[SecurityRatty] tag: comodo

Comodo Sells A Public VPN

Sun, 01 Jun 2008 10:11:30 +0000

Do you find yourself leery when on public WiFi networks? You should be. All manner of attacks are possible, especially if the WiFi hardware isn't as up-to-date as it should be. Comodo has the solution: A VPN service named TrustConnect. There are daily, monthly and annual contracts available. Enterprise customers may have their own VPNs, but when you're on personal business you still need to be secure. Your communications will be secure at least up to the point of Comodo, at which point they connect back out to the rest of the Internet, probably in the clear (unless, for example, it's an SSL site), So there's still some exposure there, but it's not likely to happen between Comodo and your surfing destination. Of course, VPNs aren't a cure-all, and a compromised PC connected to a VPN is still compromised, but it can be a powerful tool to protect assets at both ends of the connection.

Comodo Sells a Public VPN

Sun, 01 Jun 2008 10:11:30 +0000

Do you find yourself leery about using public Wi-Fi networks? You should be. All manner of attacks are possible, especially if the Wi-Fi hardware isn't as up-to-date as it should be. Comodo has the solution: a VPN service named TrustConnect. There are daily, monthly and annual contracts available. Enterprise customers may have their own VPNs, but when you're on personal business you still need to be secure. Your communications will be secure at least up to the point of Comodo, at which point they connect back out to the rest of the Internet, probably in the clear (unless, for example, it's an SSL site). So there's still some exposure there, but it's not likely to happen between Comodo and your surfing destination. Of course, VPNs aren't a cure-all, and a compromised PC connected to a VPN is still compromised, but it can be a powerful tool for protecting assets at both ends of the connection.

Free SSL Certs for Debian Bug Victims from Comodo

Thu, 22 May 2008 06:12:19 +0000

Seeking to outdo VeriSign's response to the Debian OpenSSL bug, certificate authority Comodo is offering free replacement SSL certificates to anyone affected, including customers of other CAs. Comodo customers can just go into their accounts and replace their certificates with a new Certificate Signing Request. Customers of other CAs can get their free certificate at this site. Comodo says that the term of the new certificate will be comparable to the old one it is replacing.

Hacker Free Site?...Yeah, right.

Fri, 09 May 2008 15:51:00 +0000

So as not to seemingly pick only on McAfee Hacker Safe, I thought it appropriate to show just how ridiculous the entire premise of calling anything Hacker Safe, Hacker Proof, and now WebSafe Shield Hacker Free Site really is. For you, dear reader, a new video for your streaming pleasure, courtesy of the WebSafe Shield Hacker Free Site.
My brother in arms in the battle against BS, Rafal Los, has already called out Comodo for their Hacker Proof fluff on the Digital Soapbox.
I simply couldn't let this one pass without a little extra scrutiny. I Googled hacker safe to see what else popped up and bam, there's WebSafe Shield in the sponsored links for "70% less than Hacker Safe" to boot!
I had literally about ten minutes to kill, and in less than two minutes, more XSS silliness courtesy of the sites with starring roles in the latest installation in our growing video series. The home page for WebSafe Shield lists frictionent.com and shoppingvale.com with such inanities as "My customers feel more safe and more likely to sign up knowing I operate a secure website." and "If you're interested in increasing your conversions, I'd suggest you sign up for WebSafe Shield." Doesn't that sum it up? Forget protecting the consumer. Let's just blindly lead the sheep to the wolves with some Hacker Free Site logo that means nothing in order to "increase conversions."
WebSafe Shield vaguely discuss their methodology here; I just love:
#6 - How do you conduct your security scans?
"We use industry-standard software and methodologies to scan, test and identify security vulnerabilities. We first scan for open ports, and for each open port, we identify the service and software for that port, and report any security vulnerabilities."
Wow, open ports. Let me guess...you're using Nessus?
The only discussion of web application security is on their rather vague Security Tips page. It's a perfectly generic read and they make no mention of actually scanning for those vulns, only open ports, and that they "report any security vulnerabilities." Maybe they keep it vague intentionally so they can more easily duck the criticism. I can imagine the answer to this question. Why are both the sites proudly listed front and center on your home page vulnerable to XSS and yet showing their WebSafe Shield Hacker Free Site logos? Likely because they only mention XSS, but don't actually scan for it. Probably not SQLi either. Just open ports. Please. Maybe that 70% discount over Hacker Safe means you're not making enough to build a service that can find XSS, the most prevalent of all web application vulnerabilities.
I'll say the same thing to WebSafe Shield that I've said to McAfee. Stop misleading people with some crappy little logo that you wouldn't take down for anything in the world (you wouldn't want to tick off your customer base, right?).
What about the consumers using those sites who actually fall for your misleading false premises? What's your answer to them? XSS doesn't count because you can't hack the server with it? Who is the victim of a well executed XSS attack?
The consumer, not your ill-coding customers.
In case you missed it earlier, here's the video.
The last little gem, and I quote: "Our security professionals are CISSP (Certified Information Systems Security Professional) certified." Oh goody. Maybe you can charge a wee bit more than "70% less than Hacker Safe" and help your customers build secure web apps on behalf of consumers, rather than driving conversions on behalf of your customers, and ultimately your investors.

WebSafe Shield, you're welcome to comment.

del.icio.us | digg

Comodo hails malware removal guarantee

Sun, 24 Feb 2008 21:00:00 +0000

Security outfit Comodo has become the first vendor to offer 'guaranteed' malware removal from PCs protected by its software.

Turns out John found a bargain

Thu, 17 Jan 2008 07:35:00 +0000

Before posting my discussion of code signing cert costs, I took a quick look at my trusted root store and didn't find anything by Comodo. I guess I should have looked more closely. There it is!

Apparently John's found an excellent deal. It turns out that the trusted root cert he had to install was only for the *purchase* of the certificate. It's odd that Comodo didn't use their established trusted root to issue the SSL cert for the site where they sell these certificates.

Mea culpa!!

The cost of a code signing certificate

Thu, 17 Jan 2008 04:31:00 +0000

In my recent post about Windows Live OneCare Firewall and Security, I mentioned that code signing certificates aren't cheap. If you look at the major vendors like VeriSign and Thawte, you'll find they charge between $500 and $300 for a cert that's valid for a year.

Scott commented that you can get cheap code-signing certs, as Jon Robbins points out. 80 bucks sounds like quite a deal, but a quick look at Jon's post reveals that a cheap code signing cert isn't as easy to use as one issued by the big dogs:

I had some trouble with registration process at Comodo. Make sure you add https://secure.comodo.net to the list of trusted sites in Internet Explorer so they can properly get you registered and install their trusted root certificate on your computer.

It's not just ease of use that I'm worried about here though. What's it mean to ask your customer to install a CA certificate into her trusted root store? I'm thinking of a nontechnical person like my mother - what's she going to think when she's asked to approve something that looks like this (the dialog that pops up on Windows XP when you try to install a cert into the trusted root store):

(click image to enlarge)

If you find that your customers tend to choose the default option here, "NO", your code signing cert won't be trusted, which begs the question, why didn't you save yourself the 80 bucks and simply issue your own code signing cert via Windows built-in Certificate Services?

And even worse, what does it mean if you find that your customers tend to choose, "YES"? That leads to the philosophical question: what use is PKI anyway if the end user doesn't understand it? If every software vendor creates one of those web pages (I'm sure you've seen them) instructing users on what to do when they see the above dialog ("press YES"), then ultimately what's the cost to the consumer?

I don't like tithing to my certificate authority any more than the next guy, but buying a "cheap" cert is more costly in the long term. If you need a cheap certificate for testing or for personal reasons, issue it yourself! If you need a real certificate, your best bet is to stick with a vendor that your customers already "trust", for better or for worse.