Sunday, May 17, 2009

Another Comodo Controversy

Once again Comodo garners the attention of the security community. The latest issue came to light when Consumer Security MVP Mike Burgess reported that Comodo continues to issue certificates to sites serving known malware.

Melih Abdulhayoglu, the President and CEO of Comodo, points a finger at Verisign and GoDaddy, but contends that the difference is that the certificate in question is a DV (Domain Validation) certificate:
"As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!

Some people claim that DV certs have a place for just encryption for a site that has a pre-established trust, but that only happens if the user types https://www....... and goes to the site... if the user types http://www... and then clicks on a link, then there is no trust as you can't trust this site in the first place because it's not validated (it's just http).

So the problems that DV certs have caused have ranged from phishing sites being secured with SSL to malware sites having a DV cert!"
He goes on to explain in a further forum reply:
"Comodo cares for their security, so when someone gets a DV cert from Comodo, we do try to explain to them it is important that they get a higher validation certificate like OV (Organisation Validation) or EV (Extended Validation). This way at least we can convert some of the people who would have bought DV into validated customers."
So, what does this indicate? According to Melih, DV certs should not exist. Yet Comodo still issues them, as an opportunity to convert those customers to certificates that do require validation.

Edit Note: Paragraph Break added for clarification.

I decided to take a look at Comodo's website. According to the Comodo "Cost Saving & Product Comparisons Calculator", regardless of the product being purchased, it takes only one hour for Comodo to provide validation for an SSL certificate, compared to 3-7 days for the other vendors. Note also that "Company Legitimacy" is listed as something Comodo provides (a copy of the calculator image accompanied the original post).
Check the other provider/product comparisons on that page and you will find similar results. A one-hour turnaround is consistent with domain validation, which checks only that the requester controls the domain name (typically by answering an e-mail sent to an address at that domain), not who the requester is or whether the business behind the site is legitimate. Verifying an organization's identity for an OV or EV certificate is what takes the extra days.
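How much a certificate actually vouches for can be read from the certificate itself. The following shell script is an added example, not something from the original post or from Comodo: it classifies a PEM certificate as DV, OV or EV using only the openssl command-line tool. It assumes openssl 1.1.1 or later is on the PATH, and it uses the CA/Browser Forum policy identifiers (2.23.140.1.2.1 for domain-validated, 2.23.140.1.2.2 for organization-validated, 2.23.140.1.1 for extended validation), which were standardized after this post was written; for certificates that carry none of them it falls back to the Subject and treats a certificate with no O= (organization) attribute as domain-only. The helper that produces self-signed sample certificates generates constructed test data, not certificates from any CA.

```shell
#!/bin/sh
# Added example: report the validation level (DV / OV / EV) a certificate
# asserts. Not code from the original post or from Comodo. Assumes openssl
# 1.1.1+ is on PATH. Policy OIDs are the CA/Browser Forum identifiers
# (defined after this post was written): 2.23.140.1.2.1 = domain-validated,
# 2.23.140.1.2.2 = organization-validated, 2.23.140.1.1 = extended validation.
set -eu

# Print DV, OV or EV for the PEM certificate in $1.
# Policy OIDs, when present, state what the CA verified and take precedence;
# otherwise an O= (organization) attribute in the Subject is taken to mean the
# CA vouched for an organization, and a Subject with only a CN means domain-only.
cert_validation_level() {
    pem="$1"
    # "Policy: <oid>" lines; empty if the extension is absent or openssl is old.
    policies=$(openssl x509 -in "$pem" -noout -ext certificatePolicies 2>/dev/null || true)
    # RFC 2253 form, e.g. "subject=O=Example Ltd,CN=shop.example.test"
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)

    if printf '%s\n' "$policies" | grep -q 'Policy: 2\.23\.140\.1\.1[[:space:]]*$'; then
        echo EV
    elif printf '%s\n' "$policies" | grep -q 'Policy: 2\.23\.140\.1\.2\.2[[:space:]]*$'; then
        echo OV
    elif printf '%s\n' "$policies" | grep -q 'Policy: 2\.23\.140\.1\.2\.1[[:space:]]*$'; then
        echo DV
    elif printf '%s\n' "$subject" | grep -Eq '(^|[=,])O='; then
        echo OV
    else
        echo DV
    fi
}

# Make a self-signed PEM certificate as constructed sample data (not a
# certificate from any real CA). $1 = output file, $2 = subject in OpenSSL
# slash form, $3 = optional policy OID to embed in certificatePolicies.
make_sample_cert() {
    out="$1"; subj="$2"; oid="${3:-}"
    if [ -n "$oid" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -keyout "$out.key" -out "$out" \
            -addext "certificatePolicies=$oid" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$subj" \
            -keyout "$out.key" -out "$out" >/dev/null 2>&1
    fi
}

# Usage: sh certlevel.sh cert1.pem [cert2.pem ...]
# With no arguments, classify three constructed samples instead.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        echo "$f: $(cert_validation_level "$f")"
    done
else
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/dv.pem" "/CN=shop.example.test"
    make_sample_cert "$tmp/ov.pem" "/CN=shop.example.test/O=Example Shop Ltd"
    make_sample_cert "$tmp/ev.pem" "/CN=bank.example.test/O=Example Bank" 2.23.140.1.1
    for f in dv ov ev; do
        echo "$f.pem: $(cert_validation_level "$tmp/$f.pem")"
    done
    rm -rf "$tmp"
fi
```

An O= attribute in the Subject is only a fallback heuristic for older certificates: when a policy OID is present it states what the CA actually verified, and the script lets it override the Subject, so a certificate that names an organization but carries the domain-validated OID is still reported as DV. A DV result means nothing was checked beyond control of the domain name, which is exactly the gap discussed above.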

Moving forward, Melih has now reported that the certificates relating to the site have been revoked. The discussion continues, however, with Comodo supporters questioning why there are not similar complaints about Verisign and GoDaddy. As Consumer Security MVP Donna Buenaventura wrote about Comodo in her article, Making a boo boo, Can't beat them, Join them?:
"do you think it's a two-faced security vendor (for offering security service/product and at the same time, certifying a malicious site/service to be noticed/make money)"
The question still remains as to why Comodo chose to ignore Mike Burgess' notification that malware was being served from rapid-antivirus2009. com under a Comodo-issued certificate, and then reissued a new certificate to the site. As Mike went on to say:
"Comodo is supposed to be one of the good-guys ... and they even describe themselves as "Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider" ... however I have been reporting on them since the WinFixer days and it seems it just falls on deaf ears ... and now that they bundle the Ask Toolbar it really makes you wonder ...?"


Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

7 comments:

Anonymous said...

It's too bad about Comodo. They make such a spectacular product (Firewall), and seemed to be one of the really good corporate actors. The CEO posts to their community forum, they have pretty good forum support, etc.

But, for a while now they have been pushing the ethical line, IMO. Some would say they are at that line. Since they are a security company, I think they have crossed it, on at least a few occasions.

When you get a big payoff by blurring that line, it's easy to try and rationalize bad behavior, I suppose. I no longer use any of their products, and refuse to recommend them to anyone.

Anonymous said...

Hello, I suggest you read this comment by Comodo's CEO.

https://forums.comodo.com/general_discussion_off_topic_anything_and_everything/comodo_continues_to_issue_certificates_to_known_malware-t39564.0.html;msg287266#msg287266

Corrine said...

Thank you for the link to Melih's comments.

Melih is correct that I am certainly not an expert on certificates. In fact, that was why I provided links to Global Sign (What are the types of SSL Certificate available) and Network Solutions (How Does an SSL Certificate Provide Website Security?) both of which provide a definition of Domain validated (DV) SSL Certificates.

A paragraph break has been added to the original post to remove the confusion that I was referring to a particular type of SSL Certificate. Rather, as I stated, I decided to visit the Comodo website. I manually navigated to http://www.comodo.com/, clicked Products > SSL Certificates and from there went to the Cost Saving Calculator.

With regard to my statement, "it only takes one hour for Comodo to provide validation for an SSL Certificate, compared to 3-7 days for the other vendors...", that was specifically based on the information provided by the Comodo Cost Saving & Product Comparisons Calculator (Image copy in the original post). Right or wrong, the implication to me is that perhaps more than an hour is needed in order to determine whether the requester is qualified to receive the Organizationally Validated (OV) SSL Certificate.

Corrine said...

See Mike Burgess' follow-up post: Follow-up to the Comodo Controversy

anu said...

Thank you for the links. I bought an SSL certificate from tucktail. These links are helpful for me.

Anonymous said...

We have been trying to get an SSL certificate from Comodo for over a week now after having paid our money. We have been in business since 2009 and have a digital download that is free of all viruses and malware. They ask for all forms of ID, which we provide; then they want an email from our business specifically for them, which we provide; then they want us to cancel stuff we have already provided. It has turned out to be such a headache. We sell simple CDL practice test software! I'm beginning to think that they are a scam!!

Anonymous said...

The "it only takes one hour for Comodo to provide validation for an SSL Certificate, compared to 3-7 days for the other vendors...", is a complete joke!!! It takes weeks!!!