Once again Comodo garners the attention of the security community. The latest issue came to light when Consumer Security MVP Mike Burgess reported that Comodo continues to issue certificates to known Malware.
Melih Abdulhayoglu, the President and CEO of Comodo, while pointing a finger at Verisign and Godaddy, contends that the difference is that the certificate in question is a DV (Domain Validation) Certificate:
"As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!"
He goes on to explain in a further forum reply:
"Some people claim that DV certs have a place for just encryption for a site that has a pre-established trust, but that only happens if the user types https://www....... and goes to the site... if the user types http://www... and then clicks on a link, then there is no trust as you can't trust this site in the first place cos it's not validated (it's just http).
So the problems that DV certs have caused have ranged from phishing sites being secured with SSL to malware sites having a DV cert!"
"Comodo cares for their security, so when someone gets a DV cert from Comodo, we do try to explain to them it is important that they get a higher validation certificate like OV (Organisation Validation) or EV (Extended Validation). This way at least we can convert some of the people who would have bought DV into validated customers."
So, what does this indicate? According to Melih, DV Certs should not exist. Yet, Comodo still issues them to provide an opportunity to convert customers into other certificates that require validation.
Edit Note: Paragraph Break added for clarification.
I decided to take a look at Comodo's website. Yes, I see, according to the Comodo "Cost Saving & Product Comparisons Calculator", regardless of the product being purchased, it only takes one hour for Comodo to provide validation for an SSL Certificate, compared to 3-7 days for the other vendors. Note that "Company Legitimacy" is also listed as provided:
Check the other provider/product comparisons on that page and you will find similar results.
Moving forward, Melih has now reported that the certificates relating to the site have been revoked. The discussion topic continues, however, with Comodo supporters questioning why there are not similar complaints about Verisign and Godaddy. As Consumer Security MVP Donna Buenaventura wrote about Comodo in her article, Making a boo boo, Can't beat them, Join them?:
"do you think it's a two-faced security vendor (for offering security service/product and at the same time, certifying a malicious site/service to be noticed/make money)"
The question still remains as to why Comodo has chosen to ignore Mike Burgess' notification of malware being served by a Comodo issued cert to rapid-antivirus2009. com and subsequently reissued a new certificate. As Mike went on to say:
"Comodo is supposed to be one of the good-guys ... and they even describe themselves as "Internet security software products including SSL certificates and Free Firewall Antivirus software among others from Comodo, a leading global trust provider" ... however I have been reporting on them since the WinFixer days and it seems it just falls on deaf ears ... and now that they bundle the Ask Toolbar it really makes you wonder ...?"
- Comodo continue to issue certificates to known Malware (Calendar Of Updates)
- Comodo continues to issue certificates to known Malware (Comodo Forum)
- Comodo continues to issue certificates to known Malware (Hosts News)
- Comodo continues to issue certificates to known Malware (Wilders Security Forums)
- How Does an SSL Certificate Provide Website Security? (Network Solutions)
- Making a boo boo, Can't beat them, Join them? (Calendar Of Updates)
- REMOVE Comodo Certificates from FireFox, Opera!!! (dslreports.com)
- What are the types of SSL Certificate available (Global Sign)
Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...