Comodo is shady

A few minutes ago I got a cold call on my cell phone. I almost didn’t answer; I tend not to answer calls to my cellphone from unknown numbers, but I have teams of lawyers and medical people out there looking for me sometimes, so sometimes I must.

The caller said that my SSL certificate was expiring soon with Company A (whom I forget, because it’s an old certificate for email I don’t use anymore since I switched to Google for mail) and they’d like the chance to win me over. I paused as I added this all up in my head. After I realized it was just telemarketing, I said “No, thanks” and hung up. Then I got an email from them. Scroll down and read it, then come back.

I like the Creating Trust Online part. Is this a strong-arm technique meant to scare me into purchasing from them? Are they trying to create some kind of trust in a “we know more than you, buy our stuff” way? Is this Louis character rogue, or is this standard operating procedure?

Ways to get me to never buy products or services from you:
1) Call me
2) Call me, then send me an email

I almost filed the call under “weird” and forgot about it; thanks for the email, which I can search for later when I’m shopping for SSL certificates so I know who not to call.

Delivered-To: btm@loftninjas.org
Received: by 10.142.215.17 with SMTP id n17cs645196wfg;
        Thu, 12 Mar 2009 10:48:23 -0700 (PDT)
Received: by 10.150.95.15 with SMTP id s15mr422861ybb.247.1236880102854;
        Thu, 12 Mar 2009 10:48:22 -0700 (PDT)
Return-Path: 
Received: from sharon.nj.office.comodo.net (mail.nj.office.comodo.net [38.104.66.254])
        by mx.google.com with ESMTP id 1si2384323gxk.79.2009.03.12.10.48.18;
        Thu, 12 Mar 2009 10:48:19 -0700 (PDT)
Received-SPF: pass (google.com: domain of louis.cicero@comodo.com designates 38.104.66.254 as permitted sender) client-ip=38.104.66.254;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of louis.cicero@comodo.com designates 38.104.66.254 as permitted sender) smtp.mail=louis.cicero@comodo.com
Received: (qmail 13908 invoked by uid 1001); 12 Mar 2009 17:48:17 -0000
Received: from mmonroe.comodo.net (HELO louisc) (192.168.68.79)
    by sharon.nj.office.comodo.net (qpsmtpd/0.40) with ESMTP; Thu, 12 Mar 2009 13:48:17 -0400
From: "Louis Cicero" 
To: 
Subject: Info on compromised root key
Date: Thu, 12 Mar 2009 13:48:16 -0400
Message-ID: <00a201c9a33a$b955fa20$4f44a8c0@comodo.net>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_NextPart_000_00A3_01C9A319.32445A20"
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AcmjOrkMPeS02oldT1mZI5bKFnL3rA==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
X-Comodo-Virus-Checked: Checked by ClamAV on sharon.nj.office.comodo.net
X-Comodo-ClamAV-Virus-Program: ClamAV 0.92.1

This is a multi-part message in MIME format.

------=_NextPart_000_00A3_01C9A319.32445A20
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9124558&intsrc=it_blogwatch

http://bits.blogs.nytimes.com/2008/12/30/outdated-security-software-threatens-web-commerce/

1024-bit encryption is 'compromised'

Upgrade to 2048-bit, says crypto expert

Written by James Middleton

vnunet.com  

According to a security debate sparked off by cryptography expert Lucky
Green on Bugtraq yesterday, 1,024-bit RSA encryption should be "considered
compromised".

The Financial Cryptography conference earlier this month, which largely
focused on a paper published by cryptographer Dan Bernstein last October
detailing integer factoring methodologies, revealed "significant practical
security implications impacting the overwhelming majority of deployed systems
utilising RSA as the public key algorithm".

Based on Bernstein's proposed architecture, a panel of experts estimated
that a 1,024-bit RSA factoring device can be built using only commercially
available technology for a price range of several hundred million to $1bn.

These costs would be significantly lowered with the use of a chip fab. As
the panel pointed out: "It is a matter of public record that the National
Security Agency [NSA] as well as the Chinese, Russian, French and many other
intelligence agencies all operate their own fabs."

And as for the prohibitively high price tag, Green warned that we should
keep in mind that the National Reconnaissance Office regularly launches
Signal Intelligence satellites costing close to $2bn each.

"Would the NSA have built a device at less than half the cost of one of its
satellites to be able to decipher the interception data obtained via many
such satellites? The NSA would have to be derelict of duty to not have done
so," he said.

The machine proposed by Bernstein would be able to break a 1,024-bit key in
seconds to minutes. But the security implications of the practical
'breakability' of such a key run far deeper.

None of the commonly deployed systems, such as HTTPS, SSH, IPSec, S/MIME and
PGP, use keys stronger than 1,024-bit, and you would be hard pushed to find
vendors offering support for any more than this.

What this means, according to Green, is that "an opponent capable of
breaking all of the above will have access to virtually any corporate or
private communications and services that are connected to the internet".

"The most sensible recommendation in response to these findings at this time
is to upgrade your security infrastructure to utilise 2,048-bit user keys at
the next convenient opportunity," he advised.

But a comment from well known cryptographer Bruce Schneier casts doubt on
Bernstein's findings in practical application.

"It will be years before anyone knows exactly whether, and how, this work
will affect the actual factoring of practical numbers," he said.

But Green, much to the clamour of "overreaction" from the Slashdot
community, added: "In light of the above, I reluctantly revoked all my
personal 1,024-bit PGP keys and the large web-of-trust that these keys have
acquired over time. The keys should be considered compromised."

Whatever the practical security implications, one sharp-witted Slashdot
reader pointed out: "Security is about risk management. If you have
something to protect that's worth $1bn for someone to steal, and the only
protection you have on it is 1,024-bit crypto, you deserve to have it stolen

Louis Cicero

Business Development Executive - Comodo 

Direct Line 1- 908- 376-0145

Main Office US: +1 888.COMODO1 (888.266.6361) ext.4062

Fax US: +1 866-405-5816

Louis.Cicero@Comodo.com 

Creating Trust Online

Comodo Helps Leading Cutlery eTailer Increase Individual Transactional Value By Over 250%

16 thoughts on “Comodo is shady”

  1. Jason Hicks

    Came across this blog entry and wanted to offer my apologies for how you perceived the situation. No one is trying to strong-arm you; we are simply letting people know that technology seems to have caught up to the 1024-bit public key. Many people we call every day are appreciative of the info as they didn’t know; obviously that’s not the case with you as the call was unwelcome, so again, my apologies.

  2. btm Post author

    The point is that it’s unsolicited and unrelated. It’s not a matter of whether the recipient knows the information or not. My phone conversation amounted to “Hi. No, thanks.” I didn’t ask to be emailed about Comodo’s products and services, nor did I express any interest in the Comodo News service. Hopefully the many people that appreciate the information are asked if they would like to be emailed news relating to SSL. Otherwise you’re just saying “Sure, it’s spam, but hey, like, a bunch of people bought the viagra, so we’re ethically okay, right?” No, not really.

    Spam is bad; the irony was in getting spam as a result of a cold call, which is bad. While these practices may be standard, they’re invasive.

    It’s not an article about people who forget to renew their SSL keys getting taken advantage of. It’s a completely out-of-context article about the dangers of ‘the man’ and how vulnerable you are. Your intentions be what they may, this is the equivalent of trying to sell someone a home security system and, when they refuse, emailing them an article about how cheap security systems are easily thwarted by murderers and rapists.

  3. Jason Hicks

    Understood and agreed. While many of the people we speak with do request an informational email to recap the conversation as well as to have a point of reference to do their own research, you were not one of those people and you should not have been sent a follow up email. Again, my apologies for the inconvenience.

  4. comodo unwanted calls

    Yes, just got the same unwanted phone calls and have been for several months. Unfortunately the bozos think it’s funny to keep calling back 15 times in the same day from 201-963-0004, Jersey City, NJ; they even tried calling from a cell, 2016889303, which has been disconnected.

  5. waldo

    welp, they continue… just got cold-called by comodo. did scraping contact data from WHOIS for marketing purposes suddenly become acceptable?

    Looking forward to my email…

  6. comodo sucks

    Just got cold-called by them today to become a reseller of their products. It’ll be a cold day in hell before I do. In fact, I am going to advise against anyone using or selling their products in the future as a result.

  7. JS

    I just got a call from Comodo this morning. Something about web site security. I told the lady up front to hang up on him. Do they really think that cold calling software developers at work is going to earn them money? Who comes up with this stuff?

  8. Antiques Collector

    It’s my first time getting an SSL certificate. Bought one from namecheap; cost $49.

    I forwarded my CSR and bought a dedicated IP. It cost me about $150.

    Comodo emailed me asking for the whois registrant and some docs that should match the registrant… since my whois is private, I made it public. I cancelled my subscription for being private…

    I emailed them the documents… then came a lot of emails from Den S. Madelyn, Karl, etc., asking me for different docs… I replied to them providing the docs again and again, and then they kept on emailing me to forward them the necessary info…

    I emailed them again, then I added a national ID… then came another email: they don’t accept my docs…

    What? That is what you are asking for… and I realized the docs were about 2-4 months old, so I scanned new docs… (they did not tell me that was the reason – they won’t point out why – they just say we don’t accept these kinds of documents)

    I emailed them… they are not checking the scanned image, they say… we don’t accept cellphone bills… they did not bother to look at my bank statement…

    What I provided… my national ID, cellphone bill, bank statement and screenshot of whois…

    They said in email to provide at least a utility bill, ID, bank statement… I provided the 3…

    Now they won’t validate it, and they are not reading my full email and not checking the email attachment.

    And now again they are asking for my landline bill! I don’t have one… If I provide that, what would they ask for next time, my birthday, my credit card?? Wow, Comodo… could it be that Comodo is shady??

    I am beginning to think that COMODO Sucks!!! or Comodo support sucks!

    namecheap on the other hand has very good customer support…

    I should blog this so everyone trying to buy COMODO SSL checks on them first…

  9. Paige Thompson

    btm — I was looking for some reasons to not buy a certificate from Comodo and came across your blog by coincidence… yeah … screw those guys. Companies that use fear mongering to sell their products are lame, no matter how you try to cut it. Hi an0nymou5, please DoS us.

  10. Andrew

    Comodo…. what an IDIOTIC “service”. I just registered for a free SITEINSPECTOR by COMODO. There was no field to provide them with my website’s URL, so what website, and how are they going to scan for viruses and malware if they don’t even know what website I’ve got? They’re shady….
