Controversies Comodo Group









Controversies
Symantec

In response to Symantec's comment on the effectiveness of free antivirus software, on September 18, 2010, the CEO of Comodo Group challenged Symantec to see which products can defend the consumer better against malware. GCN's John Breeden understood Comodo's stance on free antivirus software and on challenging Symantec: "This is a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact, you have to go way back to 2006 to find an AV roundup where viruses were missed by companies."


Symantec responded by saying that if Comodo is interested, it should have its product included in tests by independent reviewers.


Comodo volunteered for a Symantec vs. Comodo independent review. Though the showdown did not take place, Comodo has since been included in multiple independent reviews by AV-Test, PC World, Best Antivirus Reviews, AV-Comparatives, and PC Mag.


Certificate hacking

On March 23, 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued 9 certificate signing requests. 9 certificates for 7 domains were issued. The attack was traced to IP address 212.95.136.18, which originates in Tehran, Iran. Though the firm reported that the breach was the result of a state-driven attack, it subsequently stated that the origin of the attack may be the result of an attacker attempting to lay a false trail.


The attack was thwarted, with Comodo revoking the bogus certificates. Comodo stated that it was actively looking into ways to improve the security of its affiliates.


In an update on March 31, 2011, Comodo stated that it had detected and thwarted an intrusion into a reseller user account on March 26, 2011. The new controls implemented by Comodo following the incident on March 15, 2011, removed the risk of fraudulent issue of certificates. Comodo believed the attack was by the same perpetrator as the incident on March 15, 2011.


In regards to the second incident, Comodo stated, "Our CA infrastructure was not compromised. Our keys in our HSMs were not compromised. No certificates have been fraudulently issued. The attempt to fraudulently access the certificate ordering platform to issue a certificate failed."


On March 26, 2011, a person under the username "ComodoHacker" made several posts to Pastebin.com claiming to be an Iranian responsible for the attacks.


Such issues have been reported, and have led to criticism of how certificates are issued and revoked. As of 2016, the certificates remain revoked. Microsoft issued a security advisory and an update to address the issue at the time of the event.


Such attacks are not unique to Comodo. The specifics vary from CA to CA and from RA to RA, but there are many of these entities, trusted by default, and further holes are deemed inevitable.


Association with PrivDog

In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising.


PrivDog issued a statement on February 23, 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a small number of users. The potential issue is present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. There are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish....The potential issue has been corrected. There will be an update tomorrow which will automatically update the 57,568 users of these specific PrivDog versions."


Certificates issued to known malware

In 2009, Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware.


Comodo responded when notified and revoked the issued certificates, which contained the rogue malware.


Chromodo browser, ACL, no ASLR, VNC weak authentication

In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy.


The vulnerability wasn't in the browser itself, which was based on the open-source code behind Google's Chrome browser. Rather, the issue was with an add-on. Comodo became aware of the issue in February 2016, and the company released a statement and a fix: "As an industry, software in general is being updated, patched, fixed, addressed, improved - it goes hand in hand with the development cycle...What is critical in software development is how companies address an issue if a vulnerability is found - ensuring it never puts the customer at risk." Those using Chromodo received an update. The Chromodo browser was subsequently discontinued by Comodo.


Ormandy noted that Comodo received an "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy is of the opinion that Verizon's certification methodology is at fault here.


Let's Encrypt trademark registration application

In October 2015, Comodo applied for "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt Comodo" trademarks. These trademark applications were filed a year after the Internet Security Research Group, the parent organization of Let's Encrypt, started using the name Let's Encrypt publicly in November 2014, and despite the fact that Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand.


On June 24, 2016, Comodo publicly posted in its forum that it had filed for express abandonment of its trademark applications.


Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."


Dangling markup injection vulnerability

On July 25, 2016, Matthew Bryant showed that Comodo's website was vulnerable to dangling markup injection attacks and could send emails to system administrators from Comodo's servers to approve a wildcard certificate issue request, which can be used to issue arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product.


Bryant reached out in June 2016, and on July 25, 2016, Comodo's Chief Technical Officer Robin Alden confirmed that a fix had been put in place, within the responsible disclosure date per industry standards.







