Comodo Insecurity
Feb. 23rd, 2015 01:09 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
emgrassoWhen installing Web server and mail server software one nuisance is the need to purchase security certificates (or generate and use 'self-signed' certificates that cause annoying warnings to bbe presented to users). But we expect that the added security of and https vs. http connection is worth it.
Late last week there was news that Lenovo had been caught shipping its laptops with software installed that invalidated the security stack. Scary and annoying -- especially for anyone who has recently acquired a Lenovo laptop -- but arguably the result of greedy manufacturers being clumsy. You don't necessarily expect Lenovo to understand the fine points of the security stack, or be competent to perform adequate security audits on the crappy software they pre-install on the machines they sell.
Comodo makes a lot of money by managing one of the roots of the CA security certificate stack and selling certificates to people who need them for setting up (hopefully) secure web servers and mail servers and LDAP name and directory servers. Security certificates are (or should be) their core competence, and one would expect that they would have financial incentives for safeguarding both the integrity of the certificate and their own reputation for integrity.
There are reports that a software package called PrivDog, created by associates of Comodo and distributed by Comodo itself, does more than facilitate the possible subversion of the certificate stack, like the Lenovo app. PrivDog is reported to create a forged certificate stack on each machine where it runs that accepts all incoming certificates, thereby invalidating all certificate checking and website validation.
There are situations that elicit a WTF.
Then there are the ones where the appropriate reaction is more like "Good GOD! What were they thinking?" This is like an anti-virus company freely distributing software that turns out to disable anti-virus scanners.
Comodo does NOT have the excuse that they were dealing with something outside their area of expertise.
A few weeks ago I was looking at certificates for my sites and for a recommendation for a certificate source for my employer. I almost went with Comodo. I am very glad that I waited. The phrase "Cold day in Hell" comes to mind at this point, and not just because we've just had 3 days of snow.
The Electronic Frontier Foundation is supposed to be setting up a source of free server certificates this summer and there are a couple of other OpenSource sources for Certificates out there. I think I'm going to find out whether the EFF's "Let's Encrypt" project needs and will accept donations. Open Source is not a guarantee against bugs, but egregious problems are a bit more likely to be spotted before they get out into the wild, and I trust the EFF not to try to make a profit by corrpupting with one hand the security product they arre distributing with the other.
Late last week there was news that Lenovo had been caught shipping its laptops with software installed that invalidated the security stack. Scary and annoying -- especially for anyone who has recently acquired a Lenovo laptop -- but arguably the result of greedy manufacturers being clumsy. You don't necessarily expect Lenovo to understand the fine points of the security stack, or be competent to perform adequate security audits on the crappy software they pre-install on the machines they sell.
Comodo makes a lot of money by managing one of the roots of the CA security certificate stack and selling certificates to people who need them for setting up (hopefully) secure web servers and mail servers and LDAP name and directory servers. Security certificates are (or should be) their core competence, and one would expect that they would have financial incentives for safeguarding both the integrity of the certificate and their own reputation for integrity.
There are reports that a software package called PrivDog, created by associates of Comodo and distributed by Comodo itself, does more than facilitate the possible subversion of the certificate stack, like the Lenovo app. PrivDog is reported to create a forged certificate stack on each machine where it runs that accepts all incoming certificates, thereby invalidating all certificate checking and website validation.
There are situations that elicit a WTF.
Then there are the ones where the appropriate reaction is more like "Good GOD! What were they thinking?" This is like an anti-virus company freely distributing software that turns out to disable anti-virus scanners.
Comodo does NOT have the excuse that they were dealing with something outside their area of expertise.
A few weeks ago I was looking at certificates for my sites and for a recommendation for a certificate source for my employer. I almost went with Comodo. I am very glad that I waited. The phrase "Cold day in Hell" comes to mind at this point, and not just because we've just had 3 days of snow.
The Electronic Frontier Foundation is supposed to be setting up a source of free server certificates this summer and there are a couple of other OpenSource sources for Certificates out there. I think I'm going to find out whether the EFF's "Let's Encrypt" project needs and will accept donations. Open Source is not a guarantee against bugs, but egregious problems are a bit more likely to be spotted before they get out into the wild, and I trust the EFF not to try to make a profit by corrpupting with one hand the security product they arre distributing with the other.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2015-03-02 02:12 am (UTC)