Comodo continues to issue certificates to known Malware

[hayc59]

Quote:

I was following up on a list of malware sites posted on Dancho Danchev's Blog and yet again I find Comodo issuing certificates to these Malware writers. The reason I say again is I was given a "secret" email address at Comodo a while back to report these culprits ... however I was asked to keep it quiet.

Forum: COU
More Info: MSMVPS Blogs

[sded]

Followup to http://www.dslreports.com/forum/remark,21634814 ? I have Opera set up to warn me if any site tries to use a Comodo sponsored certificate.

[hayc59]

sded, thanks for the additional info

[mvdu]

Quote:

Originally Posted by GiddyUp

Forum: COU
More Info: MSMVPS Blogs

All I can say is - yikes!

[Saraceno]

This 'CoreGuard' tool downloads an installer to the user, then proceeds a longer download, bringing all sorts of junk with it.

With Shadow Defender on, tried to install, but having problems with wireless, so just quarantined the process.

Just a note, once installed, very difficult to uninstall. Tries to connect and download itself again.






Buy page:

The sad thing is that during these hard economic times there will be companies go toe's up,
not as a direct result of the economy,but rather as a result of a "Ends justify the mean's" business model, in response to the economy.
Perhaps Comodo teeters on the brink of such a fate.
So much for "building trust on line""

[danny9]

Quote:

Originally Posted by ypestis

The sad thing is that during these hard economic times there will be companies go toe's up,
not as a direct result of the economy,but rather as a result of a "Ends justify the mean's" business model, in response to the economy.
Perhaps Comodo teeters on the brink of such a fate.
So much for "building trust on line""

"building trust on line"
Between this thread and the ask.com fiasco, Comodo surely has lost mine.
I would like to hear Comodo's side or excuse but I doubt if we will.
That's a shame too because CIS worked so well on my system.
I will find alternatives.
Sometimes things aren't always free.
There is a price to pay.

[Boost]

Just another reason I wont touch any software that has the Comodo name.

Re: Comodo continues to issue certificates to known Malware.

Quote:

Originally Posted by Melih

That's an ssl certificate (not a code signing cert).

Now let me explain the SSL Certificate market....

Until Geotrust came into picture in 2001 all SSL certificates were issued after validating the applicant to make sure they were a legitimate company (just that it existed as a legal entity etc so that the end user had a recourse).

Geotrust "innovated" their way into SSL market by removing this validation process and called it "Domain Validation".. which means the applicant has money and has a domain. And yes you guessed it, this means bugger all in terms of validation!

This allowed Geotrust to issue certificates very quickly to their customers. Of course this caused the end users to falsely trust sites too. One of the reasons why I initiated the CABForum was that this DV certs were eroding user trust in ecommerce by creating false sense of security.

Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs which caused likes of Comodo to offer it as well. If we didn't we would lose customer and the world would have no chance of fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.

As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!

Some people claim that DV certs has a place for just encryption for a site that has a pre-established trust, but that only happens if the user types https://www....... and goes to site... if the user types http://www... and then clicks on a link, then there is no trust as you can't trust this site in the first place cos its not validated (its just http).

So the problems that DV certs have caused has ranged from phishing sites to be secured with SSL to malware sites having a DV cert!

Perhaps it will take end users to start demanding the removal of DV certs from the market place! Cos likes of Verisign and Godaddy are against removing DV certs all together. (Verisign bought Geotrust for $120M two years ago).

Is this the first.. NO
will this be the last... NO

Its time to demand NO MORE DV CERTS!!!!!!!!

End users must start show that they care about their security and demand from their OS providers, Browser providers, Standards organisations that they want proper validation for SSL certs and Domain Validation should be banned!

Thanks

Melih

So... you got $15 in your pocket and a domain, then you can buy an SSL cert...
buying ssl cert is very easy (unfortunately)...

so any malware provider simply goes gets it...

they can get it from Verisign, Godaddy, Comodo etc... so if you are a malware author and have a domain you can buy an SSL.

Cheers,
Josh

Quote:

Originally Posted by ssj100

Interesting. I think that explanation basically rules out any wrong doing from Comodo.

That said thing is: endusers don't understand it, Including my self, Because they see a DV Certificate on a website and think it's legitimate. Geotrust removed validation process and named it DV... And ANYONE can then buy a DV. Then Comodo, etc were forced to do the same.

Cheers,
Josh

[Einsturzende]

maybe mr. sded will now remove all certification authorities from his browser?

It's an issue... This isn't first time either. DV should be banned, Validation process should be carefully re constructed by CA's.

As for Rouges... Just... EWWWW...

Cheers,
Josh

[danny9]

Quote:

Originally Posted by ssj100

Interesting. I think that explanation basically rules out any wrong doing from Comodo.

Does it really?
Does Kaspersky, Online Armor, Avira, Outlook etc. do the same thing or is it just Comodo?
This is what I'd like to find out.

[Eice]

Quote:

Originally Posted by danny9

Does it really?
Does Kaspersky, Online Armor, Avira, Outlook etc. do the same thing or is it just Comodo?
This is what I'd like to find out.

Considering how those companies you listed aren't in the certificate business at all, I doubt it.

[Boost]

Quote:

Originally Posted by danny9

Does it really?
Does Kaspersky, Online Armor, Avira, Outlook etc. do the same thing or is it just Comodo?
This is what I'd like to find out.

Funny thing is,all the controversy comodo generates and we're supposed to believe everything is fine,especially these days with rogue software applications popping up every day,nope I'm not convinced at all. Comodo's reputation is hardly anything to be proud of.

Do Verisign,Godaddy or Geotrust offer end user security programs?
Its really the Ask thing again
Its OK to be a criminal defense lawyer.
Its OK to be a prosecutor.

To be doing criminal defense work,while employed as a prosecutor has at least the appearance of impropriety.

It is OT, but look at SpywareTerminator.
not that they do not have other problems, but the
crawler toolbar is still an albatross for them,and this long
after Crawler is supposed to have reformed.

[Kees1958]

Quote:

Originally Posted by Melih

Geotrust "innovated" their way into SSL market by removing this validation process and called it "Domain Validation".. which means the applicant has money and has a domain. And yes you guessed it, this means bugger all in terms of validation!

This allowed Geotrust to issue certificates very quickly to their customers. Of course this caused the end users to falsely trust sites too. One of the reasons why I initiated the CABForum was that this DV certs were eroding user trust in ecommerce by creating false sense of security

Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs which caused likes of Comodo to offer it as well.

Two things
1) understable, not good, but as worse as their competitors

b) What a marketing misser, let me explain

Quote:

Originally Posted by Melih

If we didn't we would lose customer and the world would have no chance of fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.

SO they issue only a very small number, for $15 each. So for a small profit share they risk to negatively associate their other business initiative: security software. Remember they must have invested serious money in developing freeware FW/HIPS/AV.

So in stead of seeking public attention/free publicity with the fact that other companies show bad practise/have bad company norms and values. They could have had a massive USP as being the only trusthworthy company in that field. After all it is only a small income of te Comodo company those DV certificates!

Imagine what a nice scoop this would be for PC magazines, on-line magazines and possibly even popular tabloids?

Comodo can change their tag line, from making available security for everyone to applying web / e-business deciet for everyone!

Boy the marcom department of Comodo is really a bunch of empty heads.
a) profit of being as bad as the competitors is problably less then the investements made in CIS (scenario being as bad as the competition, can damage our investments in CIS)
b) value of free publicity problably exceeds loss of income of those DV certificates (scenario Comodo being more thrustworthy as its competitors)

[Eice]

Quote:

Originally Posted by ssj100

Interesting. I think that explanation basically rules out any wrong doing from Comodo.

lmao?

Comodo jumps into the practice of issuing security certificates to MALWARE DOMAINS, just because it wants a share of the big buck$$$ that VeriSign and GoDaddy were raking in from doing so. Instead of being the one CV company that refuses to consort with malware writers, Comodo decides that the $$$ is more important. Very innocent and online trust-building indeed.

I'm looking forward to the comedy that their clown of a CEO is inevitably going to spew out to justify his company's actions.

[Kees1958]

Quote:

Originally Posted by Eice

lmao?

Comodo jumps into the practice of issuing security certificates to MALWARE DOMAINS, just because it wants a share of the big buck$$$ that VeriSign and GoDaddy were raking in from doing so. Instead of being the one CV company that refuses to consort with malware writers, Comodo decides that the $$$ is more important. Very innocent and online trust-building indeed.

I'm looking forward to the comedy that their clown of a CEO is inevitably going to spew out to justify his company's actions.

Eice that is the stupid thing about it, Comodo only issues few DV certificates! So it is not for big bugs, but for change money.

[Eice]

Quote:

Originally Posted by Kees1958

Eice that is the stupid thing about it, Comodo only issues few DV certificates! So it is not for big bugs, but for change money.

Then again, sometimes you really have to wonder. The malware guys are making money by the truckload, and I don't think they'd hesitate to pay "special" rates for a certificate for their domain.

Wonder what's coming next: D+ subtly allowing malware by default, and Comodo getting paid for each installation?

[Eice]

Quote:

Originally Posted by ssj100

I don't think that will happen, because then their software will be obselete. It will be detected as malware by those amazing scanners (and very very trusted vendors) like Avira, MBAM, SAS and others haha.

Simple. Just have Melih take the grandstand, claim that it's a bug in D+, and dramatically promise that it'll be "looked into" and "fixed immediately in the next version". Or just have him spew whatever crap he wants, or even threaten to sue Avira/MBAM/SAS, it's not like the Comodo fanboys have ever doubted whatever outlandish poo he spouts anyway.

Meh, hopefully someone else going to continue posting Melih's responses here or link to them. I'm kind of not enjoying the idea of having to wade into the Comodo forums to get my dose of Melih comedy.