[Data]

I don't think Melih is playing with me, but to keep answering in the way he did would not be proper for one in his position. He might have realised that and changed his stance.

As for not understanding what I'm getting at.... Nah.

Monkey said:

Well it can matter if facts are wrongly presented due to this. Does it matter if I just pure out stuff like CoF is full of viruses avoid that site? Maby I think a .css file is a virus.. Ofc you will tell me people that Iam incorrect. Melih does that, he is claiming the articles is incorrect due to the advanced nature of it that is not fully understood by the people writing them.

What does CoF mean?

You don't need to understand the technicalities of a subject to know the core values. e.g. I don't understand the workings of the law, yet i know it's wrong to take somebody's property.
By the same logic, I know nothing about the workings of certificates, yet I know they are an indicator of trust. So when a certificate is bestowed on an entity I would not trust to any extent, by a company that claims to be in place to combat this, and is actively engaged in fighting the very people these certificates are going to, it's obviously wrong, and I have to question it. The fact Comodo are at it makes the effect that much worse.

[Donna]

Quote

Well it can matter if facts are wrongly presented due to this. Does it matter if I just pure out stuff like CoF is full of viruses avoid that site? Maby I think a .css file is a virus.. Ofc you will tell me people that Iam incorrect. Melih does that, he is claiming the articles is incorrect due to the advanced nature of it that is not fully understood by the people writing them.

hence spreading some misinformation.. Spreading misinformation is not okay in my opinion no matter what you write about..

There's no misinformation on Corrine's blog entry, Monkey. Please re-read her blog. I have re-read it but I see no misinformation there.

Quote

(with he you are referring to Melih I suppose?)

Its a difference to listen and being a slave to peoples opinions. If some users lets say me and Charlie told you to make the CoF site Red and host some porn along with the calendar would you do it? Probably not, since you are incharge and have to weed out Ideas you don't believe will help CoF for the better.

Melih has answered you guys and he has read topics in this forum as well. You can't seriously claim he did not lissen? He has given personal answers to Corrine, Data as well as to you Donna..

Don't you think he has to hear and read some of your content to do that? Maby he just didn't like the ideas, like you might not like having a red porn site as suggested by me and Charlie in my theorized scenario.

No, I'm not referring to his answers over this topic. See my answer to Corrine again. I talked about Ask.com Toolbar when I wrote "He should know that we are not happy to see the list of products to not to recommend to grow but rather we're looking forward to see security vendors to listen.". I wrote that he did not listen because he really did not listen to the feedback of his own customers or end-users of Comodo products. Most feedback they gave is Comodo should not even partner with IAC/Ask, Comodo should not even added a toolbar in his programs.
Did Melih listened to those feedback? Oh! yes, he did. He plan to remove Ask.com Toolbar in CIS but have released HopSurf which is IAC/Ask again. As you can see there are users who are confused. They thought HopSurf is not Ask Toolbar but a new whole product by Comodo with no Ask/IAC partnership.

Quote

The DV certificates don't work like that (for anyone), there is no human checking that's why they are so cheap and also easy for bad guys to get hold of. DV just means that the certificate is issued after a Domain Validation.. It is what it is Domain Validation, not organisation validation or extended validation....

I know that DVs don't work like that and I never questioned how certs work but was surprised on his response that he is against DVs and yet he continue to issue due to money and competition. No human validation, right but what about his desktop security program that he is offering? I already said earlier:

Step 1. Comodo provided DVs. Done.
Step 2. Comodo have malware research team. Detects example Rogue Product from example.com domain
Step 3. Malware Research Team check the source of the rogue, example.com domain. They will notice the rogue is using Comodo's DV cert.
Step 4. Malware Research Team will alert the Cert Team of Comodo. Revoke the cert.
Done--> MVP Mike or others will not even mention Comodo's name if no Comodo cert was found when anyone is researching on malware.

But it have to be another person, (MVP Mike) to report since Winfixer days and up to now... it's happening. Comodo continues to issue certificates to malware. For what? To not lose customers? To compete and the poor people infected / victimized by rogue products since they saw that cert is OK and to be trusted?
Why on first alert, 2nd alert... Melih and his company did do not anything to prevent what Mike have discovered again? Mike wishes that Comodo will do their own research to prevent it from happening again (since Mike is fully aware that Comodo have another service or resources to do their own research by the means of detecting malware and that research team should do the job in finding out which of them are using DVs by Comodo)

Godaddy and Verisign do not have to do the Step 2 to 4 because they don't claim and offer what Comodo is claiming. We don't have to make comparison here on what is OV, DV and other certs because this is not what all about. I'm becoming repetitive already. And I think I and others have described already what is the problem. There's 2 services here that Comodo should be working on to make their cert not associated at all to malware/rogue distributors.

This is why some people in other forums have asked... if Comodo is the only one who does that. And the answer is clear... yes. That's a big role that Comodo have taken and this is their responsibility to handle for issuing any cert to known malware distributor. It's quite possible for Comodo to stop the cert association using their name if they only do their work.

[Monkey]

Charlie, on May 18 2009, 12:34 PM, said:

Again I say it's all about the money, as Melih tosses our security into the wind. I wonder also why he sent a monkey to do his job, have you asked you self this question Monkey. yes Donna I also see it as Melih playing games instead of repair his major flaw. His certificates are now "Ask only" here and may be deleted all together or blocked. Enough people do this and his customer base will take notice

Well to be honest many companies does stuff "for the money", why is it bad if comodo needs money as well? I was not sent by Melih I joined here and post by free will, not course Melih asks me to.

Charlie I don't think you see the whole picture.. Comodo is NOT a solo Certification Authority to host DV certificates. ALL CERTIFICATION AUTHORITIES have those certificates. Its an INDUSTRY problem. the whole industry has this.

They are all as bad, the whole industry need to change.. Maby you should consider removing GoDaddy, verisign as well with a whole bunch of Certification Authorities.. And be consistent in your strive against weak malware certificated sites, don't belive a malware can't be hosted on other certified sites.

Comodo has had suggestions since many years ago to raise the standards.. Even dropping weak certificates.. Unfortunately the competitors is preventing this from happening, namely GoDaddy and verisign (the major issuer of weak DV certificates..) Maby you guys should lobby against them some as well..?

Data, on May 18 2009, 01:15 PM, said:

What does CoF mean?

I meant CoU (Calendarofupdates) ofc.. A small typo there by me.. =)

Data, on May 18 2009, 01:15 PM, said:

You don't need to understand the technicalities of a subject to know the core values. e.g. I don't understand the workings of the law, yet i know it's wrong to take somebody's property.
By the same logic, I know nothing about the workings of certificates, yet I know they are an indicator of trust. So when a certificate is bestowed on an entity I would not trust to any extent, by a company that claims to be in place to combat this, and is actively engaged in fighting the very people these certificates are going to, it's obviously wrong, and I have to question it. The fact Comodo are at it makes the effect that much worse.

Understand as well that this is a industry problem. Verisign and similar need to agree on a higher standard comodo can't drive this alone. At least comodo is suggesting higher standards and stuff, thats more than what you can say about most of them..?

[Donna]

To update this topic. MVP Mike made a follow-up post on the subject:

http://msmvps.com/blogs/hostsnews/archive/...18/1692604.aspx

Edit: he posted the email (as screenshot). He send the email on April 21, 2009 about this particular malware/rogue on his first blog but Comodo did not respond.
But the reply came today (when it goes public) after the email got buried for nearly 1 month.

[Monkey]

@donna what exactly is it comodo promises that you see they don't deliver when it comes to certificates?

And is this exactly what you want comodo to do prior to giving out a certificate:

Quote

Step 1. Comodo provided DVs. Done.
Step 2. Comodo have malware research team. Detects example Rogue Product from example.com domain
Step 3. Malware Research Team check the source of the rogue, example.com domain. They will notice the rogue is using Comodo's DV cert.
Step 4. Malware Research Team will alert the Cert Team of Comodo. Revoke the cert.
Done--> MVP Mike or others will not even mention Comodo's name if no Comodo cert was found when anyone is researching on malware.

[Donna]

So we got the reply by Mike on Melihs responses on this issue.
Quite obvious that his team is not doing the work they are promising to users. To trust who carry's Comodo certs and to trust that their malware research team is hunting, preventing malware (who should've done the work for their cert team also LOL)

[siljaline]

Great thread, Folks ! Most interesting.

[Monkey]

Look what he says here:

Quote

however I was asked to keep it quiet.

And then his follow up story:

Quote

Well as I stated in my previous post I sent an email on 04-21-09 alerting Comodo and never received a reply

I don't get it to add up, its possible I missed something.. But he was told to shut up but he did not receive any reply??

=S

[ColdinCbus]

Monkey, on May 18 2009, 09:24 AM, said:

Look what he says here:

Quote

however I was asked to keep it quiet.

And then his follow up story:

Quote

Well as I stated in my previous post I sent an email on 04-21-09 alerting Comodo and never received a reply

I don't get it to add up, its possible I missed something.. But he was told to shut up but he did not receive any reply??

=S

I think they are referring to Comodo asking him to use the e-mail to report and not post publicly.

[Donna]

Monkey, on May 18 2009, 05:05 AM, said:

@donna what exactly is it comodo promises that you see they don't deliver when it comes to certificates?

And is this exactly what you want comodo to do prior to giving out a certificate:

Quote

Step 1. Comodo provided DVs. Done.
Step 2. Comodo have malware research team. Detects example Rogue Product from example.com domain
Step 3. Malware Research Team check the source of the rogue, example.com domain. They will notice the rogue is using Comodo's DV cert.
Step 4. Malware Research Team will alert the Cert Team of Comodo. Revoke the cert.
Done--> MVP Mike or others will not even mention Comodo's name if no Comodo cert was found when anyone is researching on malware.

You know... Comodo know what they need to do. The above is an example. First, cert is given to someone by them or by their reseller. Their AV team found a malware. The AV team checked the domain or source of malware and discovered it is using Comodo cert. That's the time they can revoke the cert.

Don't you see Monkey that they are not doing what they should be doing responsibly. The issued cert and that's it.. they forget it because they got the money already.
Their desktop security software is another resource for them to find out who's who and who's not allowed to use whatever cert they sell.

Quote

And is this exactly what you want comodo to do prior to giving out a certificate:

How on earth they will revoke without proof that it is misused? Well, they have to have do their homework just like what MVP Mike and other researchers are doing.

[mvdu]

Of course I have used Comodo, Monkey. What are you talking about? While I don't expect it to act like a baby, there's a difference between that and earning my trust. I found your reply a little insulting.

Thanks for the welcome, Donna!

This post has been edited by mvdu: 18 May 2009 - 02:33 PM

[sded]

A note on handling these DV certificates. Based on a previous discussion at http://www.dslreport...remark,21634814 I set up Opera to warn me whenever a site used a Comodo supported (mainly UTN) certificate. Since there are other sources for DV certificates, this was really just an attempt to get an idea of the spread of the problem. I actually don't go to a lot of sites where I see DV certificates. Using Opera makes the whole thing simple to monitor in general. The padlock on the tab bar (view/toolbars/customize/buttons/browser view/security) has a number in it indicating the class of the certificate. If you want serious validation, look for a 3. With a 1, you have a DV, which does encryption but is not validated. If you click on the padlock, you get more information. The attached is for the Comodo Forums, which use a DV, and gets the popup shown indicating the site is not really secure. Other browsers probably do something similar, but Comodo certs currently have no more trust than Verisign, GoDaddy, or anyone else, even with an active malware group that watches for malicious sites.

Attached thumbnail(s)

• 

Attached image(s)

• 

This post has been edited by sded: 18 May 2009 - 05:03 PM

[Charlie]

Monkey, on May 18 2009, 07:59 AM, said:

Charlie I don't think you see the whole picture..

They are all as bad, the whole industry need to change.. Maby you should consider removing GoDaddy, verisign as well with a whole bunch of Certification Authorities.. And be consistent in your strive against weak malware certificated sites, don't belive a malware can't be hosted on other certified sites.

I might do that if they were in the "Security Software Business" and issuing these certificates to the malware publishers as Comodo did. Now I DO NOT trust any Comodo issed cert

Wasn't send, but you have Melih's ear and use his voice for him, is this correct?

[hayc59]

That copy of Mikes e-mail is an eye opener for sure!! wow is all I can say

[Charlie]

Donna, on May 18 2009, 08:02 AM, said:

http://msmvps.com/blogs/hostsnews/archive/...18/1692604.aspx

Appears as if someone has a problem with the truth here, doesn't it. Little white lies will bury the one time giant

[Donna]

Some people at BBR and other forums also don't want Comodo anymore because of these issues:

1. Comodo partnered with IAC/Ask - embraced the toolbar. Serve people with Ask.com and now HopSurf. Oh! Remove detection on this thing that BOClean used to detect.

2. Comodo took advantage of people's trust: Giving away freeware software. Include what they want to include to earn money. No one, nobody asked any vendors to give free software. It's them who gives and release or made a free software available. When this free software become hit/popular, they take advantage by saying to help us develop... we inserted third party toolbar or created a toolbar.. Why end-users have to deal with it? There is so much for security software to focus (malware detection, improving removal process done by their products, malware research, shutdown malware domains etc) but their focus is somehow shifted on how to take advantage of people's trust. Note again, that no one told them to provide free edition of their products. They give it away for free.

3. Comodo disagreed with Softpedia's flagging on CIS as adware. So what is CIS actually? It's freeware with PUPs and maybe adware/spyware -- depending on how inclusion and detection policy was created. They disagree since they have their own "detection policy on Adware/Spyware/PUPs"? Then why BOClean who is flagging Ask products as bad is no longer detect it ever since they partner. Who have double-standard? Softpedia or Comodo?

4. Now this controversy: Comodo continues to issue certs to known malware. MVP Mike is right... Comodo is aware since Winfixer days that their cert is misused by malware domains. Comodo should have done something to prevent this. But nope, they will wait until someone like MVP Mike to alert them or someone like Alex of Sunbelt Software to alert them. Community works like that, right? Alert one another but it'll be great if Comodo guys will take it as community work but in the end, they questioned the ethics and measure the ability and knowledge of people who is trying to explain what is going on for weeks and months.

Symantec have bad move also: Suddenly remove the detection of IAC/Ask. Partner with IAC/Ask. Bundle Ask Search Assistant on new installer. Push it as patch. Viola! big money (not only new downloads or install will give them money but existing users of Norton products get it since it's a patch). They took advantage of people's trust on their service and detection. They mislead people that it's the way to prevent malware using Ask Search Assistant.

Webroot, BitDefender, StopZilla and ZoneLabs did the same. To mislead people and take advantage of people's trust.

Let us see if another security software vendor will bite. I wonder if they pushes this unwanted stuff to their corporate customers? if they don't... then the target is the poor end-users whom they consider as easy target.

[danny9]

Donna, on May 18 2009, 08:46 PM, said:

Some people at BBR and other forums also don't want Comodo anymore because of these issues:

1. Comodo partnered with IAC/Ask - embraced the toolbar. Serve people with Ask.com and now HopSurf. Oh! Remove detection on this thing that BOClean used to detect.

2. Comodo took advantage of people's trust: Giving away freeware software. Include what they want to include to earn money. No one, nobody asked any vendors to give free software. It's them who gives and release or made a free software available. When this free software become hit/popular, they take advantage by saying to help us develop... we inserted third party toolbar or created a toolbar.. Why end-users have to deal with it? There is so much for security software to focus (malware detection, improving removal process done by their products, malware research, shutdown malware domains etc) but their focus is somehow shifted on how to take advantage of people's trust. Note again, that no one told them to provide free edition of their products. They give it away for free.

3. Comodo disagreed with Softpedia's flagging on CIS as adware. So what is CIS actually? It's freeware with PUPs and maybe adware/spyware -- depending on how inclusion and detection policy was created. They disagree since they have their own "detection policy on Adware/Spyware/PUPs"? Then why BOClean who is flagging Ask products as bad is no longer detect it ever since they partner. Who have double-standard? Softpedia or Comodo?

4. Now this controversy: Comodo continues to issue certs to known malware. MVP Mike is right... Comodo is aware since Winfixer days that their cert is misused by malware domains. Comodo should have done something to prevent this. But nope, they will wait until someone like MVP Mike to alert them or someone like Alex of Sunbelt Software to alert them. Community works like that, right? Alert one another but it'll be great if Comodo guys will take it as community work but in the end, they questioned the ethics and measure the ability and knowledge of people who is trying to explain what is going on for weeks and months.

Symantec have bad move also: Suddenly remove the detection of IAC/Ask. Partner with IAC/Ask. Bundle Ask Search Assistant on new installer. Push it as patch. Viola! big money (not only new downloads or install will give them money but existing users of Norton products get it since it's a patch). They took advantage of people's trust on their service and detection. They mislead people that it's the way to prevent malware using Ask Search Assistant.

Webroot, BitDefender, StopZilla and ZoneLabs did the same. To mislead people and take advantage of people's trust.

Let us see if another security software vendor will bite. I wonder if they pushes this unwanted stuff to their corporate customers? if they don't... then the target is the poor end-users whom they consider as easy target.

Nicely said Donna and a very interesting thread.
I ran CIS but no more.
I have to think that the Security Co. is doing and trying to do the right thing.
The Trust factor which no longer exists with Comodo.

Correct me if I'm wrong but if I remember right there were several threads on the forums about their eula also a few years back.
Irregardless I hope that this shines a bright light on Comodo so that all can see what is going on there.

My business is going to stay with Online Armor and WinPatrol.
Two companies who value the trust of their users more and refused to play the toolbar game!

[hayc59]

Hello Dan and welcome to COU

[Data]

Donna said:

existing users of Norton products get it since it's a patch

That's diabolical!

Hey, they got quite a collection of members at the cab forum.... Everybody, I think.
http://www.cabforum.org/

You can't actually see any sort of forum, and this is a bit past tense:

Quote

Many browser suppliers plan to provide support for extended validation certificates (EV SSL Certificates) some time during 2007.

This post has been edited by Data: 19 May 2009 - 01:59 AM

[Monkey]

Charlie, on May 18 2009, 03:50 PM, said:

Monkey, on May 18 2009, 07:59 AM, said:

Charlie I don't think you see the whole picture..

They are all as bad, the whole industry need to change.. Maby you should consider removing GoDaddy, verisign as well with a whole bunch of Certification Authorities.. And be consistent in your strive against weak malware certificated sites, don't belive a malware can't be hosted on other certified sites.

I might do that if they were in the "Security Software Business" and issuing these certificates to the malware publishers as Comodo did. Now I DO NOT trust any Comodo issed cert

Here is a example of one of the "Certificates authorities" you "probably" trust:

http://blogs.pcmag.com/securitywatch/2007/...ned_malware.php

As you can see this "accidentally selling certificates to people hosting malware" is not a comodo specific issue. Verisign even signed the freaking FILE that was a malware.

Seriously guys, try to avoid the partial/baised nonsens. What you guys have said in this thread is that you trust anyone that host malware except comodo.. And all should have the right to sell DV certificates with little to no checking, except comodo.. Thats pure double standard in my eyes..

I know some of you guys probably dislike the free software CIS and maby prefer a other security suite like norton 360 or avira or outpost, but thats an whole different topic..
The certificates has nothing to do with that.. And as Donna probably is aware comodo has done and is doing what it can to get the DV certificates gone or at least raise the standard on them..

However you can't demand comodo to do more checkings than any other when issuing a weak certificate. Thats not fair. And people like donna understands that that will make it expensive and isn't really a realistic solution.. The industry as a whole must do something..


Here is just a reminder of some of the stuff comodo is actually doing to improve on those DV certificates and fight sites with malicious content that has gotten a certificate:

1) Comodo explain to a wider extent than its competitors why buyers should go for something else than DV certificates (the one commonly use by malware sites) why DV is no good and about its weaknesses.

2) Comodo is pushing for the site www.ccssforum.org to help early reporting and disclosure when malicious activity is seen on any certified site certified by any vendor (certification authority).

3) Comodo is suggesting a higher minimum standard for DV certificates.

4) Comodo has tried the way of not selling DV certificates, unfortunately they could not go around that way. And people get DV certificates anyway, at least if they get it from comodo they will get proper info as to why they "should" pick something else..

5) Comodo do not tolerate malicious content on any of its certified sites, certified sites will "most likely" lose their certificate directly once comodo get the info that a certified site is used to host a fake antivirus or whatever..