many and better alternatives.

#6 WiltedShoots

Posted 16 May 2009 - 07:57 PM

Donna, on May 16 2009, 02:53 PM, said:

There are many and better alternatives.

Once upon a time they had the best freeware firewall.
I was very happy to use it.
This is terrible all the stuff they are doing.

#7 roddy32

Posted 16 May 2009 - 08:41 PM

Agreed Donna. I would not be surprised if Kevin is sorry he sold BOclean to them in the first place but that is just a guess on my part. I have not talked to him in quite a while.

#8 hayc59

Posted 17 May 2009 - 01:58 AM

Thanks Donna and how many times can you
shoot yourself in the dang foot before you bleed out
WOW!!

#9 siljaline

Posted 17 May 2009 - 04:00 AM

MVP and friend Mike Burgess deserves full credit for this sad discovery.

#10 weaselthatbites

Posted 17 May 2009 - 06:49 AM

I guess that answers the question of whether you can trust the certificates...

#11 Donna

Posted 17 May 2009 - 07:01 AM

So Melih responded (thanks Gordon for the link to Wilders discussion):

Quote

That's an ssl certificate (not a code signing cert).

Now let me explain the SSL Certificate market....

Until Geotrust came into picture in 2001 all SSL certificates were issued after validating the applicant to make sure they were a legitimate company (just that it existed as a legal entity etc so that the end user had a recourse).

Geotrust "innovated" their way into SSL market by removing this validation process and called it "Domain Validation".. which means the applicant has money and has a domain. And yes you guessed it, this means bugger all in terms of validation!

This allowed Geotrust to issue certificates very quickly to their customers. Of course this caused the end users to falsely trust sites too. One of the reasons why I initiated the CABForum was that these DV certs were eroding user trust in ecommerce by creating a false sense of security.

Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs which caused the likes of Comodo to offer it as well. If we didn't we would lose customers and the world would have no chance of fighting back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.

If one did a bad thing, doing what Melih already knows is not good will not solve the problem. Why join Godaddy and Verisign's DV certification if he knows it's not good for end-users?
Note that Godaddy and Verisign do not offer what Comodo is offering, a free and paid security software that is bundled with Ask.com and taking advantage of users' trust by also "trusting" malware domains.

And oh... Melih missed the big picture. It's not who else did this (so pointing fingers is not helping by making it look like he's not the only one) but why ask MVP Mike to shut up when he's reporting such certs issued to known malware/rogue domains? They as issuer of whatever secure certification have all the rights to reject/refuse/terminate it. Why did they not terminate it? It's about competition and money again... that the end-users are the ones to suffer by being a victim of malware/rogue.

@Randy,
Yes, it's Mike's work which is why I quoted him as you can see in the original post.
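
The difference described in Melih's quoted reply, between a certificate issued after validating the applicant as a legal entity and one issued on domain control alone, is visible in the certificate's subject. The following is an added example, not part of any post in this thread; both certificates are constructed samples, and the "Domain Control Validated" label is an assumption about how some CAs mark such certificates.

```python
# Added example: constructed certificates, not real ones.
# Layout matches the dict returned by ssl.SSLSocket.getpeercert().
DV_SAMPLE = {
    "subject": (
        (("organizationalUnitName", "Domain Control Validated"),),
        (("commonName", "shop.example.test"),),
    ),
    "subjectAltName": (("DNS", "shop.example.test"),),
}
OV_SAMPLE = {
    "subject": (
        (("countryName", "US"),),
        (("localityName", "Columbus"),),
        (("organizationName", "Example Widgets LLC"),),
        (("commonName", "www.example.test"),),
    ),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}

# Assumption: labels some CAs place in the subject of a DV certificate.
DV_MARKERS = ("domain control validated", "domain validated")


def subject_fields(cert):
    """Flatten the subject RDN sequence into {attribute: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields


def validation_level(cert):
    """Return 'domain-validated' or 'organization-validated' from the subject."""
    fields = subject_fields(cert)
    org = fields.get("organizationName", [])
    labels = org + fields.get("organizationalUnitName", [])
    if any(marker in label.lower() for label in labels for marker in DV_MARKERS):
        return "domain-validated"
    # No organization in the subject means only the domain was checked.
    return "organization-validated" if org else "domain-validated"


def asserted_identity(cert):
    """Summarise what the CA vouches for: host names only, or a legal entity too."""
    fields = subject_fields(cert)
    level = validation_level(cert)
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = names or fields.get("commonName", [])
    org = fields["organizationName"][0] if level == "organization-validated" else None
    return {"level": level, "dns_names": names, "organization": org}


if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE):
        print(asserted_identity(sample))
```

Neither result says anything about what the site serves; the subject only records who, if anyone, was identified as the applicant.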

#12 ColdinCbus

Posted 17 May 2009 - 02:24 PM

Here is the best part

Quote

So the problems that DV certs have caused has ranged from phishing sites to be secured with SSL to malware sites having a DV cert!

Perhaps it will take end users to start demanding the removal of DV certs from the market place! Cos likes of Verisign and Godaddy are against removing DV certs all together. (Verisign bought Geotrust for $120M two years ago).

Is this the first.. NO
will this be the last... NO

It's time to demand NO MORE DV CERTS!!!!!!!!

End users must start to show that they care about their security and demand from their OS providers, Browser providers, Standards organisations that they want proper validation for SSL certs and Domain Validation should be banned!

Thanks

Melih

OK, so he knows it is wrong. Here is a thought, why doesn't Comodo be ground breakers in the SSL certificate industry and start validating the applicants or... gasp ... not sell DV Certs.

#13 Monkey

Posted 17 May 2009 - 06:09 PM

Hello, I am Monkey_boy=) from the Comodo forums. I come in peace. :thanks: :love:

https://forums.comod...e-t39564.0.html

I don't see why you guys feel the need to trash Comodo for this when the major resellers of this are other vendors? That isn't even mentioned. Just Comodo. This is a certification related issue, not a Comodo related one.

@ColdinCbus Comodo sells this since the problem would not go away if they did not sell those certificates, the others still would.. At least if Comodo sells them they can warn the buyers that DV certificates are a bit less safe.

Comodo can't really be blamed if a site that has a certificate hosts malware a day. Let's look at a real world example, If I buy a car the manufacturer can't know that I have bad intentions and will drive over little kids with it.. But they can act after and send the person to jail..

Comodo does something similar, once they find out that one of their certificates is used to host something malicious, Comodo reacts since Comodo does not tolerate that kind of stuff..

Quote

Posted by Melih:
All the certificates relating to this site were revoked.

We do not tolerate malicious intent in any form.

As soon as we were alerted to this, our Validation team analysed these sites and immediately revoked their SSL Certs. Thank you for alerting us to this and look forward to our users' continuous reporting of any malicious activity on internet.

We are hopeful that through www.ccssforum.org we can improve the speed of alerts and response.

thank you

Melih


As you can see Comodo does what it can to prevent certificates to be used for bad..

Even hosting a site for people to quicker alert if a certificate is used maliciously..

#14 hayc59

Posted 17 May 2009 - 06:31 PM

Monkey, NO one is trashing Comodo!! Melih should be held
to a higher standard and was called on it and if that's what it took for him and company
to clean up his program so be it!!
You say you come in peace...?? How about just come informed and not blinded like others

#15 Charlie

Posted 17 May 2009 - 06:43 PM

hayc59, on May 17 2009, 01:31 PM, said:

Monkey, NO one is trashing Comodo!! Melih should be held
to a higher standard and was called on it and if that's what it took for him and company
to clean up his program so be it!!
You say you come in peace...?? How about just come informed and not blinded like others


I agree, had Melih and company done their homework this would have never happened. It's all about the money

#16 Monkey

Posted 17 May 2009 - 08:23 PM

hayc59, on May 17 2009, 07:31 PM, said:

Monkey, NO one is trashing Comodo!! Melih should be held
to a higher standard and was called on it and if that's what it took for him and company
to clean up his program so be it!!
You say you come in peace...?? How about just come informed and not blinded like others

Sounds like you are discussing the toolbar. To me that's a different topic.

Why should Melih be held to a higher standard than the competitors (Godaddy and Verisign, plus almost all of the certification authorities, that still push for weak DV certificates, something that Comodo is not doing to the same extent)?

Just out of curiosity what makes you think that I am not informed? Do you even understand what a certificate does? Sounds a bit like you repeat the stuff miss Donna says..

Charlie, on May 17 2009, 07:43 PM, said:

I agree, had Melih and company done their homework this would have never happened. It's all about the money

Is it ugly by Comodo to make money? As you probably are aware of, all companies need some cash to go around, yes they sell certificates to make money, yes there is an optional toolbar selected by default in their free security suite for home users/companies.

Off topic:

The Ask toolbar will be removed from CIS.. According to Melih himself..

#17 Corrine

Posted 17 May 2009 - 08:28 PM

Quote

Even hosting a site for people to quicker alert if a certificate is used maliciously..


Is that why Mike's report to Comodo via their "secret address" of a list of sites distributing malicious software was ignored and a new certificate was issued to rapid-antivirus2009. com? (Comodo continues to issue certificates to known Malware - Hosts News)

Give Comodo an hour and you'll have a validated certificate: Another Comodo Controversey.

#18 ColdinCbus

Posted 17 May 2009 - 08:45 PM

Monkey, on May 17 2009, 02:09 PM, said:

Comodo can't really be blamed if a site that has a certificate hosts malware a day. Let's look at a real world example, If I buy a car the manufacturer can't know that I have bad intentions and will drive over little kids with it.. But they can act after and send the person to jail..

Your analogy makes no sense. A car company can't prosecute anyone that used their car improperly. Keep in mind that the family of the person that was killed could sue the car dealer if they sold a car to a person that should not be able to purchase a car in the first place.

How about this analogy... I am a Security Product Vendor that makes this claim "Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider.". Now I sell a security certificate to a known malware vendor. It would seem that the general public might have a basis for questioning my claim of being "a leading global trust provider" if I did knowingly sell an SSL Certificate to a known Malware Vendor. And if I did it unknowingly, the general public might have to question how good my company's security software products are and how trustworthy my company is in the first place.

#19 Monkey

Posted 17 May 2009 - 09:09 PM

Corrine, on May 17 2009, 09:28 PM, said:

Give Comodo an hour and you'll have a validated certificate: Another Comodo Controversey.

It really doesn't matter so much if it takes one hour or a day, it just means Comodo is quick with its certificates. I don't really see why issuing certificates in 3-7 days would have an impact, the malware guys don't host malicious stuff until they got the certificate anyway. They can use any certificate from whatever company without a problem.

This is not Comodo specific in any way. Certificates are there to tell you YES THIS SITE IS THE SITE YOU ARE TRYING TO VISIT.. and also to protect your info while surfing (encrypting the connection) so that no one can see what is being sent except you and the site getting the info..

Certificates are not there to say "Hey this is malware free"..

Even if companies such as Comodo do their best to prevent having their certificates on sites with malware there is no way as of today for a certification authority to know the intent before and to know a site won't be used to host malware. But once they do and Comodo gets this info they react ofc.

Corrine, on May 17 2009, 09:28 PM, said:

Is that why Mike's report to Comodo via their "secret address" of a list of sites distributing malicious software was ignored and a new certificate was issued to rapid-antivirus2009. com? (Comodo continues to issue certificates to known Malware - Hosts News)

How do we know this guy is not trolling?

According to Melih they don't tolerate malicious sites to have certificates and this site lost their certificate once Comodo got this info, suggesting that they were not handed the info as claimed. Maybe not completely related but here is a post from Melih about what Comodo has done in order to fight "bad" certificates:

Quote

The issue of the inherent vulnerability that DV certs suffer from is different than what Comodo itself does.

DV certs are vulnerable.

Comodo has been championing to change that since 2005.

Comodo has founded www.cabforum.org and created a new trust indicator "green bar" (because the trust in yellow padlock is misplaced)

Comodo still to date is trying to mitigate the risks of DV certs by trying to convince the industry to adopt a new standard for DV certs. (with our efforts in www.cabforum.org)

Comodo is educating anyone who tries to get a DV cert from Comodo about benefits of Validation hence improving the understanding of SSL certs and pitfalls and dangers posed by DV certs to ecommerce.

So pls tell me which one we should not be doing?

Melih

PS: why don't you guys ask Browser makers and other Certification Authorities as to what they are doing to create a minimum standard for DV certs!

DV certs do NOT offer security unless the user types the https url in full into the address bar in the browser for a site they have already pre established trust with. Clicking on an https link on an http site is flawed if the https site has a DV cert! And DV certs should NOT be used for any ecommerce whatsoever!


#20 Monkey

Posted 17 May 2009 - 09:24 PM

ColdinCbus, on May 17 2009, 09:45 PM, said:

Monkey, on May 17 2009, 02:09 PM, said:

Comodo can't really be blamed if a site that has a certificate hosts malware a day. Let's look at a real world example, If I buy a car the manufacturer can't know that I have bad intentions and will drive over little kids with it.. But they can act after and send the person to jail..

Your analogy makes no sense. A car company can't prosecute anyone that used their car improperly.


Well that's true, ofc I meant in a more general way.. The point was that comodo (the car seller) can't know what the buyer will use the car for and if the buyer uses the car for bad all that can be done has to be done afterwards unfortunately (something that comodo is doing).

Ofc this real world example was bad since the seller was not the one doing the clean up.. But the part about comodo having little to no chance to prevent a malicious person to get hold of a certificate is true unfortunately.. and this applies to all the certification companies, not just comodo.

But I agree it was not one of the best examples.. :woot: :grin:

=)
