Support

Comodo trustworthiness

Comodo signs unvalidated SSL Certificates which raises questions about their trustworthiness

In December 2008 it emerged that a Comodo reseller called Certstar had issued a SSL certificate for the domain "mozilla.com" to someone (Eddy Nigg, Startcom Ltd.) with no connection to that domain. The reseller obviously failed to check the validity of this application.

We cannot tell how many times the validation system of this reseller failed with other applications. Also it is not the first time a Comodo reseller issued certificates without validation, about three years ago a SSL certificate was issued by E-BizID without any vetting. You might expect Comodo would have undertaken some steps to prevent this from happening in the future, but to no avail. As Comodo still outsources validation to resellers, and fails to check on them, it is possible many more unvalidated SSL certificates were and are signed by Comodo.

As the SSL infrastructure is based, in a large sense on trust, you might expect that the validation procedure is properly carried out by the trusted certificate authority (CA) and not a reseller. If one CA fails in this validation process, this reflects and brings damage to all certification authorities. The most valuable lesson we can learn from this is to recognize the value of real vetting and validation.

If Comodo's name is to continue to have value, they have to make clear to the public what it expects of resellers and how it enforces a reliable validation policy. Till now Comodo only mentions that the Certstar case was an incident which will not happen again and that all Certstar orders have been revalidated or revoked.

In light of these events our Site Check tool places a warning sign when it encounters Comodo certificates and we advise our clients not to use them.

More details

http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/9c0cc829204487bf
http://jooray.soup.io/post/10105517/State-of-art-certificates-Whom-do-you
https://bugzilla.mozilla.org/show_bug.cgi?id=470897
http://msmvps.com/blogs/hostsnews/archive/2009/07/10/1699205.aspx
http://www.f-secure.com/weblog/archives/00002017.html
http://blogs.technet.com/b/msrc/archive/2011/03/23/microsoft-releases-security-advisory-2524375.aspx