For most of this month there has been a discussion over the business practices of Comodo, the company who along with free security software offers SSL certificates for online businesses. The discussion is not that they offer SSL certificates, it is that they offer them to criminals as well as legit businesses, with little to no checks during the process or once the certificate is in place. Most were unhappy that it took Comodo so long to respond to the issue itself.
Mike Burgess, sometimes known as MVP Mike, started a normal day in April by checking out some sites listed on Dancho Danchev’s blog. The sites that were listed on Danvhev’s blog were known to be malicious, so Burgess looked them over and discovered that the checkout systems were using Comodo SSL.
He reported the domains selling Rogue anti-Virus software, some including Malware, to Comodo back in April. Earlier this month, Comodo responded that the email was buried, apologizing for the delay, but informed him that the SSL certificates for the reported domains were revoked. Mike blogged about it, and conversations on several forums started spitting fire at the company.
Most of the comments center not on the fact that criminals use SSL to attempt to look legit and fool people into handing over cash and information in exchange for Malware, but that Comodo took entirely too long, in some opinions, to act on the reports.
Comodo President and CEO, Melih Abdulhayoglu, said that, “Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs which caused likes of Comodo to offer it as well. If we didn't we would lose customer and the world would have no chance of fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.”
Adding to his comments he offered that DV certificates should not exist in his opinion, “Encrypting data for a recipient you have not verified is stupid at best!”
The ten thousand dollar question, which no one asked of Mr. Abdulhayoglu, was why Comodo offers DV certificates free for 90-days.
“A free SSL certificate will secure your site and begin building trust,” Comodo’s site states, adding that a free SSL certificate is, “the same as our paid Essential SSL” They even promise no, “faxes, no paperwork and no delays - get the golden padlock within minutes and be ready to sell online.” How is this not making an offer to encrypt data for a recipient you have not verified?
For the record, here is a current customer, selling Rogue anti-Virus, the domain is fastantivirus09 .com (Note: This site is malicious, do not visit it. Original details of this Comodo customer are thanks to MVP Mike. His post on them is here.)
In addition to the slow removal of criminal certifications, there is another issue that was debated, disclosure. The response from Comodo to Mike Burgess said his initial warning was buried.
Later, Mr. Abdulhayoglu stated, “He doesn't claim that he sent an email to us to inform us before he went public. To my knowledge we haven't received any emails from him or emails from Dancho Danchev's site. We found these out after they went public.”
“So people claiming that we should have acted sooner: Well we did! But it seems as the bloggers were eager to write their blogs without informing us about it. So the question should be the ethics of publishing these kind of material without informing the security vendors in the first place.”
In actuality, the times and dates on the email response from Comodo, where they apologized for not answering sooner, show it was sent before the issue was blogged about. You can see them here and more information here.
“You question my ethics? ... It wasn't my intent to get into a [pissing] contest with these people but whose ethics are in question here? ... Mine for publicly reporting this or Comodo's for a continuing practice of issuing/selling certificates to questionable characters...,” Burgess responded.
Burgess has a simple solution, check the domains using the SSL certificates, if they are malicious, then block them. Easier said than done sure, but as long as there is a response mechanism in place, then this shouldn’t be an issue.
Again, criminals using SSL is nothing new, but security companies mismanaging communications reporting suspicious activities (as is the apparent case for Comodo’s email from Mike), and taking almost a month to revoke the certificate has to change. The excuse that everyone else does it, so we do it too else we lose business, is weak at best.
Since VeriSign was mentioned by name, we asked them to comment on this story. A spokesperson told us, “RapidSSL, Thawte, and GeoTrust are the only brands VeriSign issues DV certificates from.”
When asked if they can revoke at will if someone reports a malicious domain using their certificates, or if one of their resellers issued a certificate to a malicious domain, we were told, “Yes, we can revoke a cert whenever we want. But more importantly we have a high standard of checks & balances to make sure we do not issue certificates to bad sites in the first place.”
“The system we have in place automatically rejects obviously fraudulent sites and kicks anything questionable to a manual approval. And if anyone flags a site as malicious, we have a team that investigates these and revokes the certificate if found to be malicious/fraudulent.”
Jay Schiavo, Product Manager at VeriSign, mirrored that thought by adding, “For GeoTrust and RapidSSL we have the ability to revoke a cert issued to a malicious or rogue site instantaneously. The cert will then show up on our CRLs immediately."
They also mention that if criminals are using the GeoTrust name on malicious sites, and they have not discovered them, anyone can email [email protected], if it is a VeriSign SSL cert being abused, the reporting address is, [email protected].