
COMODO the worst SSL company... and security leak!

Posted by easyswiss, 10-23-2014, 06:13 PM
I have there a funny discussion to get an EV certificate provided with COMODO for our company in Switzerland. I think I should post this here. They really want the CEO (me) of this registered corporation to do a phone book entry... or they will - if we do an entry with the callcenter number there - call our callcenter (*wtf* will they do there? I think they want to validate that I have ordered the SSL certificate...). I think there is something really wrong with Comodo. Read it here (we have no number listed in directories, because we own "special numbers" as a telco provider for low cost local fees, not "regular numbers"; from where the number which Comodo uses for validation comes... I do not know... but I think it is dangerous when a company like Comodo calls a number which is not owned by us for a verification): A COMODO EV is in my opinion not secure... if they use a phone book entry (this can be done in most countries without validation)! Do others have the same problem with this company?

Posted by {wx} JeffH, 10-23-2014, 06:17 PM
Requiring that your business be listed in a public telephone directory is pretty commonplace for getting an EV SSL. That said, it's one of several checks you are going to have to go through, so I really don't see how that of all things makes it a non-secure process.

Posted by {wx} JeffH, 10-23-2014, 06:20 PM
That said, I can't wait to see what you'll think of them asking you to go to a lawyer/notary/accountant to have your banking and identity (passport/birth certificate) validated.

Posted by easyswiss, 10-23-2014, 06:34 PM
The problem is... they use a number (799205482) which is not ours... they never wanted a passport copy or something... Example why the COMODO verification process has a security leak: Make a copy of a business registration and fill out the form -> make a phone book entry -> Now you have all to create an EV... there is a high potential risk for a security break with COMODO... in my case they never asked for something official like a passport copy. My mobile number in a phone book will turn me into a workaholic! Shame on you COMODO! Last edited by easyswiss; 10-23-2014 at 06:48 PM.

Posted by {wx} JeffH, 10-23-2014, 07:05 PM
You have no idea what you are talking about. And just because they haven't asked for it yet, doesn't mean they won't.

Posted by PJamie, 10-23-2014, 08:29 PM
It's not just Comodo. I don't think any of them employ the sharpest tools in the box. I've had SSL certificates refused for really dumb reasons such as not being able to provide an SSL for a Bank because they require "different security measures" - the domain was www.fashionbank.xxx (not the real domain, but a .com with bank in the name just like the example). It took ages to get them to understand it wasn't actually a Bank, it just had Bank in the name - the site content didn't seem to matter to them. It was the same excuse when we came to renew it with the same provider a couple of years later. I've had them delay a certificate because "there is no web site" when they were presented with a login screen (which can ONLY be presented when a web site actually exists). The SSL was to protect a password-protected admin area. And slightly less alarming - refusing to release a certificate "because there was no web site" when they received a custom error message that was generated by the web server due to no default document existing (on purpose). That error message could only be generated if there was a site set up on that server in the first place... they didn't understand that one at all. We eventually had to load a dummy default page just so that they could "see" a web site. Don't ask me to explain their reasoning. I just make sure I renew certificates in plenty of time in case I encounter a problem. Last edited by PJamie; 10-23-2014 at 08:33 PM.

Posted by Mr Terrence, 10-23-2014, 08:39 PM
Here we go again, someone does not get what they want and the company is automatically the "worst". The OP does not seem to have a clue what he/she is talking about.

Posted by SkyNetHosting, 10-23-2014, 10:33 PM
Funny indeed! This is the type of customer that a company would hate to do business with.

Posted by Alex Vojacek, 10-23-2014, 11:38 PM
If you want an EV SSL Certificate, please, confirm you are who you say you are. At least call them... that's like a pretty INCREDIBLY BASIC requirement and yeah, you will have to certify that you own the company if you want an EV Certificate. Or, you can go cheap and NOT get an EV Certificate, just get a cheap one with no requirements other than e-mail and be done with it. What do you expect? It's like going out to buy a car and telling the seller you want an expensive car, and when the seller asks for some validation of your persona since it's a really expensive car, you get mad at him!

Posted by FCHosting, 10-24-2014, 02:51 AM
When I got an EV SSL, the validation was very quick and easy as I had listed my company's phone number on a few directory sites (they don't have to specifically be a telephone directory). My EV SSL was issued on the same day that I ordered it, probably because I rang them and insisted that they do the verification at that moment in time.

Posted by wonker, 10-24-2014, 02:58 AM
I use Comodo because they accept French legal documentation and don't require a lawyer's letter. I tried to get one to sign an English version of such a document and he said he would have to pass it on to an international lawyer. Such a relief to work with a company that knows and understands the laws in your country. As for refusing to have a registered company phone number, as a consumer I hate companies that don't provide a normal phone number, and I'm pretty sure it's bad for business to not do so, unless you have no competition of course. With VoIP phoning, it doesn't cost much to get such a phone number set up. I do agree that this check doesn't secure much and seems to be more to protect suppliers than actual users.

Posted by cenourinha, 10-24-2014, 06:15 AM
We work with Comodo and have already completed the extended validation (EV) process multiple times. Sometimes it can be a slow and hard process to complete, however we understand that this validation is essential to meet the standards of EV validation. Comodo has been comprehensive with most cases and never required any document signed by a lawyer, notary or accountant. In our case (Portuguese company), documents relating to the registration of the company can be found online at the "Portal da Empresa" (Company Portal by the Portuguese Government) using a code (Certidão Permanente), and this way they can easily validate the company information and CEO name. You just need to find the easy way to validate your identity and your company in your country.

Posted by didlogic, 10-24-2014, 07:57 AM
We are happy with Geotrust. Much more strict than Comodo. Lawyer's letter, accountant's reference, proof of everything, very tedious. It's worth it. We always tell clients how many checks we have to go through to get Geotrust EV as compared to Comodo. The more checks, the better.

Posted by UENO, 10-24-2014, 04:57 PM
If you don't want to do the whole "Extended Validation" procedure, why did you buy an "Extended Validation" certificate? That's exactly what EV means, they are making sure the name on the order is the one they issue the certificate to. If you don't want to be bothered with the actual validation procedure, just buy a domain validated certificate instead. Technically they're the same, the only difference is that when someone visits a site secured by an EV certificate, they will know that the issuer did some extra checks to make sure they actually issued the certificate to the organization/person whose name is on the certificate.

Posted by {wx} JeffH, 10-24-2014, 05:14 PM
When we got our Comodo EV SSL we had to get our lawyer to certify documents / identity (etc). I hear the same from a lot of our clients. That said, it has a lot to do with the type of company (sole proprietorship / limited / corp / etc), along with what records the local business registry / government make publicly searchable for SSL companies to check against. Last edited by {wx} JeffH; 10-24-2014 at 05:19 PM.

Posted by ispcircle, 10-25-2014, 05:57 AM
The assurance that an SSL certificate provides the Internet user is that their data is encrypted and then being transmitted and the domain they are browsing is indeed a genuine organization. An Organization Validated (OV) or Extended Validated (EV) certificate Certifying Authority (CA) has to take several precautions to ensure that the organizations to whom these certificates are issued are genuine. To validate the organization, different CAs have different mechanisms. We selected GlobalSign as a partner for this very purpose - it allows us to sell:
* highly secure certificates,
* robust and unique infrastructure,
* industry-leading issuance practices,
* ease of issuance and installation,
* interesting price points,
* great support!

Posted by brianoz, 10-28-2014, 10:46 PM
How can wanting to verify your existence in a phone directory make it *less* secure? Like, in what scenario could this be actually exploited? Bearing in mind that they will check multiple sources to verify your company and this is only one of them.

Posted by whmcsservices, 10-29-2014, 02:29 AM
If you go with another SSL company, I think they all do the same validation process.


