Comodo continues to ignore Malware warnings

Yet again we find the same group “ISystem Inc” scamming the public with their bogus products … with a little more help from Comodo. Now I ask you … how many times do I have to report the same group being issued a certificate from Comodo, before they take the necessary steps to prevent the general public from being ripped-off by these bad actors?

If the page looks familiar … it is … the same template as I previously reported … from the same people “ISystem Inc”

As you can see I pasted the certificate details into the Fiddler report … below you can see there is no doubt that “ISystem” is the owner … same as previously reported several times! …

 

It not hard to find the bad actors and the connection between “ISystem and SoftDialog” … hey Comodo ever heard of Google? …

“WindowsSecuritySuite” is hosted at the same location as before … just how many red flags does it take?

“pay-secure” is also hosted on a previously reported location

# [Netdirekt][95.168.163.0 – 95.168.164.255]
127.0.0.1  aquabilling.com
127.0.0.1  secure.aquabilling.com
127.0.0.1  secure.bestbillingpro.com
127.0.0.1  secure.payment-cc24.com
127.0.0.1  pay-secure.net #[ISystem]
127.0.0.1  safe-pay-vault.com
127.0.0.1  webexpressbill.com
127.0.0.1  secure.webexpressbill.com

Comodo – creating trust online” … makes you wonder doesn’t it … I’ve been reporting on Comodo’s lack of concern since
LimeLight Networks and connecting the dots (12-07-07) all we get is excuses and spin on how everyone else is doing it (issuing certificates) … what ever happened to being a responsible part of the Internet community?



66 Responses to “Comodo continues to ignore Malware warnings”

  1. with all the money Comodo gets from this and their toolbar they start now paying people for creating positive video reviews of their products… see http://forums.comodo.com/general_discussion_off_topic_anything_and_everything/1000_from_comodo_for_your_video-t43021.0.html

  2. Yeah, that is their primary tactic from the very first start, now that they have the cash at hand, and the power to overpower they start to “buy” positivers. It’s like the digital Mob.

  3. The above cert has now been revoked. Thank you for bringing it to our attention.

    This was a free ssl certificate for 90 days.

    Melih

  4. That is trial version of your SSL cert Melih which gone thru many steps to register including Domain Validation 1 and Domain Validation 2. Not all applicants of your cert You revoked the cert, that’s good but please answer this question:

    Why does the same group, ISystem Inc is able to get cert whenever they want?

    Why the same people behind different malware domains continues to get cert from you.

    Don’t you have blacklist on which IP and location so your cert will not be use by them again?

    Many in the security community don’t trust Comodo certificates anymore. Trust online is not in Comodo if you don’t do something better
    Revoking is another move but show us something better.

    Creating a group or association to help stop rogue is not the answer to this. There’s so many group or association already that claim and joined by vendors already but it’s not what it is. It’s about the issuer of certs. Other vendors that joined your group is not issuing cert. You are issuing the cert to malware domains. Revoke when highlighted? Prevent it Melih.

    BTW, you know a fake antivir website is also using your cert right?

  5. despite all the claims that Comodo do not support DV certs, dubbing them ‘Dangerous Validation’ it’s still quite clear that Comodo are happy to make a profit from DV and then shrug their shoulders when things go wrong. For a company that (claims) not to support the use of DV and uses a poor excuse to justify this two faced action (along the lines, we sell DV to upsell to EV – hello, thats like saying I sell drugs to kids so that I can tell them how bad it is). Yet Comodo this week run a promotion (via twitter) offering a ‘roll up roll up’ on Essential SSL (DV) which is free to users of Comodo competitors. If DV is really a bad product, the only way you can stand on your soap box is to stop promoting it and make a stand on OV & EV.

  6. “we sell DV to upsell to EV – hello, thats like saying I sell drugs to kids”

    Selling DV certs is like selling drugs to kids??!
    Do you people have any shame?

  7. @Melih

    one more from the same gang extra-antivir.com

  8. Avoiding the issue of DV and pretending that it doesn’t exist and as long as Comodo doesn’t issue it everything will be fine is not going to solve the DV problem.

    The problem with these fraudsters is that DV process is too easy for them to take advantage of. DV only checks if the site owner owns the domain or not. There is no other check. Verisign and Godaddy own around 90% of this market. I have been very vocal in http://www.cabforum.org to bring higher standards so that end users can be protected. It has met with resistance with people from Verisign and Godaddy. But I am continuing to push for better standards as DV gives a trust indicator to fraudsters hands.

    As to some basic checks like, IP etc etc.. been there and done it..doesn’t work! These people are professional criminals! They know how to change their IP when applying for a cert, how to create a new identity etc etc. We are coming up with different defense mechanisms but we’ll see how it will work.

    To people who claim we profit from these:
    Fact 1) These are all FREE SSL certs.. we don’t get money from them (notice the duration of the cert is 90 days, these are trial certs we issue)
    Fact 2) we issue over 300,000 certs a year getting some fraudsters getting a free cert or two costs us money in reality!

    So what can we do to fight this?

    1)We need to get a standard (yep.. there is NO STANDARD for issuing DV certs today) that mitigates fraudsters having access to this yellow padlock (nothing ever is 100%)
    2)We all need to work together and report these sites so that they can be revoked quickly again limiting the damage. Common Computing Security Standard Website has a reporting form where this is fed to all CAs quickly. http://www.ccssforum.org/report.php . Please use this to report any maliciously used certificate so that it can be acted upon quicker.

    Pls feel free to engage in a discussion (here or in Comodo forums) as to how we can make it safer for the end user. Again, Comodo stopping issuance doesn’t make it safer, it might even end up with other CAs who might take much longer to revoke maliciously used certs. And a DV is a DV, yellow padlock indicator does not differentiate between vendors.. Users just see the yellow padlock and trust it.

    Melih

  9. solution = stop providing free/trial DV certs! Comodo tries to promote EV certs (because they are more expensive), so they make DV be/look useless (and that Comodo creates forums and websites where other sellers are needed to join is a bogus marketing strategy).

  10. We did a manual check to see how many of the malware related sites (sites that are pushing rogue AV products or other malicious activities, not including fake investment scams etc offered by fraudsters) use SSL certs to create legitimacy in an attempt to dupe end users.

    The site is called http://www.malwareurl.com which has a list of malware related URLs (this is just one of many sources) We checked the last 2000 entries from http://www.malwareurl.com/rss.xml?n=1&limit=2000
    for malware websites with certificates. The list and the corresponding certificates are attached.

    https://secureoem.com/shop/order/ Equifax
    https://secure.signupsecurity.com/p05/(S(4xghlr45eyy5dd45f33jqub4))/join2.aspx GoDaddy.com, Inc.
    https://secure.yclinks.com/p05/(S(r02vzt55hmnxlh45vy5dvj55))/join.aspx?siteid=freemovienow_cm&product=30&cli=7&descriptionid=new-movies&lng=en GoDaddy.com, Inc.
    https://secure-plus-payments.com/cgi-bin/nph-pr/pandora/softcore/buy_soft.php?productid=avplus3&advert=1 Thawte Consulting cc
    https://secure.cc-process24.com/ Equifax
    https://secure.mpsjoin.com/join/index.php Equifax Secure Inc.
    https://secure.payment-cc24.com/payment/?sku_name=PCSEC_EN,PCSEC_EN_01,ACTF_EN&sku_checked=1&affid=020c990db04ea0196e1af96bdae2e508LCw=&nid=431ae3a42aa877d0d3ac816da0e4b772 Equifax secure.payment-cc24.com.p7c Session-based link. Redirected from: http://pcsecurity09.com/buy.html
    https://1-vscodec-pro.com Thawte Consulting cc
    https://secure.onlineinternetpayments.com/billpav/? Thawte Consulting cc
    https://secure.innovagest2000.com/ GoDaddy.com, Inc.
    https://secure.paysecorder.com/order?agree=on&prodid=2&r=1.0&butt= Equifax Secure Inc.

    You see, wouldn’t it be better for the end users if all the above certs were from Comodo? They would have been revoked by now!!!! DV is a dangerous tool!

    @Herbert: As you can see above, Fraudsters are already using the other providers in a bigger way (you will find more certs maliciously used that belong to other providers than Comodo). So Comodo stopping issuing DV will NOT help end users. At least now we all talk about this and it gets reported and Comodo acts on it and end users get protected! Look at the above Certs.. they are still not revoked! Believe me I wish I didn’t have to deal with the hassles of DV. It represents a tiny (tiny) amount of sales for us and the hassle it causes it much bigger than its worth to us. But I can’t let this stop us from protecting end users! Hence why I am here at 11:38pm plugging away at this. I initiated http://www.cabforum.org (didn’t have to!), I initiated http://www.ccssforum.org (didn’t have to!), I decided to give top notch Free Security product (didn’t have to). I am selling DV (didn’t have to) but I also know if I pretended DV didn’t exist and don’t take the bull by its horn, fraudsters will simply go get it from other providers and the certs they use might not get revoked in a timely manner. And end users are the losers at the end in that scenario.

    The solution is not to pretend DV doesn’t exist. The solution is to introduce a stringer standards for DV so its not easy for fraudster to obtain it and until that happens the solution is for everyone to report these sites to http://www.ccssforum.org/report.php so that it can be acted on quickly.

    Melih

  11. Melih,

    Mike’s question and everyone’s question including mine was “Why your company continue to issue cert to the same gang?”

    Let me re-phrase that: “Why Comodo continue to provide cert to malware domains that is from the same group that you’ve revoked?”

    Comodo seems to not to apply what other cert vendors can do in protecting their own service so that end-users will not become victim. They seems to know how to implement “creating trust online” than you do. Verisign said:

    “Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.”

    “The system we have in place automatically rejects obviously fraudulent sites and kicks anything questionable to a manual approval. And if anyone flags a site as malicious, we have a team that investigates these and revokes the certificate if found to be malicious/fraudulent.”

    “For GeoTrust and RapidSSL we have the ability to revoke a cert issued to a malicious or rogue site instantaneously. The cert will then show up on our CRLs immediately.”
    http://www.thetechherald.com/article.php/200922/3750/Criminals-using-Comodo-to-attempt-legitimacy

    You said those fraudsters are professionals which is true but as you can see Melih, other cert vendors do not care whether the cert offender is professionals or not. That is not an issue for them. If it’s known fraudster they have a good system to handle it and good team to monitor and investigate it. What about Comodo? It’s been 2 years that your cert is found in malware domains and until now you have high standard of checking like other cert vendors has?

    You said you are coming up with different defense mechanism. Good luck! Let’s hope Mike and others will not have another blog entry like this. If there will be, we’ll see the date that the cert was issued.

  12. Donna

    I made a post but its not showed up yet(?), where you could see the other Vendor’s certs used by malicious sites.. more than ours! So your statement and inference that other CA’s got it sorted is totally misguided and wrong.

    I have a similar post in our forum here http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_comodo_bad-t43119.0.html;msg312958#msg312958
    with the details of some of the certs we found from other CAs.

    Again, DV is inherently vulnerable and fraudsters will continue to abuse it! Actually Comodo has the lowest ratio of malicious use of our Certs compared to our market share as can be seen from my post in our forum.

    Again, Donna, you are misguided to think other CAs are not vulnerable or don’t have their certs maliciously used. And you are misguided to think DV malicious use can be stopped.

    Melih

  13. @Donna

    You are asking the same question that I already answered in my post of Friday, July 24, 2009 11:47 AM by Melih.

    Pls read it the answer is there.

    But let me expand on it more:

    Do you really think that these criminal outfits come to us and say, hey Comodo, we are the same criminal outfit that got a free cert from you and you revoked it, can you pls give us another one!!! Pls get real Donna… These people hide any traceable information that might link their new application to the previous one that got revoked. You are understimating these professional criminals Donna, a big mistake!

    Your naivety in this subject is scary as someone who claims to be in the security world.

    thanks

    Melih

  14. I think this was the best question … that went unanswered … about the discussion on your forum:

    Melih,

    Yes, I know that usually CAs only check if the site owner owns the domain or not, but why don’t you change the standard for yourself?

    If you are pushing for better standards, why don’t you use them instead of waiting for others to?

    Is there some “rule” prohibiting you from doing so? If not, why don’t you set the example?
    http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_comodo_bad-t43119.0.html;msg312955#msg312955

    Rather than trying to discredit the people reporting on this issue …

    “Why don’t YOU set the example?”

  15. The problem in fact boils down to two issues here.

    First, the certs issue. The fact other cert vendors may or may not have standards or systems to investigate and revoke certs is merely part of the solution. Putting a halt on providing free and trial certs as those in question from this moment on by all cert vendors would be the way to go, in combination with fast and solid investigations from already provided sortalike certs.

    The tricky part is, these free and trial certs are in fact commercial teasers. All cert vendors do provide them with one goal in mind: selling “the real stuff” in the end. Earning money is what it’s all about in the end.

    It may not come as a surprise cert vendors are far from willing to drop providing free and trial certs for that reason: it’s the start from their main source of revenues.

    Comodo is no exception to the rule here. Does this put Comodo off the hook? Certainly not. Although I applaud all sorts of actions as mentioned by its CEO to tackle this issue, it’s bound not to work – it never has and never will. Far stronger rules should be applied – see above.

    So the ethical versus commercial consideration arises: should Comodo stop issuing free and trial certs? Ethics say: “here and now”. Commerce demands: “never. It does cost us far more then we can and wish to affort. Our competitors will laugh all the way to the bank”. The conclusion: Comodo picks and will pick the commercial point of view. And Mike will keep on posting over here for years to come about this subject.

    Second issue: Comodo is rapidly involving in creating various security related softwares. Fairly all of them do have at least a freeware option. This comes with a hugh price tag (vast team of employees, bandwidth costs etc.). And here the connection with the first issue is obvious: this price tag most probably is mainly coming from the certs revenues.

    It’s rather obvious, the combo “certs” and “security software” is a fairly impossible one, not to say a contradicto in terminis.

    Personally, I do see the overall marketing concept behind this combo concept. It’s a rather smart concept as well from Comodo’s perspective. Unfortunately, there’s one misconception implemented: the real money maker source – the certs as being discussed. This misconception may well backfire in the end.

    On a personal note and well intended: I’ll take it your lunch invitation in NY from a while ago still stands, Melih :). I do wish you all the wisdom needed in dealing with the situation at hand.

    Cheers,

    Paul Wilders

    (yet another darned Microsoft MVP since say 2002 or so)

  16. This “audited” comment system look indeed awkward considering that a comment suddenly appeared before the one posted by Donna or that it usually take hours (or even a day) to post a reply.

    The focus is clear and the tone is too and it looks way more easy to abide to the pre-laid path with eyes closed than addressing the substance of the arguments and the premise provided.

    It would be really interesting though to read an article thoroughly detailing what procedure and checks should be necessary for DV certs in order to unequivocally identify legitimate requests from malicious ones during application.

    It would be crucial to not neglect how circumstantial suspicion criteria should supposedly handled to not illegitimately deny applicants using assumptions the likes of IP or ISP which are not meant to unequivocally identify people (though they could be undoubtedly used afterwards providing that impression)

    Indeed a technical article in this regard could be less interesting for casual readers but would be unlikely to pass unnoticed by other security experts reviews for completeness, inaccuracies or weaknesses because the focus would be to find a reasonable, realistic and efficient solution for the benefit of everyone…

  17. @winhelp2002

    Actually that question has been answered many times, including in my posts above.

    thanks
    Melih

  18. Hey Donna you remmeber the site that you complaied had a Comodo DV http://windowspcsuite.com , its now using a Equifax DV.

    Stop complaining about Comodo and go complain about the other CA who dont even give a curd for there end users security!

  19. This is too funny!

    The very website you (the site shown above in the main blog) complain about is now using Geotrust Certificate (A Verisign Company)..

    The very company that Donna thinks is immune to fraudsters! Lets see how long it will take them to revoke this cert! Count down starts now 🙂

    Melih

  20. Melih,
    No one said that other cert vendors has not issued cert to other malware domains. Don’t say I’m a total fool because “no one here including myself” has said that other cert vendors has not issued cert to malware domains.

    The differences?
    1. Comodo “continue” to issue it even after you revoked from the same group/gang.
    2. Comodo offers not only certs but desktop security software. Other certs don’t offer security software. Comodo has more responsibility and should have better strategy.
    3. You or Comodo admitted that you are doing this because others is doing that. That’s a lame excuse. Many times people have ask you to start to show example on whatever standard that you think is better and we’ll even praise you if you will show to the world that you are doing better than other cert vendors.
    4. Comodo is offering free 90days of DV certs! You are promoting DV which you said “not good”. Promoting something that you know bad is adding problem instead of preventing.
    5. Last but not the least, Comodo questions the ethics of people who report instead of working on it. To tell us that we are targetting Comodo alone is simply untrue. We are not misguided. We look at the history and report… we look at track records.

    I’m glad to see your answer about why Comodo continue to issue cert to the same fraudster. That’s lame answer you got. You have desktop security software that has detection to particular malware. Ever heard of heuristic? The same behaviour will be flag. That is the same method that you can apply in your cert business. Same gang, a bell should ring. If not, monitor it then revoke before anyone become victim. What is happening is you failed to monitor. You wait for report from people whom you questioned the ethics. Oh well…

    This going in circles. No wonder why MVP Steven Burn stopped talking in your forums because it’s useless. You keep pointing fingers and going in circles.

    ‘Nuff from me. I hope to not to see another blog or report that Comodo has issued cert to the same gang or other malware domains.

  21. 1George,
    Who said I reported to Comodo that domain? Are you like Melih who is confused on who is Donna, Mike and Corrine?
    Read my reply earlier. I said ‘no one here has said that other certs don’t issue certs to other fraudsters’. The problem is Comodo continues to issue to the same fraudster. In my post there are differences between Comodo and other cert vendors. Wait til my post appear.

  22. But Donna dont you know that no CA has a system to check if the DV is being given to a repeat offender.

    What happen to Comodo here happens to all other CA way more offten, just because you dont/wont notice it or find one, doesnt mean it’s not happening to other CA’s also.

  23. 1George,

    You just answer your question. It happens more often with Comodo cert which means? more malware domains has cert and the worst part is.. the same offender get the cert again, again and again. The action of Comodo to prevent this from happening is what? There must be action to prevent this or else, Comodo cert should not be use by non-malware domains because many people will block and not trust Comodo certs anymore.

    >>>But Donna dont you know that no CA has a system to check if the DV is being given to a repeat offender.

    You better ask that with Comodo because Verisign claim that they have a system to automatically reject known fraudelent (repeat offenders) and their manual system handles questionable domains that try to get a cert. So if Verisign can do that… your belief that no CA has system to check if DV is given to repeat offender is incorrect.

  24. 1George,
    You’re right “pay1.windowspcsuite.com” now redirects to “stonewave.net” which is hosted at the same location as the others …

    # [Netdirekt][95.168.163.0 – 95.168.164.255]
    127.0.0.1 aquabilling.com
    127.0.0.1 secure.aquabilling.com
    127.0.0.1 secure.bestbillingpro.com
    127.0.0.1 secure.payment-cc24.com
    127.0.0.1 pay-secure.net #[ISystem]
    127.0.0.1 safe-pay-vault.com #[server down?]
    127.0.0.1 stonewave.net
    127.0.0.1 webexpressbill.com
    127.0.0.1 secure.webexpressbill.com

    http://www.robtex.com/dns/stonewave.net.html#shared

    As for the actual culprits they all use the same upstream provider = AS304407

    # [Velcom / Teleglobe][AS30407][64.86.16.0 – 64.86.17.255]

    # [Global Crossing][AS30407][64.212.0.0 – 64.215.255.255]

    # [Rcp.net][AS30407][206.53.48.0 – 206.53.63.255]

    If you view the Google Diagnostic report you’ll see they are bad characters …
    http://www.google.com/safebrowsing/diagnostic?site=AS:30407

    In my opinion Comodo needs to step up and take a different approach, as the method now in place clearly doesn’t work … thus my comment:

    “Why don’t YOU (Comodo)set the example?”

  25. –quote–“Why don’t YOU (Comodo)set the example?”–end quote–

    Easy one. Setting an example > big revenue loss plus a grinding halt from all security software(s) developed.

    Business wise that boils down to a disaster. This is a roller coaster with virtually no way out. Anyone who fails to understand this never ever has been involved in high staff level business situations and decisions.

    In all fairness it should be a good thing to imply GoDaddy, Verisign(!) and all others into this issue as well. The only reason to focus only on Comodo is – in my view – the impossible connection as for developing security software(s).

  26. Paul,
    I not asking Comodo to stop issuing certificates, but rather come up with a better method of verification …

    “Trust, but Verify”

  27. Mike,

    I do understand your point of view. Perhaps we agree to disagree about your proposal :).

    In my view these certs in question should not be issued at all, and that includes all cert vendors. As far as I see it, Verisign, GoDaddy and others belong in one and the same category as Comodo. Nice looking statements are not more then words.

    Let them sell only the real and trustworthy stuff to carefully examined buyers – and keep them examining very frequently. Weed out the certs already issued and keep doing so.

    That’s my interpretation from “Trust but Verify”. And that goes for all cert vendors, Comodo included.

    Will that happen? For reasons as already posted earlier on, I probably won’t live to see that day.

  28. @Paul…Lunch.. you know my email address, just drop me a line anytime 😉

    As to whether the issue is free trial or not. Well imo its not. As you can see from the above example even though windowssecuritysuite site had a free trial cert from us (where we made no money from), they now got a cert from Verisign and they paid for it and its still not revoked! Comodo revoked their certs within minutes of finding out about them.

    Its the DV SSL process that is the problem. With this process there is no check about the legitimacy of the applicant. CA doesn’t even check if its a real person or real entity or not! That is the problem! Whether you provide this paid for or free, its still susceptible as a protocol.

    Hope this clarifies the issue.

    cheers
    Melih

  29. Donna

    This is why look like a fool

    You Quoted this statement From Verisign in your above post

    ***************
    Verisign said:

    “Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.”
    ***************

    Then soon after the windowssecuritysuite went and got a cert from a Verisign company!

    You look very foolish indeed!

    Moreover,

    You look foolish, because you are ignorant and do not understand the problem is not per Company but the Protocol of DV cert

    You look foolish, because you are involved in a witch hunt against a company without getting your facts straight

    You look foolish because in your flawed argument in your witch hunt you quoted a company saying ” we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.” and only shortly after the above malicious site went and got a cert from them!

    Donna, you look very foolish indeed.

    Melih

  30. Paul,

    Ever since this issue with Comodo cert started, most of us highlighted that Comodo is not only a cert vendor but a security software vendor (kindly see http://www.calendarofupdates.com/updates/index.php?showtopic=19279) which is not the same with other cert vendors so it is not unfair to imply Comodo on this issue. How can people trust their security software to detect malware if the malware domains that will serve the malware is carrying Comodo cert? That alone should make Comodo to do something better than other cert vendors. They have all the possible method to prevent it. They have malware team who should know the “source” of the malware. That malware team should be talking to their Cert department and flag a malware domain if they only checked the source and found out that there is Comodo logo on the source of malware that their security software will be detecting.

    If they cannot set-up a better strategy and step up then they are mistaken to render two products: Cert Issuer and Security Software Vendor.

    They issues cert to malware domains. Their scanner detects the fake antivirus. What the malware research team there has done? Did they pass the malware domain information to their cert team and say “Hey, we are detecting this as rogue, it has our Comodo cert”.
    Their cert department should revoke it soon before any researcher like Mike will find it or before anyone is victimized by the fraudster.

    Regards,

    Donna

  31. Donna,

    You’re behavior is down right not acceptable! Your spreading lies all around about Comodo! Seriously Donna, Cut the crap right now. Instead of blogging “OMG! Comodo has a Certfiicate issued to this malware domain!” And blogging misleading crap about it, You can help COMODO and other CA’s ALOT by submitting malicious websites using Certificates here: http://www.ccssforum.org/contact.php

    ALL the malware sites used by COMODO certificates are either (Free, 90 Day Trial) or Domain Validation Certificates. Heck as long as you got a domain, And you got money, COME AND GET A DV! No Validation WHAT so ever.

    THIS is the problem The Industry is posting relating to ALL CERTIFICATION AUTHORITIES, PERIOD! There is no Standard. Comodo, Versign, etc are all in the same boat.

    winhelp2002: There is no Validation for DV’s. It’s an industry wide problem. Comodo educates people about Extended Validation, which does have validation and all the proper steps.

    Btw, Melih has a video about Domain Validation here: http://www.comodovision.com/?p=343 (Cause of all this misleading information).

    Cheers,
    Josh

  32. Josh,
    You are way off base here … I posted the “Comodo has a Certfiicate issued to this malware domain” not Donna …

    As for the “industry wide problem” … yeah yeah, yeah … we’ve heard it all before, and that’s why I continue to ask for a better method of validation. Comodo wants to be a leader … well let’s see some leadership.

    “Comodo educates people” … the criminals won’t be educated, that’s just a poor excuse for doing nothing. If there is no “standard” then create one …

  33. Melih,

    Hah! You find that foolish? Then you’re the one making yourself like a one. Why? Because you believe that we do not know that other certs has issued cert to fraudster. You believe that we are singling you out. Since May 2009 discussions in Calendarofupdates.com forum, people was highlighting your difference from other cert vendors. No one is saying that only Comodo has issued cert to malware domains.

    From day 1 that this issue about your cert was blogged or discussed in forums, you keep pointing fingers. You keep comparing yourself with other cert vendors but you failed to realize that people expect MORE from Comodo because you are offering NOT only certs but Comodo security software also. People are not comparing you to other cert vendors because they know that it is not Comodo alone has done it but they expect more from you. You are the one who keep mentioning your rivals.

    You are using other cert vendors as EXCUSE or ALIBI that as if people do not know about certs at all. What we cannot understand and you/Comodo failed to do is to prevent it and provide better prevention especially you are expected by people to do better. You have security software! Your teams (malware research and cert teams) should be coordinating and reporting to one another then prevent it before people become victim.

    Even Paul can see the problem with your services. Even Paul has said it. Ethics vs Commercial. You opted for losing your ethics. You opted to not to provide professional standards. You opted to provide a not fair job and you opted to not to show your duty as security software vendor.
    Even Mike has said before “who’s ethics is being question here?”, not his but yours.

    And since you opted to the above, then you got to face this problem. Solve it Melih. That what people want to see, your solution.

  34. It would be pointless to argue in the span of this page whereas the manifest intention to restrict the focus to a single CA is unambiguously clear.

    Each reader ought to confirm if some arguments could actually warrant the comments insofar provided whenever there might not be enough of a context nor the information to have them properly address some claims, even in case some will _not miss_ the comment section.

    It should be clear by now the effort some put to point out arbitrary reasons to maintain such narrow focus is directly related to the extent of targeted criticism provided.

    It’s is baffling to notice the unavailability of a technically reasonable, realistic and efficient solution which should have been provided months ago and reviewed for
    completeness, inaccuracies or weaknesses by other experts and unambiguously proposed “to all CAs” for the benefit of everybody.

    How log opinions have to come in form of “judgments” and not as a “proposal of solution”?

    Because only a solution-oriented industry wide “proposal” could possibly cast away the undeniable considerations arising from such narrowed perspective some individual vocally advocate.

    The “vast majority of CAs” will not fail to answer to such officially provided “solution” whenever released outside the cabforum.

    Especially if provided by reputable individuals who apparently have the issue at heart instead of posing as judges on the sidewalk while delegating the rest or focusing on a single CA whenever it is a marginal issuer of DV certs.

    Whenever some may be still willing to argue about these aspects and only passing their righteous judgment all along, their approach and their focus will be self-evident regardless of their confidence on their reasons and premises…

    Whenever comments the likes “this should never happen” vocally leverage on popular sentiment arguing about viewpoints and sentiments is much different from arguing from a technical perspective to “thoroughly” describe a reasonable proposal…

    …because per-reviews could be assumed to be as thorough and pertinent as well oriented on on realistic constraints and efficiency aspects in order to determine the span and applicability of such DV proposal.

    Whenever it does indeed look that OV certs inherent identity validation can already address many DV certs related pitfalls in a reasonable and efficient way with less resources, any experts willing to address a detailed DV proposal for all CAs could write about that outside the restricted space of this “comment section”

  35. @Donna

    Donna:
    Hah! You find that foolish? Then you’re the one making yourself like a one. Why? Because you believe that we do not know that other certs has issued cert to fraudster.

    Melih:
    If you do pls tell us the percentages. How many percent of the malware sites used Comodo certs vs other vendor`s certs. You do NOT know this, if you did, you wouldn`t be doing what you are doing! Can you pls provide percentages to say that Comodo is not doing its part or even more that its fair share!

    Donna:
    You believe that we are singling you out. Since May 2009 discussions in Calendarofupdates.com forum, people was highlighting your difference from other cert vendors. No one is saying that only Comodo has issued cert to malware domains.

    Melih:
    Then the only foolish one is you Donna. You even quoted a line from Verisign: “Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.” If you didn`t believe that line why did you quote it? Can you pls explain?

    Donna:
    you failed to realize that people expect MORE from Comodo because you are offering NOT only certs but Comodo security software also. People are not comparing you to other cert vendors because they know that it is not Comodo alone has done it but they expect more from you. You are the one who keep mentioning your rivals.

    Melih:
    Expect more from Comodo because we have security software implies comparison to other cert vendors. You are clearly saying Comodo as a CA who also has security software should do more than other CAs who doesn’t have security software. btw more compared to whom or what? Obviously our competitors! Or perhaps you can explain what you mean by expect more from Comodo compared to what/who based on What percentage? What data do you have in terms of percentage to say that Comodo is not doing enough compared to our competitors? Perhaps again you can share that data showing the percentage of maliciously used certs issued by comodo vs competitors as well as the average revocation time for respective companies. Surely you must have this for you to come to the conclusions you have. If you haven`t how can you possibly say all the stuff you have been saying?

    Donna:
    Even Paul can see the problem with your services. Even Paul has said it. Ethics vs Commercial. You opted for losing your ethics. You opted to not to provide professional standards. You opted to provide a not fair job and you opted to not to show your duty as security software vendor.

    Melih:
    Paul`s point was about free/trial SSL, but as was clearly shown this is not the issue as the malicious site blogged about in this very blog against Comodo went and purchased a cert from a Verisign Company. Once again the protocol for DV is flawed, no matter who issues it (maybe one day you will get it..)(will you?)

    Again, we expect substance to your allegations, we expect no flip flopping, we expect not some foolish girl going around on a witch hunt with literally ZERO understanding of the security world!

    Its amazing how the universe works in mysterious ways…. You quoted the Verisign statement and within 24 hours You were proven wrong!

    How can you with any credibility claim that You didn`t quote Verisign`s statement saying: “we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place”. Donna you are a fool for posting that statement and then claiming you never said others vendors don`t issue certs to malware domains.

    Look forward to your explanation of why you quoted that Statement from Verisign if you didn’t believe in it?

    Melih

  36. Melih,

    You are trying to use this “single” malware domain to justify your work :-O
    Note: The same gang that you’ve revoked cert before and the same gang that you have issued the cert before it goes to other cert vendors.

    Why did I quote Verisign’s response? it is to answer 1George’s claimed: “no CA has a system to check if the DV is being given to a repeat offender”. Take note that he said “repeat offender”. You see, this single malware domain that you are trying to use now as your defense was found only to have Verisign cert after you have revoked it. It does not mean that Verisign re-approved or re-issued the cert to the same gang that unlike you, Comodo… who continues to provide cert to same gang. You issued the cert to the same gang. Repeat offender.

    See the difference?

    Nope. MVP Paul Wilders wrote about the issues in Comodo services: certs and security software. Read his entire message again, Melih. He can see what other people have seen since May 2009: A cert and security software services is the issue here that’s why Comodo is being questioned. Paul clearly wrote that there is 2 choices: Ethics vs Commercial. He understand why you picked commercial instead of ethics. It’s quite obvious anyway but let us not forget that you have other source of money to develop your free software now: A toolbar in partnership with Ask/IAC. A toolbar that is bundled with EULA at all in the installer and not even link. No EULA means you are not clearly disclosing what your software has and what it will do.

    You want to count how many malware domains has cert by other vendors. Why bother if Comodo cannot even monitor it and that Comodo have to wait for reports like this. Remember, MVP Mike (aka winhelp2002) is reporting to you since Winifixer days. Since 2007, he’s been catching malware domains with Comodo certs. Does the numbers matter now if people knows that your system like other cert vendors system is failing? What is the point if you are not going to provide solution?
    You have security software to help in having a better strategy than them. That is the point.

  37. As a end user here, I’m tired of the name calling and finger pointing. How about all of the folks in this industry work together to stop the bad guys.

    Enough with the attitude and how about we all get together to protect customers?

    How about taking the time from justifying what happened to figuring out how to stop it happening again?

  38. @Donna

    You said
    Why did I quote Verisign’s response? it is to answer 1George’s claimed:

    WOW…what a LIE….because you posted the verisign Statement on Saturday, July 25, 2009 5:41 PM by donna

    But 1George made his first post on
    Saturday, July 25, 2009 9:53 PM by 1George

    You are now lying through your teeth Donna!! Shame on you! A Fool and now a blatant LIAR!!!! Have you no shame?

    Melih

  39. Melih,

    You’ve stated somewhere above:

    –quote–

    “Its the DV SSL process that is the problem. With this process there is no check about the legitimacy of the applicant. CA doesn’t even check if its a real person or real entity or not! That is the problem! Whether you provide this paid for or free, its still susceptible as a protocol.”

    –end quote–

    Although in my opinion free/trial certs should never been issued at all for reasons as discussed, you certainly have a hugh point here. So let’s focus on this one for a while.

    What if any reasons do exist for cert issuers not to change this darned protocol? In case it’s flat out the money, by all means state so. From purely a business stand I can understand such a reason. Although (being aware of the consequences) it wouldn’t be my kind of business. Then again, we all do know how reality is in this business if this is the case.

    If on the other hand other reasons come into play, say lack of organization, setting standards accepted by all etc. : that’s quite a different ball game. In effect the cert issue overall could be tackled. It will cost time and money no doubt – but it will pay back in the end. Provided this is the case, what can and could be done in your opinion?

    I’d like to address issues one by one now as everyone may notice, starting with the root of the evil.

    On a side note: I’m all for a heavy and straight forward discussion. Calling names and shouting at one another never solved anything as far as I know and isn’t my cup of tea anyway. Consider this a well intended hint for those who fits the shoe :).

    Paul

  40. @Donna

    As if all that wasn’t enough….What was that thing you said about “repeat offender”?

    http://www.malwarecatcher.net mentioned in the original blog above points to
    https://secure.softsales-discount.com/support/ and this domain had an SSL from a Verisign Company previously (was valid until 6/26/2009) and now they went and got another cert again from Verisign!

    Can you pls explain that Donna (along with why you lied pretending you posted the Verisign statement after 1George’s statement, and now it has been proven that your theory of “repeat offender” is total rubbish!

    You look a total fool and big liar Donna! Shame on you!

    PS:here is the screenshots to the previous verisign cert in my post in our forum http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_comodo_bad-t43119.0.html;msg314120#msg314120

    Melih

  41. Paul

    First of all there was and still is no standards for issuing SSL certs (yellow padlock)(There is a standard for EV SSL – Green address bar). So any CA can do whatever they like when issuing these certs as there is no standard for it.

    So in 2001, Geotrust came up with this innovation of issuing SSL certs without asking for docs etc. and “invented” DV SSL. People didn’t understand the implication and thought hey, great, don’t need to bother with documentation and I can get my cert in few minutes. That’s how Geotrust was able to get a market share. Verisign and Comodo was against this kind of Dangerous Validation, until Verisign bought Geotrust:) All of a sudden Verisign thought DV was a great idea! Then Godaddy came into picture pushing DVs. Now between GoDaddy and Verisign they own around 90% of the DV market. DV created a tool for market share. DV certs are dirt cheap so I doubt anyone can make money from them, but they are a business tool for gaining market share, but of course monetizing that market is another issue after you obtained that market share.

    Coming to now, Comodo has proposed a minimum standard to the CABForum for DV. Because today there is no standard for how to issue Yellow padlock. You see I believe a Certification Authority must Certify Identity, otherwise whats the point. So we are pushing for a standard, but we are getting resistance from the “DV Market Leaders” :). Of course “DV Market Leaders” have Legal Monies to spend if browser people force a change on them. So it has be done amicably..but they resist!

    So that’s the story!

    I think we need to educate users and get them to demand better standards from their browsers and be aware of DV certs (asking for too much but hey)..

    We as Comodo will continue to push for minimum standards thru the CABForum and everyone should write to their Browser vendors and demand that they should improve the DV SSL standards.

    Hope this clarifies, if not pls feel free to ask.

    thanks

    Melih

  42. Melih,
    re: malwarecatcher.net

    Well I just checked it after your last comment and I surely don’t see Verisign … what I do see is a recently expired certificate from Comodo!
    [Screenshot – 7/28/2009]
    http://mvps.org/winhelp2002/blog/malwarecatcher.gif

    Enough with all the namecalling … you are the one making yourself look foolish …

  43. @winhelp2002

    Can you pls post the screenshot of what you see. Thank you

    Melih

  44. Melih,
    The link to the screenshot was included in my last comment …
    http://mvps.org/winhelp2002/blog/malwarecatcher.gif

  45. @winhelp2002

    You are showing a cert for softhotspot.

    I was referring to https://secure.softsales-discount.com/support/ and the screenshot is available in the link provided in my above post.

    If you choose Visa then you go to what you posted, if you choose Mastercard they you go what I posted (as far as I can see).. Can you pls confirm that is the case for you too?

    thanks
    Melih

  46. here is the site http://pay1.malwarecatcher.net/ProcessTransaction.php?pc_id=&uid=0&ls=1&bid=b_Unknown&t=day&np=&pid=3&sid=&wv=wvUnKnown&verint=&presale_id=1&abbr=MCATCH&bill_id=-1&prID=2

    If you choose Visa you go to: https://secure.softhotspot.com/cgi-bin/bill.cgi?type=cc&id=135_138&reseller=wvUnKnown;b_Unknown;1;0;0;0;-1;1;;0

    and if you choose Mastercard you go to:
    https://secure.softsales-discount.com/payment/?sku_name=MLWCT_EN,MLWCT_EN_00,MLWCT_EN_01,ACTF_EN&sku_checked=2&nid=&affid=0&lid=wvUnKnown;b_Unknown;1;0;0;0;-1;1

    So all along, even as you were writing your blog against Comodo, this malicious site you blogged about had a verisign cert. And now they actually got another one from Verisign. While Comodo cert is a Revoked cert, previous Verisign Cert “expired” and the current Verisign cert is still “valid”.

    I think its fair to say, Comodo is doing its fair share at protecting its users and shouldn’t be singled out!

    Melih

  47. Melih,
    You’re right … each card selection goes to a different provider … first I’ve ever seen that.

    Equifax (expired) 6/26/2009 (Mastercard)
    Comodo (expired) 7/21/2009 (Vista)

    Most likely the culprits have abandoned MalwareCatcher for whatever they have cooked up this week …

  48. winhelp2002

    Can you pls confirm that all along the very site you blogged about had a verisign cert and these crooks went and got another verisign cert again and that Verisign cert is still valid?

    Thank you

    Melih

  49. Melih,

    Conclusion: it’s the money that counts, and Comodo – supposidly having 10% or less market share is too minor a cert issuer to have real influence on the existing dangerous validation protocol. As suspected and not coming as a surprise.

    Would you mind posting the minimum standards Comodo is pushing over on the CABforum, so we know the possible positive impact?

  50. Melih,
    If you go back and look, I only made a passing reference to MalwareCatcher …
    [quote]
    Seems iSystem Inc also controls several other (malicious) domains … including “malwarecatcher. net” which is associated with “updvms. net” and this is where it get interesting …
    http://msmvps.com/blogs/hostsnews/archive/2009/05/23/1693034.aspx
    [quote]

    You can spin it all you want, but it doesn’t change the fact the Comodo was involved with yet another malicious domain as seen in the last screenshot … the Verisign certificate I saw from the Mastercard link expired 6/26/09.

    I never saw the Mastercard/Equifax connection when I blogged about MalwareCatcher because I clicked randomly on the Vista card selection.

    I mentioned MalwareCatcher on 5/23/09 … the Equifax certificate was issued:

    [Issuer]
    CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US

    [Serial Number]
    0BB707

    [Not Before]
    5/26/2009 10:00:25 PM

    [Not After]
    Equifax 6/26/2009 7:33:42 PM
    ————
    So even if I clicked the Mastercard link, I wouldn’t have seen Equifax since it wasn’t issued until 3 days later … no telling what was there previously (if anything)

    And no I do NOT see a valid certificate … it shows just as I posted it above …

  51. Melih,
    I quoted verisign to let readers see that other certs have strategy and provided a good response. I quoted verisign again to answer 1George. Are you happy now? If so let’s go back to the fact and main issue: Repeat offenders is able to get from Comodo so the blog of Mike is very correct.

    As to your message:
    QUOTE
    So all along, even as you were writing your blog against Comodo, this malicious site you blogged about had a verisign cert. And now they actually got another one from Verisign. While Comodo cert is a Revoked cert, previous Verisign Cert “expired” and the current Verisign cert is still “valid”.

    I think its fair to say, Comodo is doing its fair share at protecting its users and shouldn’t be singled out!
    END QUOTE

    Oops Melih… there is no valid cert on the domains you mentioned 😉

    @Mike,
    I just look at the sites that Melih mentioned and I able to repro here what you saw:

    I do not see valid cert.

    secure.softsales-discount.com – Equifax (issued 5/27/2009, expired last month 6/26/2009) – 1 month this malware domain is able to use Equifax cert.

    secure.softhotspot.com – Comodo (issued 4/22/2009, expired few days ago – 7/21/2009) – that’s the 3 months trial that this malware domain is able to use Comodo cert.

  52. It has become more than clear during the course of this discussion that the main contributors to this blog have launched a vicious attack on Comodo with no justification whatsoever. This has no doubt damaged the business of Comodo, as the people concerned use their status of MVP to add weight to their remarks and will thus have been taken seriously by the wider security community.

    It is hardly surprising that Melih has reacted furiously in this instance, as he has obviously not in any way been justly treated here.

    Fortunately Paul Wilders has now introduced some common sense to this discussion, but the damage has been done, as the accusations have been widely repeated in many forums.

    It would be good to see some humble pie being eaten here now and an apology at the very least!

  53. I must admit I find this quite disconcerting! As an MVP myself, I tend to have quite high standards when it comes to discussing matters related to IT and especially security. What I find here and elsewhere, however, seems to amount to a vendetta against a single company, by a small band of irate MVPs.

    The simple fact is, this is not a single company issue, it’s an industry issues. Comodo is not alone in issuing certificates and is in fact a relatively small player, yet I find no mention on your site of Verisign. Will you tell me, honestly, they are not also guilty? I think the proof lies in this very thread.

    Your premise for singling out Comodo as the evil supplier of certificates to “criminals” seems more to to with your dislike of them also being a software supplier, in addition to a certificate supplier. I have to wonder if this at all relevant. If I choose to install their software on my computer, I don’t see any ‘malware’ being installed. Granted, they offer the Hopsurf toolbar, which is powered by Ask, but it’s optional. For the most part the security package is first class.

    I really believe you should stop with the ridiculous ‘tabloid’ headlines and concentrate on the real issues. If you want the industry to change then report fairly, put pressure on those that can make a difference.

  54. @winhelp2002 and Donna

    You guys give MVPs a bad name, Shame on you both!

    @winhelp2002: You didn`t spot the Verisign cert on this malicious site and solely blamed Comodo, even though Verisign is also a repeat offender you only chose to focus on Comodo.

    Donna you lied saying you posted your statement in response to 1George and now you are changing your story yet again…

    Donna you were foolish to make a statement about repeat offender and you were proven wrong in this very thread by the repeat offender malicious site by going and getting another cert from a Verisign company.

    I have nothing else to say to you guys apart from I really hope you are both ashamed of yourselves!

    Melih

  55. Truthseeker,
    I wasn’t looking for an apology … rather a solution to the ongoing problem. I’ve been reporting on this since 2007, yet no viable solution is offered. All I see is spin and distorting the truth, or try to discredit the research… blaming Verisign is not a solution, and the truth is in my research chasing these type culprits I see a Comodo certificate most of the time …

    With that said … this is going nowhere and I’ve got better things to do …

  56. That is really quite amusing, you looking for an apology?

    You clearly completely missed my point, that you have carried out a vendetta against Comodo with absolutely no justification. Your remarks have been repeated by your followers and those who wish Comodo harm, all over the internet.

    Yet you cannot see the wrong you have done and have no intention of apologising. That is shameful in my opinion.

  57. Despite blaming some major CA, nor blogging about it doesn’t appear a solution, it comes to no surprise that *several domains* reported in this blog under the Netdirekt [as28753] range are still featuring _valid_ DV certs despite were seemingly “unseen” truth and thus not featured in any research nor article.

    Obviously if it they remain _unseen_ it would even be possible to think they never existed especially if the sites will be taken down *before* the certs could be possibly revoked.

    If those certs were *issued* was it due to poor standards like implied for some other CA?

    If they will _not_ be revoked will it mean that the “red flags” so far hinted were not something enough to warrant that?

    If those certs were not “seen” even by the most dedicated researcher could it mean that is inherently _difficult_ to spot these cases despite it was seemingly provided the opposite impression for similar cases?

    If a research/article contain a selection bias < http://en.wikipedia.org/wiki/Selection_bias > and related underreporting or overreporting how much its conclusions could be considered reliable?

    Whenever it doesn’t look like the focus has changed much, it comes at no surprise the willingness to “wait on the sidewalk” a proposal coming from the same CA involved in ethics debates with different tones.

    Obviously there are many people willing to share their expertise and gratuitously provide their consultancy though it would be rather surprising if the so far demanded and more-less focused “expectations” will be easily met.

    Apparently though *no expert* has so far taken any step to provide a “DV proposal” nor even one possibly carrying their own _ethical_ perspectives, nor one that could have been previously provided as _documented criteria_ for the “evaluated” DV certs scenarios and not strictly focused on a single CA (whereas the opposite could be interpreted as a telltale sign of bias).

  58. The fact that Comodo provides CERTS aswell as Security Software seems irrelivant. Both stand on their own. As far as trust one could fail and the other would stand.

    Singling out Comodo based on the fact that they offer both compared to other CA makes no sense.

    Quoting Verisign simply saying we have solutions to prevent malicious websites from getting certs does not necessarily make it so. Comodo also has solutions however effective they may be, same as Verisign, GoDaddy etc. EVERYTHING can be improved upon as with all other products, services and companies.

    Based on all these comments it’s been shown that Verisign, Comodo and other CA all have problems with malicious sites and i’m certain they ALL have problems with recurring CERTS.

    Showing only one side in an article such as this is merely closing your eyes to the rest of the world.

    Unless you show what other companies are doing to fix the issue (in detail) that Comodo is not then it seems rather unfair to attack Comodo and their 10% share. When maybe you should be attacking Verisign and other CAs.

  59. I would love to see this same article focusing on other CA aswell since this isn’t an isolated issue to Comodo.

    Marc

  60. And as you can see… This isn’t just to do with Comodo. Every CA is in it guys.

    This one by Verisign, found today: http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/bad_comodo_bad-t43119.0.html;msg314840#msg314840

    Rouge Registry Tool.

    MAL1, Censored Thoughs, Truthseeker and Paul. Your posts are highly appreciated. And totally agree.

    PLEASE.. Donna, or anyone else: If you find a malware site with a CA domain on there, Pls report it. Don’t blog about it and post misleading lies. This is why Melih acted so furiously, You seriously think he enjoys this crap? He doesn’t.

    Anyway the evidence is here and also on the Comodo Forums, There is no Validation for DV and all CA’s disagree to take it down. Melih tried to do it at the CABForum, But no go. 🙁 So all CA’s are forced to give out the DVs… So as long as you got a domain, who cares about validation of who you are, Just have one and give us the money. 🙂

    Comodo promotes, On their site, EXTENDED Validation much more promptly, And is MUCH more recommended and shows the green bar (EV), not the yellow padlock which lost its trust! (Again, DV).

    Cheers,
    Josh

  61. Lol, I had similiar issues with Comodo, Thats why I no longer use it.

  62. 3xist,
    re: This one by Verisign”
    Someone had already reported that and I replied here:
    http://msmvps.com/blogs/hostsnews/archive/2009/07/28/1710608.aspx#comments

    As for the rest of your comments, I still don’t see any solution being offered … just excuses, spin and childish actions by a bunch of Comodo groupies and a “CEO gone wild” that can’t stand being called out on the carpet …

    Comodo – There is nothing to defend when you take no action … blaming Verisign is not a solution. Blaming posters for exposing Comodo’s non-action is not a solution.

  63. What difference does having a security certificate make? Even having a revoked certificate, the website is still up right?

    I understand that of course, to the layman, if he sees a website that sells a fake anti virus program, but doesn’t know any better, seeing the website have a valid “Secured by Comodo” certificate would give a false sense of security, which is wrong, then he would purchase the fake program.

    It’d be great if the crooked hosting companies would stop hosting this garbage in the first place, and ICANN and all the registrars need to step up their game and do full background checks on any new websites being registered, whether for business or personal use.

    It’s pretty sad that all the fake sites out there even get registered….but it’s all about $$$$ I guess…

  64. Mike, indeed many would agree that blaming any specific CA wouldn’t appear to be a solution but it doesn’t look like you have proposed a solution either.

    Can you confirm you are aware that the CA which issued DV certs now featured by these sites you listed, is not the *same* you initially focused on?

    # [Netdirekt][95.168.163.0 – 95.168.164.255]
    127.0.0.1 aquabilling.com
    127.0.0.1 secure.aquabilling.com
    127.0.0.1 secure.bestbillingpro.com
    127.0.0.1 secure.payment-cc24.com
    127.0.0.1 pay-secure.net #[ISystem]
    127.0.0.1 safe-pay-vault.com
    127.0.0.1 webexpressbill.com
    127.0.0.1 secure.webexpressbill.com

    Should these sites be reported even if they appear legitimate at the moment?

    If you think so, would you please take the necessary steps to report them to the other CA?

    Besides what actually was the technical solution applicable to all CAs you ought to be apparently aware to the point it elicited the disappointment you focused on a single one?

    Would you thoroughly describe a solution in a separate article for reference?

    Will your solution account for the uncertainty of mismatching whois records?
    Will it assume the cooperation of ISPs at least to address the cases of virtual hosting?
    Will it be entirely focused to prevent and unambiguously identify malicious cert requests as soon as those are processed in a way it would be actually possible to _predict_ the abuses in order to *legitimately deny* those requests or will advocate a definite action based on what might only be confirmed at a later time, eventually by 3rd party reporting?

    Would you be inclined to point out also the prospected effectiveness and inherent constraints of such solution in a way nobody could possibly abuse it to put forward unwarranted criticism?

    It goes without saying that blaming a specific CA when someone knows the _outcome_ and expects the CA in question should have considered that negative outcome as *undoubtedly certain* _before_ it was confirmed, would be not much different from blaming _any other CA_ after similar issue is eventually confirmed (even the other CA whose valid certs are currently featured on the sites mentioned in this blog).

  65. @winhelp2002
    You said:
    Comodo – There is nothing to defend when you take no action … blaming Verisign is not a solution. Blaming posters for exposing Comodo’s non-action is not a solution”

    Again:
    Comodo took action and revoked the certs that was reported. Comodo also has continuous improvements which has resulted in percentage of maliciously used certificates to be a smaller %age compared to Verisign. (only if you could provide the %ages you could see it yourself..but I guess that wouldn’t be as much fun for you :))

    You claim you reported it to Verisign on 29th, 2 days on, have they revoked it yet? If not, will you blog about it? Can you pls let us know the URL for your blog for that? If not why won’t you blog? Afterall, they are repeatedly issuing to the same gang who abuse their certs and they haven’t still taken action.(again, perhaps its not as much fun as singling out Comodo?)

    At some level I am glad you are expecting Comodo deliver better standards for the whole industry as you obviously see Comodo as the Leader in the Security field and expect us to be able to deliver better security for people ahead of Verisign, Symantec. And also I am grateful that you see us in a position of leadership otherwise you wouldn’t have asked to change the industry by setting example and change the way the industry work. But once again, this DV is an industry issue with DV protocol that requires the whole industry to change. I don’t know what it takes for you to understand that?

    Melih

    PS: To summarise
    1)You didn’t know how to analyse the malware site and you totally missed that the very site you blogged against comodo had a verisign cert.
    2)You reported verisign certs but they are still not revoked.
    3)Verisign has more certs out there maliciously used than Comodo.
    4)Your friend Donna lied about why she made that statement.
    5)You had your signature in your MVP profile pointing to a malware domain over 7 month and you didn’t even know it!

    I think now that everyone knows all about you, your intention, your “capability” as a security professional and Donna, pls blog away….:)

    Melih

    PS: I hope your new MVP profile is not pointing to yet another malware domain 😉

  66. Censored Thoughs,
    re: but it doesn’t look like you have proposed a solution either”
    Why would I? … it’s not my area … you should focus those comments to Comodo.

    In my research I find Comodo’s certificates far far more than anyone else … I’ve been reporting on this issue since 2007, but Comodo just continues on as usual, blaming others, attacking the researchers, and uttering nonsense, but provides no solution.