Jump to content

Comodo Cybersecurity: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
WikiGopi (talk | contribs)
m Products: Product inclusion
Reverting edit(s) by 94.233.248.31 (talk) to rev. 1255348005 by Aicte.david: Non-constructive edit (UV 0.1.6)
 
(25 intermediate revisions by 16 users not shown)
Line 1: Line 1:
{{Short description|Software company in United Kingdom}}
{{Short description|Software company in United Kingdom}}
{{Use dmy dates|date=June 2019}}
{{Use dmy dates|date=June 2019}}
{{Tone|date=July 2024}}
{{Infobox company
{{Infobox company
| name = Xcitium
| name = Xcitium
Line 17: Line 18:
}}
}}


'''Comodo Security Solutions, Inc.''', is a [[cybersecurity]] company headquartered in [[Bloomfield, New Jersey]]. Under the brand '''Sectigo''', the company acts as a web [[Certificate authority]] (CA) and issues [[SSL/TLS]] certificates.
'''Xcitium''', formerly known as '''Comodo Security Solutions, Inc.''',<ref>{{cite web |last=Snider |first=Shane |date=23 August 2022 |url=https://www.crn.com/news/security/xcitium-exec-msps-can-protect-smb-security-vulnerabilities |title=Xcitium Exec: 'Mom-And-Pop' Ransomware Actors Are Going After SMBs |website=[[CRN (magazine)|CRN]]}}</ref> is a [[cybersecurity]] company headquartered in [[Bloomfield, New Jersey]].


==History==
==History==
The company was founded in 1998 in the [[United Kingdom]]<ref name="ukfounding">{{cite news|url=http://www.thetelegraphandargus.co.uk/news/11449076.Global_internet_security_firm_s_Bradford_roots/|title=How US entrepreneur's global internet security firm started life in Bradford|date=3 September 2014|access-date=3 September 2014|newspaper=Telegraph & Argus}}</ref> by [[Melih Abdulhayoğlu]]. The company relocated to the [[United States]] in 2004. Its products are focused on computer and internet security. The firm operates a [[certificate authority]] that issues [[SSL Certificates|SSL certificates]]. The company also helped on setting standards by contributing to the [[IETF]] (Internet Engineering Task Force) [[DNS Certification Authority Authorization]] (CAA) Resource Record.<ref>{{cite journal|url=https://tools.ietf.org/html/rfc6844|title=DNS Certification Authority Authorization – Comodo |year=2013 |doi=10.17487/RFC6844 |access-date=14 January 2013|last1=Hallam-Baker |first1=P. |last2=Stradling |first2=R. |s2cid=46132708 }}</ref>
The company was founded in 1998 in the [[United Kingdom]]<ref name="ukfounding">{{cite news|url=http://www.thetelegraphandargus.co.uk/news/11449076.Global_internet_security_firm_s_Bradford_roots/|title=How US entrepreneur's global internet security firm started life in Bradford|date=3 September 2014|access-date=3 September 2014|newspaper=Telegraph & Argus}}</ref> by [[Melih Abdulhayoğlu]]. The company relocated to the [[United States]] in 2004. Its products are focused on computer and internet security. The firm operates a [[certificate authority]] that issues [[SSL Certificates|SSL certificates]]. The company also helped on setting standards by contributing to the [[IETF]] (Internet Engineering Task Force) [[DNS Certification Authority Authorization]] (CAA) Resource Record.<ref>{{cite web|url=https://tools.ietf.org/html/rfc6844|title=DNS Certification Authority Authorization – Comodo |year=2013 |doi=10.17487/RFC6844 |access-date=14 January 2013|last1=Hallam-Baker |first1=P. |last2=Stradling |first2=R. |s2cid=46132708 |doi-access=free}}</ref>


In October 2017, [[Francisco Partners]] acquired Comodo Certification Authority (Comodo CA) from Comodo Security Solutions, Inc. Francisco Partners rebranded Comodo CA in November 2018 to Sectigo. The change in name came less than a year after Comodo CA was acquired by [[Francisco Partners]].<ref>{{Cite web|url=https://www.securityweek.com/francisco-partners-acquires-comodo-ca|title=Comodo Sells Certificate Business to Private Equity Firm {{!}} SecurityWeek.Com|website=www.securityweek.com|access-date=2019-10-29}}</ref><ref>{{Cite web|url=https://www.enterprisetimes.co.uk/2018/11/02/comodo-ca-becomes-sectigo-and-expands-to-cover-iot/|title=Comodo CA becomes Sectigo and expands to cover IoT -|last=Murphy|first=Ian|date=2018-11-02|website=Enterprise Times|language=en-GB|access-date=2019-11-21}}</ref>
In October 2017, [[Francisco Partners]] acquired Comodo Certification Authority (Comodo CA) from Comodo Security Solutions, Inc. Francisco Partners rebranded Comodo CA in November 2018 to Sectigo.<ref>{{Cite web|url=https://www.securityweek.com/francisco-partners-acquires-comodo-ca|title=Comodo Sells Certificate Business to Private Equity Firm {{!}} SecurityWeek.Com|website=www.securityweek.com|date=31 October 2017 |access-date=2019-10-29}}</ref><ref>{{Cite web|url=https://www.enterprisetimes.co.uk/2018/11/02/comodo-ca-becomes-sectigo-and-expands-to-cover-iot/|title=Comodo CA becomes Sectigo and expands to cover IoT -|last=Murphy|first=Ian|date=2018-11-02|website=Enterprise Times|language=en-GB|access-date=2019-11-21}}</ref>


On June 28, 2018, the new organization announced that it was expanding from TLS/SSL certificates into IoT security with the announcement of its IoT device security platform.<ref>{{Cite web|url=https://betanews.com/2018/06/28/comodo-iot-security/|title=Comodo CA launches IoT security platform|date=2018-06-28|website=BetaNews|language=en|access-date=2019-10-29}}</ref> The company announced its new headquarters in [[Roseland, New Jersey]] on July 3, 2018<ref>{{Cite web|url=https://njbiz.com/comodo-ca-global-hq-coming-to-roseland/|title=Comodo CA global HQ coming to Roseland|last=Perry|first=Jessica|date=2018-07-03|website=NJBIZ|language=en-US|access-date=2019-10-29}}</ref> and its acquisition of CodeGuard, a website maintenance and disaster recovery company, on August 16, 2018.<ref>{{Cite web|url=https://www.crn.com/news/security/comodo-ca-buys-website-disaster-recovery-startup-codeguard|title=Comodo CA Buys Website Disaster Recovery Startup CodeGuard|last=Novinson|first=Michael|date=2018-08-16|website=CRN|access-date=2019-10-29}}</ref>
On June 28, 2018, the new organization announced that it was expanding from TLS/SSL certificates into IoT security with the announcement of its IoT device security platform.<ref>{{Cite web|url=https://betanews.com/2018/06/28/comodo-iot-security/|title=Comodo CA launches IoT security platform|date=2018-06-28|website=BetaNews|language=en|access-date=2019-10-29}}</ref> The company announced its new headquarters in [[Roseland, New Jersey]] on July 3, 2018<ref>{{Cite web|url=https://njbiz.com/comodo-ca-global-hq-coming-to-roseland/|title=Comodo CA global HQ coming to Roseland|last=Perry|first=Jessica|date=2018-07-03|website=NJBIZ|language=en-US|access-date=2019-10-29}}</ref> and its acquisition of CodeGuard, a website maintenance and disaster recovery company, on August 16, 2018.<ref>{{Cite web|url=https://www.crn.com/news/security/comodo-ca-buys-website-disaster-recovery-startup-codeguard|title=Comodo CA Buys Website Disaster Recovery Startup CodeGuard|last=Novinson|first=Michael|date=2018-08-16|website=CRN|access-date=2019-10-29}}</ref>


On June 29, 2020, Comodo announced their strategic partnership with the company CyberSecOp.<ref>{{Cite press release|last=Cybersecurity|first=Comodo|title=Comodo and CyberSecOp Announce Strategic Partnership after Award-Winning MSSP Dropped Leading Competitor|url=https://www.prnewswire.com/news-releases/comodo-and-cybersecop-announce-strategic-partnership-after-award-winning-mssp-dropped-leading-competitor-301085203.html|access-date=2020-11-01|website=www.prnewswire.com|language=en}}</ref> The firm has partnered with Comodo in the past, and seeks to provide a range of cybersecurity products and consulting services.
On June 29, 2020, Comodo announced their strategic partnership with the company CyberSecOp.{{cn||date=May 2024}} The firm has partnered with Comodo in the past, and seeks to provide a range of cybersecurity products and consulting services.


==Companies==
==Companies==
* '''Comodo CA Limited (Sectigo)''': Based in the [[City of Salford]], [[Greater Manchester]], UK,<ref>{{cite web|url=https://www.comodo.com/contact-comodo/contact-us.php?key5sk0=2128&key5sk1=b80c454519459017187cf9cada5815e5414f518c|title=Comodo – Contact Us}}</ref> is a digital certificate authority that issues SSL and other digital certificates. In November 2018, Francisco Partners announced that Comodo Certificate Authority (Comodo CA) is rebranding as Sectigo.<ref>{{cite news |url=https://www.thesslstore.com/blog/comodo-ca-changes-its-name-to-sectigo/ |title=Comodo CA changes its name to Sectigo |date=1 November 2018 |first=Patrick |last=Nohe}}</ref><ref>{{cite news |url=https://www.prnewswire.com/news-releases/comodo-ca-rebrands-as-sectigo-300741808.html |title=Comodo CA Rebrands as Sectigo |date=1 November 2018}}</ref>
* Comodo CA Limited (Sectigo): Based in the [[City of Salford]], [[Greater Manchester]], UK,<ref>{{cite web|url=https://www.comodo.com/contact-comodo/contact-us.php?key5sk0=2128&key5sk1=b80c454519459017187cf9cada5815e5414f518c|title=Comodo – Contact Us}}</ref> is a digital certificate authority that issues SSL and other digital certificates. In November 2018, Francisco Partners announced that Comodo Certificate Authority (Comodo CA) is rebranding as Sectigo.<ref>{{Cite web |title=Comodo CA Rebrands as Sectigo |url=https://www.sectigo.com/resource-library/comodo-ca-rebrands-as-sectigo |access-date=2024-06-18 |website=Sectigo® Official |language=en-US}}</ref>
* '''Comodo Security Solutions, Inc''': Based in Clifton, New Jersey, US, develops security software for commercial and consumer use.<ref>{{cite web|url=https://www.icsalabs.com/vendor/comodo-security-solutions-inc|title=Comodo Security Solutions, Inc.|work=Icsalabs.com|access-date=30 March 2015}}</ref>
* Comodo Security Solutions, Inc: Based in Clifton, New Jersey, US, develops security software for commercial and consumer use.<ref>{{cite web|url=https://www.icsalabs.com/vendor/comodo-security-solutions-inc|title=Comodo Security Solutions, Inc.|work=Icsalabs.com|access-date=30 March 2015}}</ref>
* '''[[DNS.com]]''': Based in [[Louisville, Kentucky]], US, the company provides managed DNS services.<ref>{{cite web|url=http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|title=Domainers Magazine – DNS.com : The Next Geo-Targeting Solution – Jul–Aug (Issue 22)|author=Joe Callan|work=Domainersmagazine.com|access-date=30 March 2015|url-status=dead|archive-url=https://web.archive.org/web/20150412125418/http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|archive-date=12 April 2015}}</ref>
* [[DNS.com]]: Based in [[Louisville, Kentucky]], US, the company provides managed DNS services.<ref>{{cite web|url=http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|title=Domainers Magazine – DNS.com : The Next Geo-Targeting Solution – Jul–Aug (Issue 22)|author=Joe Callan|work=Domainersmagazine.com|access-date=30 March 2015|url-status=dead|archive-url=https://web.archive.org/web/20150412125418/http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|archive-date=12 April 2015}}</ref>


== Industry affiliations ==
== Industry affiliations ==
Line 49: Line 50:


==Controversies==
==Controversies==

===LinkedIn===
After a competitor commented on a Comodo employee posting that Comodo "stops all malware", the company CEO aggressively engaged on LinkedIn, such as insinuating that commenters were not qualified to work in cybersecurity, and replying to the majority of posts that the competitor's CEO was the one who "started it".<ref>{{Cite web|url=https://www.linkedin.com/feed/update/urn:li:activity:6964057482969157632/ |title=LinkedIn}}</ref>


===Symantec===
===Symantec===
In response to [[NortonLifeLock|Symantec]]'s comment asserting paid [[Antivirus software|antivirus]] is superior to free antivirus, the CEO of Comodo Group challenged Symantec on 18 September 2010 to see whether paid or free products can better defend the consumer against [[malware]].<ref>{{cite web
In response to [[NortonLifeLock|Symantec]]'s comment asserting paid [[Antivirus software|antivirus]] is superior to free antivirus, the CEO of Comodo Group, [[Melih Abdulhayoğlu]] had challenged Symantec on 18 September 2010 to see whether paid or free products can better defend the consumer against [[malware]].<ref>{{cite web
|url = http://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/
|url = http://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/
|title = Challenge to Symantec from Comodo CEO
|title = Challenge to Symantec from Comodo CEO
Line 66: Line 64:
|archive-date = 25 January 2011
|archive-date = 25 January 2011
|url-status = dead
|url-status = dead
}}</ref> GCN'S John Breeden understood Comodo's stance on free Antivirus software and challenging Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies."<ref>{{Cite web|url=https://gcn.com/articles/2010/09/27/antivirus-paid-vs-free.aspx |title=Is free virus protection inferior? | author=John Breeden II |work=gcn.com |access-date=23 December 2016}}</ref>
}}</ref> GCN'S John Breeden understood Comodo's stance on free Antivirus software and challenging Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies."<ref>{{Cite web|url=https://gcn.com/articles/2010/09/27/antivirus-paid-vs-free.aspx |title=Is free virus protection inferior? | author=John Breeden II |work=gcn.com |date=27 September 2010 |access-date=23 December 2016}}</ref>


Symantec responded saying that if Comodo is interested they should have their product included in tests by independent reviewers.<ref>{{cite news
Symantec responded saying that if Comodo is interested they should have their product included in tests by independent reviewers.<ref>{{cite news
Line 79: Line 77:
}}</ref>
}}</ref>


Comodo volunteered to a Symantec vs. Comodo independent review.<ref>{{Cite web|url=https://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/ |title=Challenge to Symantec from Comodo CEO! |access-date=23 December 2016}}</ref> Though this showdown did not take place, Comodo has since been included in multiple independent reviews with AV-Test,<ref>{{Cite web|url=http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html| title=AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware | author=Ms. Smith|work=www.networkworld.com |access-date=23 December 2016}}</ref> PC World,<ref>{{cite web |url=http://www.pcworld.com/article/170640/comodo_internet_security.html |title=Comodo Internet Security Free Antivirus Software |author=Erik Larkin |work=www.pcworld.com |date=24 August 2009 |access-date=23 December 2016}}</ref> Best Antivirus Reviews,<ref>{{cite web |url=https://bestantivirus.reviews/review/comodo |title=Comodo 2016 Review: Malware Protection & Online Security |author=Daniele P. |work=www.bestantivirus.com |access-date=23 December 2016 |archive-url=https://web.archive.org/web/20161228233750/https://bestantivirus.reviews/review/comodo |archive-date=28 December 2016 |url-status=dead }}</ref> AV-Comparatives,<ref>{{Cite web|url=https://www.av-comparatives.org/av-vendors/ |title=Independent Tests of Anti-Virus Software |work=www.av-comparatives.org |access-date=23 December 2016}}</ref> and PC Mag.<ref>{{Cite web|url=https://www.pcmag.com/article2/0.2817.2388652.00.asp |title=The Best Free Antivirus Protection of 2016| author=Neil P. Rubenking |work=www.pcmag.com |access-date=23 December 2016}}</ref>
Comodo volunteered to a Symantec vs. Comodo independent review.<ref>{{Cite web |url=https://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/ |title=Challenge to Symantec from Comodo CEO! |access-date=23 December 2016 |archive-date=15 August 2016 |archive-url=https://web.archive.org/web/20160815054509/http://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/ |url-status=dead }}</ref> Though this showdown did not take place, Comodo has since been included in multiple independent reviews with AV-Test,<ref>{{Cite web|url=http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html|archive-url=https://web.archive.org/web/20151007235204/http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html|url-status=dead|archive-date=7 October 2015| title=AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware | author=Ms. Smith|work=www.networkworld.com |access-date=23 December 2016}}</ref> PC World,<ref>{{cite web |url=http://www.pcworld.com/article/170640/comodo_internet_security.html |title=Comodo Internet Security Free Antivirus Software |author=Erik Larkin |work=www.pcworld.com |date=24 August 2009 |access-date=23 December 2016}}</ref> Best Antivirus Reviews,<ref>{{cite web |url=https://bestantivirus.reviews/review/comodo |title=Comodo 2016 Review: Malware Protection & Online Security |author=Daniele P. |work=www.bestantivirus.com |access-date=23 December 2016 |archive-url=https://web.archive.org/web/20161228233750/https://bestantivirus.reviews/review/comodo |archive-date=28 December 2016 |url-status=dead }}</ref> AV-Comparatives,<ref>{{Cite web|url=https://www.av-comparatives.org/av-vendors/ |title=Independent Tests of Anti-Virus Software |work=www.av-comparatives.org |access-date=23 December 2016}}</ref> and PC Mag.<ref>{{Cite web |url=https://www.pcmag.com/article2/0.2817.2388652.00.asp |title=The Best Free Antivirus Protection of 2016 |author=Neil P. Rubenking |work=www.pcmag.com |access-date=23 December 2016 }}{{Dead link|date=December 2023 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>


===Certificate hacking {{anchor|2011 breach incident}}===
===Certificate hacking {{anchor|2011 breach incident}}===
On 23 March 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued nine [[certificate signing request]]s.<ref name="comodo inc1">{{cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Report of incident on 15-MAR-2011: Update 31-MAR-2011 |publisher=Comodo group |access-date=24 March 2011 }}</ref> Nine certificates for seven domains were issued.<ref name="comodo inc1"/> The attack was traced to IP address 212.95.136.18, which originates in Tehran, Iran.<ref name="comodo inc1"/> [[Moxie Marlinspike]] analyzed the [[IP address]] on his website the next day and found it to have [[English language|English]] localization.<ref name=":0">{{Cite web|title=DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity - YouTube|url=https://www.youtube.com/watch?v=UawS3_iuHoA |archive-url=https://ghostarchive.org/varchive/youtube/20211213/UawS3_iuHoA |archive-date=2021-12-13 |url-status=live|access-date=2021-01-13|website=www.youtube.com}}{{cbignore}}</ref> Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the origin of the attack may be the "result of an attacker attempting to lay a false trail.".<ref name="comodo inc1"/><ref name="comodo blog1">{{cite web|title=The Recent RA Compromise|url=http://blog.comodo.com/it-security/data-security/the-recent-ca-compromise/|first=Phillip|last= Hallam-Baker|date=23 March 2011 |access-date=24 March 2011|publisher=Comodo Blog}}</ref>
On 23 March 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued nine [[certificate signing request]]s.<ref name="comodo inc1">{{cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Report of incident on 15-MAR-2011: Update 31-MAR-2011 |publisher=Comodo group |access-date=24 March 2011 }}</ref> Nine certificates for seven domains were issued.<ref name="comodo inc1"/> The attack was traced to IP address 212.95.136.18, which originates in [[Tehran]], Iran.<ref name="comodo inc1"/> [[Moxie Marlinspike]] analyzed the [[IP address]] on his website the next day and found it to have [[English language|English]] localization and Windows operating system.<ref name=":0">{{Cite web|title=DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity - YouTube|url=https://www.youtube.com/watch?v=UawS3_iuHoA |archive-url=https://ghostarchive.org/varchive/youtube/20211213/UawS3_iuHoA |archive-date=2021-12-13 |url-status=live|access-date=2021-01-13|website=www.youtube.com| date=2 November 2013 }}{{cbignore}}</ref> Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the origin of the attack may be the "result of an attacker attempting to lay a false trail.".<ref name="comodo inc1"/><ref name="comodo blog1">{{cite web|title=The Recent RA Compromise|url=http://blog.comodo.com/it-security/data-security/the-recent-ca-compromise/|first=Phillip|last=Hallam-Baker|date=23 March 2011|access-date=24 March 2011|publisher=Comodo Blog}}{{Dead link|date=December 2023 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>


The attack was immediately thwarted, with Comodo revoking all of the bogus certificates. Comodo also stated that it was actively looking into ways to improve the security of its affiliates.<ref>{{Cite news|url=https://www.bbc.com/news/technology-12847072 |title=Iran accused in 'dire' net security attack |work=BBC News |date=24 March 2011 |access-date=23 December 2016}}</ref>
Comodo revoked all of the bogus certificates shortly after the breach was discovered. Comodo also stated that it was actively looking into ways to improve the security of its affiliates.<ref>{{Cite news|url=https://www.bbc.com/news/technology-12847072 |title=Iran accused in 'dire' net security attack |work=BBC News |date=24 March 2011 |access-date=23 December 2016}}</ref>


In an update on 31 March 2011, Comodo stated that it detected and thwarted an intrusion into a reseller user account on 26 March 2011. The new controls implemented by Comodo following the incident on 15 March 2011, removed any risk of the fraudulent issue of certificates. Comodo believed the attack was from the same perpetrator as the incident on 15 March 2011.<ref>{{Cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Update 31-MAR-2011 |access-date=23 December 2016}}</ref>
In an update on 31 March 2011, Comodo stated that it detected and thwarted an intrusion into a reseller user account on 26 March 2011. The new controls implemented by Comodo following the incident on 15 March 2011, removed any risk of the fraudulent issue of certificates. Comodo believed the attack was from the same perpetrator as the incident on 15 March 2011.<ref>{{Cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Update 31-MAR-2011 |access-date=23 December 2016}}</ref>
Line 118: Line 116:
For Comodo's lacking response on the issue computer security researcher [[Moxie Marlinspike]] called the whole event extremely embarrassing for Comodo and rethinking [[Secure Sockets Layer|SSL]] security. It was also implied that the attacker followed an online video tutorial and searched for basic [[opsec]]<ref name=":0" />
For Comodo's lacking response on the issue computer security researcher [[Moxie Marlinspike]] called the whole event extremely embarrassing for Comodo and rethinking [[Secure Sockets Layer|SSL]] security. It was also implied that the attacker followed an online video tutorial and searched for basic [[opsec]]<ref name=":0" />


Such attacks are not unique to Comodo – the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable.<ref>{{Cite web|url=https://www.wired.com/2011/03/comodo_hack/ |title=Independent Iranian Hacker Claims Responsibility for Comodo Hack |access-date=23 December 2016}}</ref>
Such attacks are not unique to Comodo – the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable.<ref>{{Cite magazine |date=2011-03-28 |title=Independent Iranian Hacker Claims Responsibility for Comodo Hack |url=https://www.wired.com/2011/03/comodo_hack/ |archive-url=https://web.archive.org/web/20160324172823/https://www.wired.com/2011/03/comodo_hack/ |archive-date=2016-03-24 |access-date=23 December 2016 |magazine=Wired}}</ref>


=== Association with PrivDog ===
=== Association with PrivDog ===
In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising.<ref>http://www.pcworld.com/article/2887632/secure-advertising-tool-privdog-compromises-https-security.html |title=PrivDog Security Advisory (Threat level: LOW) |accessdate=30 December 2016</ref>
In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising.<ref>{{Cite magazine|last=Constantin|first=Lucian|url=http://www.pcworld.com/article/2887632/secure-advertising-tool-privdog-compromises-https-security.html |title=Worse than Superfish? Comodo-affiliated PrivDog compromises web security too|accessdate=24 July 2024|magazine=[[PC World]]}}</ref>


PrivDog issued a statement on 23 February 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users. This potential issue is only present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. there are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish....The potential issue has already been corrected. There will be an update tomorrow which will automatically update all 57,568 users of these specific PrivDog versions."<ref>{{Cite web |url=http://privdog.com/advisory.htm |title=PrivDog Security Advisory (Threat level: LOW) |access-date=23 December 2016 }}{{Dead link|date=November 2019 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>
PrivDog issued a statement on 23 February 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users. This potential issue is only present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. there are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish....The potential issue has already been corrected. There will be an update tomorrow which will automatically update all 57,568 users of these specific PrivDog versions."<ref>{{Cite web |url=http://privdog.com/advisory.htm |title=PrivDog Security Advisory (Threat level: LOW) |access-date=23 December 2016 }}{{Dead link|date=November 2019 |bot=InternetArchiveBot |fix-attempted=yes }}</ref>
Line 131: Line 129:
In January 2016, [[Tavis Ormandy]] reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the [[same-origin policy]].<ref>https://code.google.com/p/google-security-research/issues/detail?id=704 |title=Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security</ref>
In January 2016, [[Tavis Ormandy]] reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the [[same-origin policy]].<ref>https://code.google.com/p/google-security-research/issues/detail?id=704 |title=Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security</ref>


The vulnerability wasn't in the browser itself, which was based on the open-source code behind Google's Chrome browser. Rather, the issue was with an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk." Those using Chromodo immediately received an update.<ref>{{Cite web|url=http://www.pcworld.com/article/3029690/security/comodo-to-fix-major-flaw-in-knock-off-chrome-browser.html |title=Comodo will fix major flaw in knock-off Chrome browser |date=4 February 2016 |access-date=23 December 2016}}</ref> The Chromodo browser was subsequently discontinued by Comodo.
The vulnerability wasn't in the browser itself. Rather, the issue was with an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk." Those using Chromodo immediately received an update.<ref>{{Cite web|url=http://www.pcworld.com/article/3029690/security/comodo-to-fix-major-flaw-in-knock-off-chrome-browser.html |title=Comodo will fix major flaw in knock-off Chrome browser |date=4 February 2016 |access-date=23 December 2016}}</ref> The Chromodo browser was subsequently discontinued by Comodo.


Ormandy noted that Comodo received a "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy has the opinion that Verizon's certification methodology is at fault here.<ref>[https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/why-antivirus-standards-of-certification-need-to-change/ Why Antivirus Standards of Certification Need to Change], tripwire, 23 March 2016.</ref>
Ormandy noted that Comodo received a "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy has the opinion that Verizon's certification methodology is at fault here.<ref>[https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/why-antivirus-standards-of-certification-need-to-change/ Why Antivirus Standards of Certification Need to Change], tripwire, 23 March 2016.</ref>
Line 138: Line 136:
In October 2015, Comodo applied for "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt with Comodo" trademarks.<ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790719&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref><ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790789&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref><ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790812&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref> These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of [[Let's Encrypt]], started using the name Let's Encrypt publicly in November 2014,<ref>{{Cite web|url=http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm|title=Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode|last=Tsidulko |first=Joseph |website=CRN |date=19 November 2014|access-date=23 June 2016}}</ref> and despite the fact Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand.
In October 2015, Comodo applied for "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt with Comodo" trademarks.<ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790719&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref><ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790789&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref><ref>{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790812&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=23 June 2016}}</ref> These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of [[Let's Encrypt]], started using the name Let's Encrypt publicly in November 2014,<ref>{{Cite web|url=http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm|title=Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode|last=Tsidulko |first=Joseph |website=CRN |date=19 November 2014|access-date=23 June 2016}}</ref> and despite the fact Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand.


On 24 June 2016, Comodo publicly posted in its forum that it had filed for "express abandonment" of their trademark applications.<ref>{{Cite web|url=https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/trademark-registration-t115968.0.html;msg837505#msg837505|title=Topic: Trademark registration|access-date=24 June 2016}}</ref>
On 24 June 2016, Comodo publicly posted in its forum that it had filed for "express abandonment" of their trademark applications.<ref>{{Cite web|url=https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/trademark-registration-t115968.0.html;msg837505#msg837505|title=Topic: Trademark registration|access-date=24 June 2016|archive-date=8 November 2020|archive-url=https://web.archive.org/web/20201108141457/https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/trademark-registration-t115968.0.html;msg837505#msg837505|url-status=dead}}</ref>


Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."<ref>{{Cite web|url=https://www.grahamcluley.com/comodo-stands-trademark-tussle-lets-encrypt/ |title=Comodo Stands Down From Trademark Tussle with Let's Encrypt |date=27 June 2016 |access-date=23 December 2016}}</ref>
Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."<ref>{{Cite web|url=https://www.grahamcluley.com/comodo-stands-trademark-tussle-lets-encrypt/ |title=Comodo Stands Down From Trademark Tussle with Let's Encrypt |date=27 June 2016 |access-date=23 December 2016}}</ref>


=== Dangling markup injection vulnerability ===
=== Dangling markup injection vulnerability ===
On 25 July 2016, Matthew Bryant showed that Comodo's website is vulnerable to dangling markup injection attacks and can send emails to system administrators from Comodo's servers to approve a wildcard certificate issue request which can be used to issue arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product.<ref>{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |website=thehackerblog.com |access-date=29 July 2016}}</ref>
On 25 July 2016, Matthew Bryant showed that Comodo's website is vulnerable to dangling markup injection attacks and can send emails to system administrators from Comodo's servers to approve a wildcard certificate issue request which can be used to issue arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product.<ref>{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |website=thehackerblog.com |date=25 July 2016 |access-date=29 July 2016}}</ref>


Bryant reached out in June 2016, and on 25 July 2016, Comodo's Chief Technical Officer Robin Alden confirmed a fix was put in place, within the responsible disclosure date per industry standards.<ref>{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |access-date=23 December 2016}}</ref>
Bryant reached out in June 2016, and on 25 July 2016, Comodo's Chief Technical Officer Robin Alden confirmed a fix was put in place, within the responsible disclosure date per industry standards.<ref>{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |date=25 July 2016 |access-date=23 December 2016}}</ref>


==See also==
==See also==
Line 161: Line 159:
*{{Official website}}
*{{Official website}}


{{Antivirus software}}
{{Authority control}}
{{Authority control}}


[[Category:Computer security organizations]]
[[Category:Software companies established in 1998]]
[[Category:Software companies established in 1998]]
[[Category:Certificate authorities]]
[[Category:Certificate authorities]]
[[Category:Computer security software companies]]
[[Category:Computer security software companies]]
[[Category:Computer security companies]]
[[Category:International information technology consulting firms]]
[[Category:International information technology consulting firms]]
[[Category:Antivirus software]]
[[Category:Software companies based in New Jersey]]
[[Category:Software companies based in New Jersey]]
[[Category:Software companies of the United Kingdom]]
[[Category:Software companies of the United Kingdom]]
[[Category:Windows security software]]
[[Category:1998 establishments in the United Kingdom]]
[[Category:1998 establishments in the United Kingdom]]
[[Category:Companies based in Passaic County, New Jersey]]
[[Category:Companies based in Passaic County, New Jersey]]

Latest revision as of 17:05, 7 November 2024

Xcitium
FormerlyComodo Security Solutions, Inc.
Company typePrivate
IndustryComputer software
FoundedUnited Kingdom
(1998; 26 years ago (1998))[1]
Headquarters,
United States
Area served
Worldwide
Key people
Melih Abdulhayoğlu (President and Chairman)
Number of employees
1,200+[citation needed]
Websitewww.comodo.com

Comodo Security Solutions, Inc., is a cybersecurity company headquartered in Bloomfield, New Jersey. Under the brand Sectigo, the company acts as a web Certificate authority (CA) and issues SSL/TLS certificates.

History

[edit]

The company was founded in 1998 in the United Kingdom[1] by Melih Abdulhayoğlu. The company relocated to the United States in 2004. Its products are focused on computer and internet security. The firm operates a certificate authority that issues SSL certificates. The company also helped on setting standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record.[2]

In October 2017, Francisco Partners acquired Comodo Certification Authority (Comodo CA) from Comodo Security Solutions, Inc. Francisco Partners rebranded Comodo CA in November 2018 to Sectigo.[3][4]

On June 28, 2018, the new organization announced that it was expanding from TLS/SSL certificates into IoT security with the announcement of its IoT device security platform.[5] The company announced its new headquarters in Roseland, New Jersey on July 3, 2018[6] and its acquisition of CodeGuard, a website maintenance and disaster recovery company, on August 16, 2018.[7]

On June 29, 2020, Comodo announced their strategic partnership with the company CyberSecOp.[citation needed] The firm has partnered with Comodo in the past, and seeks to provide a range of cybersecurity products and consulting services.

Companies

[edit]
  • Comodo CA Limited (Sectigo): Based in the City of Salford, Greater Manchester, UK,[8] is a digital certificate authority that issues SSL and other digital certificates. In November 2018, Francisco Partners announced that Comodo Certificate Authority (Comodo CA) is rebranding as Sectigo.[9]
  • Comodo Security Solutions, Inc: Based in Clifton, New Jersey, US, develops security software for commercial and consumer use.[10]
  • DNS.com: Based in Louisville, Kentucky, US, the company provides managed DNS services.[11]

Industry affiliations

[edit]

Comodo is a member of the following industry organizations:

  • Certificate Authority Security Council (CASC): In February 2013, Comodo became a founding member of this industry advocacy organization dedicated to addressing industry issues and educating the public on internet security.[12][13]
  • Common Computing Security Standards Forum (CCSF): In 2009 Comodo was a founding member of the CCSF, an industry organization that promotes industry standards that protect end users. Comodo CEO Melih Abdulhayoğlu is considered the founder of the CCSF.[14]
  • CA/Browser Forum: In 2005, Comodo was a founding member of a new consortium of certificate authorities and web browser vendors dedicated to promoting industry standards and baseline requirements for internet security.[15][16] Melih Abdulhayoğlu invited top browser providers and certification authorities to a round table to discuss the creation of a central authority responsible for delivering digital certificate issuance best practice guidelines.[17]

Products

[edit]

Controversies

[edit]

Symantec

[edit]

In response to Symantec's comment asserting paid antivirus is superior to free antivirus, the CEO of Comodo Group, Melih Abdulhayoğlu had challenged Symantec on 18 September 2010 to see whether paid or free products can better defend the consumer against malware.[19] GCN'S John Breeden understood Comodo's stance on free Antivirus software and challenging Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies."[20]

Symantec responded saying that if Comodo is interested they should have their product included in tests by independent reviewers.[21]

Comodo volunteered to a Symantec vs. Comodo independent review.[22] Though this showdown did not take place, Comodo has since been included in multiple independent reviews with AV-Test,[23] PC World,[24] Best Antivirus Reviews,[25] AV-Comparatives,[26] and PC Mag.[27]

Certificate hacking

[edit]

On 23 March 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued nine certificate signing requests.[28] Nine certificates for seven domains were issued.[28] The attack was traced to IP address 212.95.136.18, which originates in Tehran, Iran.[28] Moxie Marlinspike analyzed the IP address on his website the next day and found it to have English localization and Windows operating system.[29] Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the origin of the attack may be the "result of an attacker attempting to lay a false trail.".[28][30]

Comodo revoked all of the bogus certificates shortly after the breach was discovered. Comodo also stated that it was actively looking into ways to improve the security of its affiliates.[31]

In an update on 31 March 2011, Comodo stated that it detected and thwarted an intrusion into a reseller user account on 26 March 2011. The new controls implemented by Comodo following the incident on 15 March 2011, removed any risk of the fraudulent issue of certificates. Comodo believed the attack was from the same perpetrator as the incident on 15 March 2011.[32]

In regards to this second incident, Comodo stated, "Our CA infrastructure was not compromised. Our keys in our HSMs were not compromised. No certificates have been fraudulently issued. The attempt to fraudulently access the certificate ordering platform to issue a certificate failed."[33]

On 26 March 2011, a person under the username "ComodoHacker" verified that they were the attacker by posting the private keys online[34] and posted a series of messages detailing how poor Comodo's security is and bragging about his abilities:[35][36]

I hacked Comodo from InstantSSL.it, their CEO's e-mail address mfpenco@mfpenco.com

Their Comodo username/password was: user: gtadmin password: globaltrust

Their DB name was: globaltrust and instantsslcms

Enough said, huh? Yes, enough said, someone who should know already knows...

Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we

just hack and own.

I see Comodo CEO and other wrote that it was a managed attack, it was a planned attack, a group of

cyber criminals did it, etc.

Let me explain:

a) I'm not a group, I'm single hacker with experience of 1000 hacker, I'm single programmer with

experience of 1000 programmer, I'm single planner/project manager with experience of 1000 project

managers, so you are right, it's managed by 1000 hackers, but it was only I with experience of 1000

hackers.

Such issues have been widely reported, and have led to criticism of how certificates are issued and revoked.[37][38][39][40] As of 2016, all of the certificates remain revoked.[28] Microsoft issued a security advisory and update to address the issue at the time of the event.[41][42]

For Comodo's lacking response on the issue computer security researcher Moxie Marlinspike called the whole event extremely embarrassing for Comodo and rethinking SSL security. It was also implied that the attacker followed an online video tutorial and searched for basic opsec[29]

Such attacks are not unique to Comodo – the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable.[43]

Association with PrivDog

[edit]

In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising.[44]

PrivDog issued a statement on 23 February 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users. This potential issue is only present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. there are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish....The potential issue has already been corrected. There will be an update tomorrow which will automatically update all 57,568 users of these specific PrivDog versions."[45]

Certificates issued to known malware distributors

[edit]

In 2009 Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware distributors.[46] Comodo responded when notified and revoked the certificates in question, which were used to sign the known malware.[47]

Chromodo browser, ACL, no ASLR, VNC weak authentication

[edit]

In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy.[48]

The vulnerability wasn't in the browser itself. Rather, the issue was with an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk." Those using Chromodo immediately received an update.[49] The Chromodo browser was subsequently discontinued by Comodo.

Ormandy noted that Comodo received a "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy has the opinion that Verizon's certification methodology is at fault here.[50]

Let's Encrypt trademark registration application

[edit]

In October 2015, Comodo applied for "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt with Comodo" trademarks.[51][52][53] These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of Let's Encrypt, started using the name Let's Encrypt publicly in November 2014,[54] and despite the fact Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand.

On 24 June 2016, Comodo publicly posted in its forum that it had filed for "express abandonment" of their trademark applications.[55]

Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."[56]

Dangling markup injection vulnerability

[edit]

On 25 July 2016, Matthew Bryant showed that Comodo's website is vulnerable to dangling markup injection attacks and can send emails to system administrators from Comodo's servers to approve a wildcard certificate issue request which can be used to issue arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product.[57]

Bryant reached out in June 2016, and on 25 July 2016, Comodo's Chief Technical Officer Robin Alden confirmed a fix was put in place, within the responsible disclosure date per industry standards.[58]

See also

[edit]

References

[edit]
  1. ^ a b "How US entrepreneur's global internet security firm started life in Bradford". Telegraph & Argus. 3 September 2014. Retrieved 3 September 2014.
  2. ^ Hallam-Baker, P.; Stradling, R. (2013). "DNS Certification Authority Authorization – Comodo". doi:10.17487/RFC6844. S2CID 46132708. Retrieved 14 January 2013.
  3. ^ "Comodo Sells Certificate Business to Private Equity Firm | SecurityWeek.Com". www.securityweek.com. 31 October 2017. Retrieved 29 October 2019.
  4. ^ Murphy, Ian (2 November 2018). "Comodo CA becomes Sectigo and expands to cover IoT -". Enterprise Times. Retrieved 21 November 2019.
  5. ^ "Comodo CA launches IoT security platform". BetaNews. 28 June 2018. Retrieved 29 October 2019.
  6. ^ Perry, Jessica (3 July 2018). "Comodo CA global HQ coming to Roseland". NJBIZ. Retrieved 29 October 2019.
  7. ^ Novinson, Michael (16 August 2018). "Comodo CA Buys Website Disaster Recovery Startup CodeGuard". CRN. Retrieved 29 October 2019.
  8. ^ "Comodo – Contact Us".
  9. ^ "Comodo CA Rebrands as Sectigo". Sectigo® Official. Retrieved 18 June 2024.
  10. ^ "Comodo Security Solutions, Inc". Icsalabs.com. Retrieved 30 March 2015.
  11. ^ Joe Callan. "Domainers Magazine – DNS.com : The Next Geo-Targeting Solution – Jul–Aug (Issue 22)". Domainersmagazine.com. Archived from the original on 12 April 2015. Retrieved 30 March 2015.
  12. ^ Ellen Messmer (14 February 2013). "Multivendor power council formed to address digital certificate issues". Network World. Archived from the original on 28 July 2013.
  13. ^ "Authentication Security News, Analysis, Discussion, & Community". Darkreading.com. Archived from the original on 10 April 2013. Retrieved 30 March 2015.
  14. ^ "SecurityPark". Archived from the original on 2 April 2015. Retrieved 30 March 2015.
  15. ^ "CA/Browser Forum". Cabforum.org. Retrieved 23 April 2013.
  16. ^ Wilson, Wilson. "CA/Browser Forum History" (PDF). DigiCert. Retrieved 23 April 2013.
  17. ^ "Industry Round Table May 17th 2005 – New York" (PDF). Retrieved 17 May 2005.
  18. ^ "Xcitium EDR".
  19. ^ Abdulhayoğlu, Melih (18 September 2010). "Challenge to Symantec from Comodo CEO". Comodo Group. Archived from the original on 25 January 2011. Retrieved 22 September 2010.
  20. ^ John Breeden II (27 September 2010). "Is free virus protection inferior?". gcn.com. Retrieved 23 December 2016.
  21. ^ Rubenking, Neil J. (22 September 2010). "Comodo Challenges Symantec to Antivirus Showdown". PC Magazine. Ziff Davis, Inc. Retrieved 22 September 2010.
  22. ^ "Challenge to Symantec from Comodo CEO!". Archived from the original on 15 August 2016. Retrieved 23 December 2016.
  23. ^ Ms. Smith. "AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware". www.networkworld.com. Archived from the original on 7 October 2015. Retrieved 23 December 2016.
  24. ^ Erik Larkin (24 August 2009). "Comodo Internet Security Free Antivirus Software". www.pcworld.com. Retrieved 23 December 2016.
  25. ^ Daniele P. "Comodo 2016 Review: Malware Protection & Online Security". www.bestantivirus.com. Archived from the original on 28 December 2016. Retrieved 23 December 2016.
  26. ^ "Independent Tests of Anti-Virus Software". www.av-comparatives.org. Retrieved 23 December 2016.
  27. ^ Neil P. Rubenking. "The Best Free Antivirus Protection of 2016". www.pcmag.com. Retrieved 23 December 2016.[permanent dead link]
  28. ^ a b c d e "Report of incident on 15-MAR-2011: Update 31-MAR-2011". Comodo group. Retrieved 24 March 2011.
  29. ^ a b "DEF CON 19 - Moxie Marlinspike - SSL And The Future Of Authenticity - YouTube". www.youtube.com. 2 November 2013. Archived from the original on 13 December 2021. Retrieved 13 January 2021.
  30. ^ Hallam-Baker, Phillip (23 March 2011). "The Recent RA Compromise". Comodo Blog. Retrieved 24 March 2011.[permanent dead link]
  31. ^ "Iran accused in 'dire' net security attack". BBC News. 24 March 2011. Retrieved 23 December 2016.
  32. ^ "Update 31-MAR-2011". Retrieved 23 December 2016.
  33. ^ "Update 31-Mar-2011". Retrieved 23 December 2016.
  34. ^ Graham, Robert. "Verifying the Comodo Hacker's key".
  35. ^ Bright, Peter (28 March 2011). "Independent Iranian Hacker Claims Responsibility for Comodo Hack" (WIRED). Wired. Retrieved 29 March 2011.
  36. ^ "ComodoHacker's Pastebin". Pastebin.com. 5 March 2011. Retrieved 30 March 2015.
  37. ^ Eckersley, Peter (23 March 2011). "Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?". EFF. Retrieved 24 March 2011.
  38. ^ "Iran accused in 'dire' net security attack" (BBC). BBC News. 24 March 2011. Retrieved 24 March 2011.
  39. ^ "Detecting Certificate Authority compromises and web browser collusion". TOR. 22 March 2011. Retrieved 24 March 2011.
  40. ^ Elinor Mills and Declan McCullagh (23 March 2011). "Google, Yahoo, Skype targeted in attack linked to Iran". CNET. Archived from the original on 25 March 2011. Retrieved 24 March 2011.
  41. ^ "Microsoft Security Advisory (2524375)" (Microsoft). Microsoft. 23 March 2011. Retrieved 24 March 2011.
  42. ^ "Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing". Microsoft. 23 March 2011. Retrieved 24 March 2011.
  43. ^ "Independent Iranian Hacker Claims Responsibility for Comodo Hack". Wired. 28 March 2011. Archived from the original on 24 March 2016. Retrieved 23 December 2016.
  44. ^ Constantin, Lucian. "Worse than Superfish? Comodo-affiliated PrivDog compromises web security too". PC World. Retrieved 24 July 2024.
  45. ^ "PrivDog Security Advisory (Threat level: LOW)". Retrieved 23 December 2016.[permanent dead link]
  46. ^ "Comodo continue to to[sic] issue certificates to known Malware - May 2009 - Forums".
  47. ^ "Microsoft MVP Mike Burgess Responds To Comodo's CEO On Comodo Certificates Issued To Malware Distributors". Retrieved 23 December 2016.
  48. ^ https://code.google.com/p/google-security-research/issues/detail?id=704 |title=Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security
  49. ^ "Comodo will fix major flaw in knock-off Chrome browser". 4 February 2016. Retrieved 23 December 2016.
  50. ^ Why Antivirus Standards of Certification Need to Change, tripwire, 23 March 2016.
  51. ^ "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  52. ^ "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  53. ^ "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  54. ^ Tsidulko, Joseph (19 November 2014). "Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode". CRN. Retrieved 23 June 2016.
  55. ^ "Topic: Trademark registration". Archived from the original on 8 November 2020. Retrieved 24 June 2016.
  56. ^ "Comodo Stands Down From Trademark Tussle with Let's Encrypt". 27 June 2016. Retrieved 23 December 2016.
  57. ^ "Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection". thehackerblog.com. 25 July 2016. Retrieved 29 July 2016.
  58. ^ "Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection". 25 July 2016. Retrieved 23 December 2016.
[edit]