• Dear Comodo: You gave WHAT to WHOM?

    #57081

    The Comodogate problem stinks, and not just for the reasons you already know. InfoWorld Tech Watch. (Update: this article has just been Slashdotted.)
    [See the full post at: Dear Comodo: You gave WHAT to WHOM?]

    • #57082

      Woody,
      “take over DNS infrastructure” – well, if you are the government, I’d say you can do it for your country, right? And that’s the point – to easily spy on your own people. Why bother asking Google to hand over the mails of someone? That person will give you full access as soon as he logs in. Pretty scary.

    • #57083

      @ado –

      Yes, you can. But that’s not the only way to use the SSL certs…

    • #57084

      Well, Woody, it’s another black eye to Comodo and their reputation. I keep away from using any of Comodo’s security software.

    • #57085

      First, let me point out that none of this controversy over Certificates is about the security or reliability of Comodo’s Internet Security or Firewall products. Entirely different stuff, and a different division of the company.

      Comodo has been doing secure DNS services for a few years now, and I think they got their hands on Certificate issuing by buying another company which was an established Certificates Registrar before Comodo acquired them. I could be wrong about this.

      Rightly or wrongly, I do trust the Comodo Firewall, and Defense Plus, at least on my Windows XP laptop. I also do use the included Comodo DNS Service on my Windows XP laptop, and I have been saved from more than a few rogue sites and drive-by downloads when Comodo DNS either blocked sites, or warned that “something is not right here” (invalid certificates, etc.). So the basic Comodo security infrastructure seems to me to be working very well.

      What is lacking is adequate controls over who issues Security Certificates, and to whom. There seems to be no International Standards Bureau, or whatever, to regulate and enforce the process. And revoking Certificates via browser version updates and security patches? Give me a break!! (BTW, when the MS-IE patch does come out, will we get to apply it without applying the other outstanding March MS Updates?)

      My point about the process is that it is not Comodo’s fault, and I slightly resent Comodo being singled out for criticism. Hasn’t this sort of thing happened to Thawte, or other issuers of Certificates (and did they fail to notify anyone)? Is Comodo uniquely negligent, or is it the entire process which should be criticized and changed? And finally, does anyone have a better, concrete idea of how to manage the myriads of Certificate requests which are made in the average year? There’s a LOT of “secure” web sites out there! And a lot of Certificate issuers. Too many issuers.

      If Microsoft’s own Certificates ever became compromised, would we ever be told? I doubt it!

      So now that I know all of this, how do I determine that I really am at my bank’s secure log-in page? And that this page is actually really secure?

    • #57086

      @RC –

      Absolutely true, this has nothing to do with Comodo products. It’s a major screw-up with Comodo’s control over the issuance of SSL certs.

      On the other hand, I disagree about this being Comodo’s fault. They’re being trusted to provide a service – an expensive service – and in this particular case they failed miserably. The process is flawed, yes. But Comodo has been uniquely remiss in this case.

      IF MS’s certs were compromised, we probably would find out about it because the certs would have to be withdrawn with all of the major browser manufacturers – and somebody would, no doubt, spill the beans.
