  hayc59 VoodooChild Premium join:2001-02-26 David R.I.P.
| reply to hayc59 Re: Comodo continues to issue certificates to known Malware
Criminals using Comodo to attempt legitimacy
For most of this month there has been a discussion over the business practices of Comodo, the company who along with free security software offers SSL certificates for online businesses. The discussion is not that they offer SSL certificates, it is that they offer them to criminals as well as legit businesses, with little to no checks during the process or once the certificate is in place. Most were unhappy that it took Comodo so long to respond to the issue itself. »www.thetechherald.com/article.ph···gitimacy -- ãrê ¥Øu êxpêriêncêD Microsoft® MVP Consumer Security 2007-09 "Greater love has no one than this, that he lay down his life for his friends." 9/11/01 Never Forget |
|
  DigitalBizPerp
@rr.com
| reply to Daniel Re: A basic flaw in X.509?
I'm not sure I'd add to X.509, but certainly having a "digital business bureau" that can attest to good business practices would be helpful.
If a CA is found to be untrustworthy, then I remove them from my root CA list. So far, only COMODO has left the building.
For example, as of 2007/2008 VONAGE is no longer a BBB member due to multiple unresolved complaints. But there seems to be no technical/automated mechanism for checking a domain name against BBB membership (or I'd have seen a browser add-on already, wouldn't I?)
I'd be far more likely to trust a business certified by two CAs in different jurisdictions than one that was only certified by Verisign, for example. |
|
  Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| reply to sivran Re: Comodo continues to issue certificates to known Malware
Of course there should be a trust.
I trust Comodo's firewall but not their AV. I let Avast handle that side of security.
This is a world full of companies and individuals that do well in one area and fail miserably in other areas. The key is to be able to distinguish between the two. -- Facts not FUD. |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| reply to Grail Knight said by Grail Knight :
I will still use Comodo Firewall until it is proven that there is something amiss w/ it. I can think of numerous companies where one part or division screws up while the rest of the company cranks out excellent products.
I realize that. Office 2007 is fairly nice (IMO, anyway), while Windows Vista is nigh intolerable (IMO). Even in Comodo's case, the firewall's pretty good, but their anti-virus is absolutely horrible.
But, shouldn't there also be a trust between the user of a product and the vendor?
I wonder how many with AIG insurance switched to another provider, despite the fact that the insurance division is wholly separate from the much-smaller financial products division. -- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
|
  Nikolai
| reply to hayc59 I want someone to provide proof of a compromised computer that has/had CIS running. Personally I had multiple (total of 12 workstations) running CIS (Firewall + Defense Plus) for the last couple of years with no issues. They run online financial data 24/7 with no compromise of security and/or data theft. Seems that non-granted paranoia is wide spread in this forum. |
|
  dvd536 as Mr. Pink as they come Premium join:2001-04-27 Phoenix, AZ
| reply to sivran said by sivran :
Hmmm. I'm beginning to eye my Comodo Firewall with suspicion. While it may be perfectly fine, I don't really trust the company, or their certs.
Exactly why I'm kicking BoClean to the curb when it craps out, and I was a paid customer back when BoClean was good. -- When I gez aju zavateh na nalechoo more new yonooz tonigh molinigh - Ken Lee |
|
  DonnaB Premium join:2003-05-07 malaysia
| reply to EGeezer Re: A basic flaw in X.509?
Right. There are weaknesses in certificates, and I'm sure we've seen other demos of how bad guys will misuse a cert/validation -- extended or not (thanks BTW for those links).
If only they had just acknowledged the alert and taken action... there'd be no additional controversy on their services. And as already mentioned in another post in this thread, they have security software for end-users, at least, as another means to protect end-users' privacy and security.
Been visiting buy and download links but CIS is still quiet on my downloads. Anyhoo, just another experience on another desktop AV software I guess 
Regards, Donna |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| reply to EGeezer Hmm, I'd say this is a classic problem. How do we know when we can trust someone? Ultimately this isn't something easily solved by technology.
I suppose the main thing we can say is:
• Company x asked for this cert, and they're a real, major company.
• Our CA will sign their cert.
• And we make it known that we only sign certs where we've verified the legitimacy of the company.
But again, it comes down to trusting that CA party to verify the legitimacy of the companies they give certs to. Ultimately, and this is the reality we've been grappling with--you have to trust somebody. -- dmiessler.com -- grep understanding |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
2 edits | reply to DonnaB Donna, thanks for that response! Well written and you answer many of my questions quite well.
Your response triggered memories of a discussion my little group had sometime back about certificates. This whole issue brings up a serious weakness in the X.509 cert itself. It is perceived - and, by implication, marketed - as being a certificate that provides business practice integrity when in fact it is only an encryption certificate that guarantees only that the site to which the user is connecting is the site to which the certificate is registered, and provides an encryption key whereby the client can connect securely to the site.
For example, a certificate may be issued to GoodHands Insurance, but that does not mean that GoodHands is necessarily a reputable or financially sound entity. The certificate only provides that the client is connecting to Goodhands.com's site and doing so through SSL. There exists a need at this point for something more to be added to the certificate standards.
Bottom line, the present X.509 certificate standards are inadequate for the purpose of establishing the legitimacy and trustworthiness as a business. There will need to be another level similar to a Dun & Bradstreet, BBB or ISO set of standards incorporated into the certification process (and probably the X.509 standards) to achieve that feature.
Dan Houser, then of Nationwide Insurance and now with Cardinal Health (as I last recall), gave a presentation at ISSA on just such a process. For those interested, see »www.isaca-centralohio.org/archiv···mbus.pdf
Although Dan's motivation and concern is more geared to the B2B world, it also applies to the issue in this topic - consumer2B transactional connections.
Dan had more to say recently about SSL and certs. Here's another PDF of his that hammers common misconceptions, assumptions and implementations: »centralohioissa.org/images/Feb_2···user.pdf
For you folks serious about the broader issues, these will be interesting. -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis |
|
  hayc59 VoodooChild Premium join:2001-02-26 David R.I.P. | reply to hayc59 Re: Comodo continues to issue certificates to known Malware
Hello Donna, and thanks for posting; that should clear a few thangs up!! |
|
  mers2 Premium,MVM join:2004-03-20 USA clubs: | reply to DonnaB Re: Comodo responses?
Thanks, Donna, for providing the practical demonstration. I have a feeling it's going to take strong public sentiment to get Comodo's attention/action. |
|
  DonnaB Premium join:2003-05-07 malaysia
| reply to EGeezer
1. I just tried installing the latest CIS version (on a test system) with all of its components installed (including Ask.com's stuff). I updated the program prior to visiting the malware/rogue link that has a Comodo cert. Visited xsoftstore.com and clicked on a buy link. Comodo's security desktop application is quiet. It is not revoked yet, even after MVP Mike has shown a screenshot that Comodo has issued certs to this rogue site/buy links. No alert from their desktop security software. I don't see any option that their AV or Firewall will handle that.
2. As per MVP Mike Burgess's blog, he reported it on April 21, 2009.
3. He did, by sending them the notice via email. No response from Comodo until it went public and the good Sunbelt Software CEO alerted Comodo.
4. More than 3 weeks that he waited for action or response from Comodo.
Difference in response and timeframes from other product vendors, including Microsoft: Well, there are steps:
1. Acknowledge/Time frame - Comodo did not acknowledge the email for weeks.
2. Response - It depends how a person will accept the response, but they did respond (including questioning the ethics of the security MVP Mike Burgess).
3. Action - They acted fast as soon as they received an alert from another security vendor's CEO - Alex of Sunbelt. They failed to act on the alert of MVP Mike and, most importantly, they failed to prevent this from happening again even though they are aware of such issues (as per MVP Mike... he's been reporting since Winfixer days).
How it differs with other product vendors is, in my opinion, that other product vendors will not only fix/act/provide a security notice or security response but will try to prevent it from happening again (unless of course there is a mistake in the fixes or another security issue affected an old security issue that was fixed). It depends on the security issue though.
Others may have a different opinion or view or answer to your question.
Regards, Donna |
|
  hayc59 VoodooChild Premium join:2001-02-26 David R.I.P.
| reply to Comodo User Re: Comodo continues to issue certificates to known Malware
said by Comodo User :
Actually hayc59 I used to be an Outpost user till I got fed up with buggy final builds, the closed clique that U call beta testing etc.
You have never ever used Comodo Firewall but all you do is moan & complain about the company, doing the usual Microsoft tactic of spreading FUD.
The reason I say that is you don't complain about the other cert sellers that still sell DV certs, only complain about Comodo.
Nowadays even a lot of paid apps include toolbars (Google, Yahoo, Ask etc) & if folk just blindly click next & they get installed then it's their own damn fault for not reading & checking things.
You don't like matousec testing when it started because he didn't give your beloved Outpost top marks & you have been calling them dishonest & unreliable ever since Comodo got top marks.
At least Comodo engages with the users & listens to questions & suggestions etc, unlike Agnitum that ignore things for the most part; I don't see any Agnitum staff posting in the OP forums.
Plus with Comodo I can disable any call home function, unlike OP that has hard coded rules to download so called news\ads.
I didn't post to start an argument, I only posted cause I have seen over the past few years that you go out of your way to disrespect Comodo even though U don't use it & they have never done anything to you.
You are correct on one and only one issue! For a brief week some time ago, I gave Comodo a whirl when it first hit the scene to test it and found it far inferior to Outpost [and still find it lacking all over] and gave it back as quickly as I took it! I do not disrespect any inanimate object... never have, or could comprehend how a human carbon life form can feel disrespectful to a piece of software!!! I only comment on your post because I find it intriguing at the least... -- ãrê ¥Øu êxpêriêncêD Microsoft® MVP Consumer Security 2007-09 "Greater love has no one than this, that he lay down his life for his friends." 9/11/01 Never Forget |
|
  sded Premium join:2002-11-04 San Diego, CA
·DSL EXTREME
1 edit | reply to hayc59
[Attachments: ssl tray icon; dv ssl warning]
I think the main issue still is that many users think that Comodo as a security company should use its tools to be sure that Comodo as a certificate issuer does not provide/maintain DV certs to malware sites. Comodo has responded that they provide a free tool as a browser add-on that identifies such malicious sites so the users can do it themselves. Not a satisfactory answer to many from a security company. But I wouldn't use security software from Verisign or GoDaddy either, especially if they said go piss off when asked to check their certs for known malware sites. If you use Opera 9.64, they have upgraded their padlock SSL indicator to show the class of the certificate used by a site, so at least you can tell if it is to be trusted. If you go to view/toolbars/customize/buttons/browser view you will find the icon that does it. If you click on the icon, you get more information about the status of the site. Attached are the button and the page you get for a DV, showing it is encrypted but not trusted. The example is for the Comodo forums website, which uses a DV. Presume the other browsers have something similar to expand on the "golden padlock" by now. |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to hayc59 Comodo responses?
Having read the various linked posts, I am not comfortable with Comodo as a certificate issuer. Since I have no way to differentiate the various levels of vetting in the free versus paid certificates, I've removed them from my trusted list until I see evidence from them that the process has been fixed.
As for their security applications, I don't use them, myself, but am curious about the notification and Comodo's responses.
1) Did the Comodo security application(s) alert on the malware sites prior to any certificates being revoked (if they were revoked)? If not, I'd be quite upset if I were a user.
2) When the issue was reported, how long was it before they removed/revoked the malware site's certificates?
3) Did you follow the same public disclosure guidelines for Comodo as you would have for Microsoft or other vendors you would notify?
4) How long was it after you notified Comodo that you went public?
How did Comodo's response and timeframes differ from other product vendors, including Microsoft?
Thanks in advance for responses - they will be helpful in evaluating Comodo's actions relative to other vendors. -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis |
|
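EGeezer's point above (an X.509 certificate binds a key to a domain and says nothing about the business behind it), sded's note that Opera shows the certificate class, and the "removed them from my trusted list" step that DigitalBizPerp and EGeezer describe can be made concrete in code. The following is an added example written for this page, not code from the thread or from any vendor: it takes a leaf certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, classifies the validation level (DV, OV, EV) from the subject attributes, flags an issuer on a personal distrust list, and records that no level attests business reputation. The attribute names assume OpenSSL's usual OID-to-name mapping; the sample certificates and the distrust list are constructed.

```python
# Added example, not code from the thread: decide what an X.509 server
# certificate actually vouches for, working on the dict shape Python's
# ssl.SSLSocket.getpeercert() returns. Heuristic (CA/Browser Forum EV
# guidelines): a DV subject carries only commonName (the CA checked domain
# control, nothing else), an OV subject adds organizationName, and an EV
# subject also carries businessCategory and the jurisdiction attributes.

# Subject attributes only EV certificates carry. OpenSSL maps the
# jurisdiction OIDs to names; older builds print them in dotted form.
EV_SUBJECT_ATTRS = {"businessCategory", "jurisdictionCountryName",
                    "jurisdictionStateOrProvinceName",
                    "jurisdictionLocalityName"} | {
    "1.3.6.1.4.1.311.60.2.1.%d" % i for i in (1, 2, 3)}  # same OIDs, unmapped
WHAT_IT_PROVES = {
    "DV": "control of the domain name only",
    "OV": "domain control plus a vetted organisation name",
    "EV": "domain control plus extended legal-identity vetting",
}


def rdn_to_dict(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) into a dict."""
    return {name: value for rdn in rdns for (name, value) in rdn}


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV', judged from the subject fields alone."""
    subject = rdn_to_dict(cert.get("subject", ()))
    if EV_SUBJECT_ATTRS.intersection(subject):
        return "EV"
    if "organizationName" in subject:
        return "OV"
    return "DV"


def assess(cert, distrusted_issuers=frozenset()):
    """Summarise the cert and flag issuers on a personal distrust list (the
    'removed them from my root CA list' step described in the thread)."""
    level = validation_level(cert)
    issuer = rdn_to_dict(cert.get("issuer", ())).get("organizationName", "?")
    return {"level": level, "issuer": issuer,
            "issuer_distrusted": issuer in distrusted_issuers,
            "proves": WHAT_IT_PROVES[level],
            "attests_business_reputation": False}  # true of every level


# Constructed sample certificates in getpeercert() shape (not real certs).
DV_CERT = {"subject": ((("commonName", "shop.example.test"),),),
           "issuer": ((("organizationName", "Example DV CA"),),)}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("organizationName", "GoodHands Insurance"),),
                       (("commonName", "www.goodhands.test"),)),
           "issuer": ((("organizationName", "Example EV CA"),),)}
```

On a live connection the same functions work on the dict returned by `ssl.create_default_context().wrap_socket(...).getpeercert()`; the distrust set is whatever CA organisation names the user has decided to stop trusting.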
  danny9 Go Ahead, Make My Day Premium join:2002-07-14 Clinton Township, MI clubs:  | reply to dadkins Re: Comodo continues to issue certificates to known Malware
dadkins, you have a way with words and tones. Well written.  |
|
  dadkins Can you do Blu? Premium,MVM join:2003-09-26 Hercules, CA
·Comcast
2 edits | reply to Comodo User Their firewall was ok, but not as good as matousec stated. They have been doing shady things for years now and it seems that you are taking exception to anyone berating them for their actions.
If it walks like a duck, and quacks like a duck...
Bottom line, COMODO is a crap company. They trashed BoClean. Their firewall has been severely buggy and problematic. They *ARE* issuing certs to malware producers.
Hmmm... yeah, I want me some of that! 
Guess you missed the Lavasoft fiasco and the fallout they caught for merely de-listing malware. Wasn't pretty. AdAware is no longer part of my toolbox - who knows what it will allow to stay. 
By all means, keep using their software and patronizing a questionable company - no sweat off my ba... well, no worries here!
BTW, join DSLReports - It's FREE!
*EDIT*: For the record, I don't use any firewall. Not even Windows Firewall! No brand loyalty here.  -- Think outside the Fox... Opera |
|
  Comodo User
@co.uk
| reply to hayc59 Actually hayc59 I used to be an Outpost user till I got fed up with buggy final builds, the closed clique that U call beta testing etc.
You have never ever used Comodo Firewall but all you do is moan & complain about the company, doing the usual Microsoft tactic of spreading FUD.
The reason I say that is you don't complain about the other cert sellers that still sell DV certs, only complain about Comodo.
Nowadays even a lot of paid apps include toolbars (Google, Yahoo, Ask etc) & if folk just blindly click next & they get installed then it's their own damn fault for not reading & checking things.
You don't like matousec testing when it started because he didn't give your beloved Outpost top marks & you have been calling them dishonest & unreliable ever since Comodo got top marks.
At least Comodo engages with the users & listens to questions & suggestions etc, unlike Agnitum that ignore things for the most part; I don't see any Agnitum staff posting in the OP forums.
Plus with Comodo I can disable any call home function, unlike OP that has hard coded rules to download so called news\ads.
I didn't post to start an argument, I only posted cause I have seen over the past few years that you go out of your way to disrespect Comodo even though U don't use it & they have never done anything to you. |
|
 TheAnalyzer
join:2006-01-20
| reply to hayc59 I usually stay with the security products I have chosen.
But I am very glad now that I changed my firewall product.
(I originally changed my firewall because CPF 2.4 was getting old).
But now I say: NO Comodo software anymore for me! I say this because I do not agree with what Comodo is doing ATM.
I bought a product from Agnitum now. I am running Outpost Pro. And I am very happy that I took this step. 
TA -- quod erat demonstrandum |
|
  mers2 Premium,MVM join:2004-03-20 USA clubs:
·AT&T U-Verse
1 edit | reply to hayc59 I'll back hayc59 up on character. If a security application he uses takes an action he considers wrong, he'll condemn that software just as much as one he may not use. And he's been consistent showing no favorites. |
|