请输入您要查询的百科知识:

 

词条 Comodo Group
释义

  1. History

  2. Companies

  3. Industry affiliations

  4. Products

  5. Controversies

     Symantec  Certificate hacking {{anchor|2011 breach incident}}   Association with PrivDog  Certificates issued to known malware  Chromodo browser, ACL, no ASLR, VNC weak authentication    Let's Encrypt trademark registration application    Dangling markup injection vulnerability  

  6. See also

  7. References

  8. External links

{{short description|American technology company}}{{Infobox company
| name = Comodo Group, Inc.
| logo = Comodo Group logo.svg
| logo_size =
| type = Private
| industry = Computer software
| foundation = United Kingdom
({{Start date and age|1998}})[1]
| hq_location_city = Clifton, New Jersey
| hq_location_country = United States
| area_served = Worldwide
| key_people = Melih Abdulhayoğlu (President and CEO)
| num_employees = 1,200+{{Citation needed|date=February 2018}}
| homepage = {{URL|https://www.comodo.com/}}
}}

Comodo is a cybersecurity company headquartered in Clifton, New Jersey in the United States.

History

The company was founded in 1998 in the United Kingdom[1] by Melih Abdulhayoğlu. The company relocated to the United States in 2004. Its products are focused on computer and internet security. The firm operates a Certificate Authority that issues SSL certificates, and offers information security products for both enterprises and consumers.[2] The company also helped on setting standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record.[3]

Companies

  • Comodo CA Limited: Based in City of Salford, Greater Manchester, UK,[4] is a digital certificate authority that issues SSL and other digital certificates. On November 1, 2018, Comodo CA announced that the company is rebranding as Sectigo.[5][6]
  • Comodo Security Solutions, Inc: Based in Clifton, NJ, develops security software for commercial and consumer use.[7]
  • DNS.com: Based in Louisville, Kentucky, the company provides managed DNS services.[8]

Industry affiliations

Comodo is a member of the following industry organizations:

  • Certificate Authority Security Council (CASC): In February 2013, Comodo became a founding member of this industry advocacy organization dedicated to addressing industry issues and educating the public on internet security.[9][10]
  • Common Computing Security Standards Forum (CCSF): In 2009 Comodo was a founding member of the CCSF, an industry organization that promotes industry standards that protect end users. Comodo CEO Melih Abdulhayoğlu is considered the founder of the CCSF.[11]
  • CA/Browser Forum: In 2005, Comodo was a founding member of a new consortium of Certificate Authorities and web browser vendors dedicated to promoting industry standards and baseline requirements for internet security.[12][13] Melih Abdulhayoğlu invited top browser providers and certification authorities to a round table to discuss creation of a central authority responsible for delivering digital certificate issuance best practice guidelines.[14]

Products

  • Comodo Dragon (web browser)
  • Comodo Ice Dragon (web browser)
  • Comodo Internet Security
  • Comodo System Utilities
  • Comodo Mobile Security
  • Comodo SSL

Controversies

Symantec

In response to Symantec's comment asserting paid antivirus is superior to free antivirus, the CEO of Comodo Group challenged Symantec on September 18, 2010 to see whether paid or free products can better defend the consumer against malware.[15] GCN'S John Breeden understood Comodo's stance on free Antivirus software and challenging Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies." [16]

Symantec responded saying that if Comodo is interested they should have their product included in tests by independent reviewers.[17]

Comodo volunteered to a Symantec vs. Comodo independent review.[18] Though this showdown did not take place, Comodo has since been included in multiple independent reviews with AV-Test,[19] PC World,[20] Best Antivirus Reviews,[21] AV-Comparatives,[22] and PC Mag.[23]

Certificate hacking {{anchor|2011 breach incident}}

On March 23, 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued nine certificate signing requests.[24] Nine certificates for seven domains were issued.[24] The attack was traced to IP address 212.95.136.18, which originates in Tehran, Iran.[24] Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the origin of the attack may be the "result of an attacker attempting to lay a false trail.".[24][25]

The attack was immediately thwarted, with Comodo revoking all of the bogus certificates. Comodo also stated that it was actively looking into ways to improve the security of its affiliates.[26]

In an update on March 31, 2011, Comodo stated that it detected and thwarted an intrusion into a reseller user account on March 26, 2011. The new controls implemented by Comodo following the incident on March 15, 2011, removed any risk of the fraudulent issue of certificates. Comodo believed the attack was from the same perpetrator as the incident on March 15, 2011.[27]

In regards to this second incident, Comodo stated, "Our CA infrastructure was not compromised. Our keys in our HSMs were not compromised. No certificates have been fraudulently issued. The attempt to fraudulently access the certificate ordering platform to issue a certificate failed." [28]

On March 26, 2011, a person under the username "ComodoHacker" made several posts to Pastebin.com claiming to be an Iranian responsible for the attacks.[29][30]

Such issues have been widely reported, and have led to criticism of how certificates are issued and revoked.[31][32][33][34] As of 2016, all of the certificates remain revoked.[24] Microsoft issued a security advisory and update to address the issue at the time of the event.[35][36]

Such attacks are not unique to Comodo – the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable.[37]

Association with PrivDog

In February 2015, Comodo was associated with a man-in-the-middle enabling tool known as PrivDog, which claims to protect users against malicious advertising.[38]

PrivDog issued a statement on February 23, 2015, saying, "A minor intermittent defect has been detected in a third party library used by the PrivDog standalone application which potentially affects a very small number of users. This potential issue is only present in PrivDog versions, 3.0.96.0 and 3.0.97.0. The potential issue is not present in the PrivDog plug-in that is distributed with Comodo Browsers, and Comodo has not distributed this version to its users. there are potentially a maximum of 6,294 users in the USA and 57,568 users globally that this could potentially impact. The third party library used by PrivDog is not the same third party library used by Superfish....The potential issue has already been corrected. There will be an update tomorrow which will automatically update all 57,568 users of these specific PrivDog versions." [39]

Certificates issued to known malware

In 2009 Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware.[40]

Comodo responded when notified and revoked the issued certificates that contained the rogue malware.[41]

Chromodo browser, ACL, no ASLR, VNC weak authentication

In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy.[42]

The vulnerability wasn't in the browser itself, which was based on the open-source code behind Google's Chrome browser. Rather, the issue was with an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved – it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found – ensuring it never puts the customer at risk." Those using Chromodo immediately received an update.[43] The Chromodo browser was subsequently discontinued by Comodo.

Ormandy noted that Comodo received a "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy has the opinion that Verizon's certification methodology is at fault here.[44]

Let's Encrypt trademark registration application

In October 2015, Comodo applied for "Let's Encrypt", "Comodo Let's Encrypt", and "Let's Encrypt with Comodo" trademarks.[45][46][47] These trademark applications were filed almost a year after the Internet Security Research Group, parent organization of Let's Encrypt, started using the name Let's Encrypt publicly in November 2014,[48] and despite the fact Comodo's "intent to use" trademark filings acknowledge that it has never used "Let's Encrypt" as a brand.

On June 24, 2016, Comodo publicly posted in its forum that it had filed for "express abandonment" of their trademark applications.[49]

Comodo's Chief Technical Officer Robin Alden said, "Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse. Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution." [50]

Dangling markup injection vulnerability

On July 25, 2016, Matthew Bryant showed that Comodo's website is vulnerable to dangling markup injection attacks and can send emails to system administrators from Comodo's servers to approve a wildcard certificate issue request which can be used to issue arbitrary wildcard certificates via Comodo's 30-Day PositiveSSL product.[51]

Bryant reached out in June 2016, and on July 25, 2016, Comodo's Chief Technical Officer Robin Alden confirmed a fix was put in place, within the responsible disclosure date per industry standards.[52]

See also

  • Comparison of antivirus software
  • Comparison of computer viruses
  • Internet Security
  • Antivirus software
  • Comparison of firewalls
{{Portalbar|Computer security|Information technology|Companies|United States}}

References

1. ^{{cite news|url=http://www.thetelegraphandargus.co.uk/news/11449076.Global_internet_security_firm_s_Bradford_roots/|title=How US entrepreneur's global internet security firm started life in Bradford|date=3 Sep 2014|accessdate=3 Sep 2014|newspaper=Telegraph & Argus}}
2. ^{{cite web|url=https://www.crunchbase.com/organization/comodo|title=Comodo Company Overview|accessdate=14 August 2015}}
3. ^{{cite web|url=https://tools.ietf.org/html/rfc6844|title=DNS Certification Authority Authorization – Comodo |accessdate=14 January 2013}}
4. ^{{cite web|url=https://www.comodo.com/contact-comodo/contact-us.php?key5sk0=2128&key5sk1=b80c454519459017187cf9cada5815e5414f518c|title=Comodo – Contact Us}}
5. ^{{cite news |url=https://www.thesslstore.com/blog/comodo-ca-changes-its-name-to-sectigo/ |title=Comodo CA changes its name to Sectigo |date=2018-11-01 |first=Patrick |last=Nohe}}
6. ^{{cite news |url=https://www.prnewswire.com/news-releases/comodo-ca-rebrands-as-sectigo-300741808.html |title=Comodo CA Rebrands as Sectigo |date=2018-11-01}}
7. ^{{cite web|url=https://www.icsalabs.com/vendor/comodo-security-solutions-inc|title=Comodo Security Solutions, Inc.|work=Icsalabs.com|accessdate=2015-03-30}}
8. ^{{cite web|url=http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|title=Domainers Magazine – DNS.com : The Next Geo-Targeting Solution – Jul–Aug (Issue 22)|author=Joe Callan|work=Domainersmagazine.com|accessdate=2015-03-30|deadurl=yes|archiveurl=https://web.archive.org/web/20150412125418/http://www.domainersmagazine.com/Jul-Aug-Issue-22/DNS.com-The-Next-Geo-Targeting-Solution.html|archivedate=2015-04-12|df=}}
9. ^{{cite web|url=http://www.networkworld.com/news/2013/021413-council-digital-certificate-266728.html |title=Multivendor power council formed to address digital certificate issues |author=Ellen Messmer |date=14 February 2013 |work=Network World |deadurl=yes |archiveurl=https://web.archive.org/web/20130728114851/http://www.networkworld.com/news/2013/021413-council-digital-certificate-266728.html |archivedate=2013-07-28 |df= }}
10. ^{{cite web|url=http://www.darkreading.com/authentication/167901072/security/news/240148546/major-certificate-authorities-unite-in-the-name-of-ssl-security.html|title=Authentication Security News, Analysis, Discussion, & Community|work=Darkreading.com|accessdate=2015-03-30|deadurl=yes|archiveurl=https://archive.is/20130410174711/http://www.darkreading.com/authentication/167901072/security/news/240148546/major-certificate-authorities-unite-in-the-name-of-ssl-security.html|archivedate=2013-04-10|df=}}
11. ^{{cite web|url=http://www.securitypark.co.uk/|title=SecurityPark|work=SecurityPark|accessdate=2015-03-30}}
12. ^{{cite web | url=https://www.cabforum.org/ | title=CA/Browser Forum|publisher=Cabforum.org | accessdate=2013-04-23}}
13. ^{{cite web | url=http://docbox.etsi.org/workshop/2012/201201_CA_DAY/5_Wilson_CAB-Forum.pdf | title=CA/Browser Forum History | last = Wilson | first = Wilson | publisher = DigiCert | accessdate=2013-04-23}}
14. ^{{cite web|url=https://cabforum.org/pipermail/public/attachments/20150511/65e05471/attachment.pdf|title=Industry Round Table May 17th 2005 – New York|accessdate=17 May 2005|format=pdf}}
15. ^{{cite web |url = http://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/ |title = Challenge to Symantec from Comodo CEO |first = Melih |last = Abdulhayoğlu |authorlink = Melih Abdulhayoğlu |date = 18 September 2010 |publisher = Comodo Group |accessdate = 2010-09-22}}
16. ^{{Cite web|url=https://gcn.com/articles/2010/09/27/antivirus-paid-vs-free.aspx |title=Is free virus protection inferior? | author=John Breeden II |work=gcn.com |accessdate=23 Dec 2016}}
17. ^{{cite news |url = https://www.pcmag.com/article2/0,2817,2369524,00.asp |title = Comodo Challenges Symantec to Antivirus Showdown |first = Neil J. |last = Rubenking |work = PC Magazine |publisher = Ziff Davis, Inc. |date = 22 September 2010 |accessdate = 2010-09-22}}
18. ^{{Cite web|url=https://www.melih.com/2010/09/18/challenge-to-symantec-from-comodo-ceo/ |title=Challenge to Symantec from Comodo CEO! |accessdate=23 Dec 2016}}
19. ^{{Cite web|url=http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html| title=AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware | author=Ms. Smith|work=www.networkworld.com |accessdate=23 Dec 2016}}
20. ^{{cite web |url=http://www.pcworld.com/article/170640/comodo_internet_security.html |title=Comodo Internet Security Free Antivirus Software |author=Erik Larkin |work=www.pcworld.com |accessdate=23 Dec 2016}}
21. ^{{cite web|url=https://bestantivirus.reviews/review/comodo |title=Comodo 2016 Review: Malware Protection & Online Security | author=Daniele P. |work=www.bestantivirus.com |accessdate=23 Dec 2016}}
22. ^{{Cite web|url=https://www.av-comparatives.org/av-vendors/ |title=Independent Tests of Anti-Virus Software |work=www.av-comparatives.org |accessdate=23 Dec 2016}}
23. ^{{Cite web|url=https://www.pcmag.com/article2/0.2817.2388652.00.asp |title=The Best Free Antivirus Protection of 2016| author=Neil P. Rubenking |work=www.pcmag.com |accessdate=23 Dec 2016}}
24. ^{{cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Report of incident on 15-MAR-2011: Update 31-MAR-2011 |publisher=Comodo group |accessdate=2011-03-24 }}
25. ^{{cite web|title=The Recent RA Compromise|url=http://blogs.comodo.com/it-security/data-security/the-recent-ca-compromise/|first=Phillip|last= Hallam-Baker|date=March 23, 2011 |accessdate=2011-03-24|publisher=Comodo Blog}}
26. ^{{Cite web|url=https://www.bbc.com/news/technology-12847072 |title=Iran accused in 'dire' net security attack |accessdate=23 Dec 2016}}
27. ^{{Cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Update 31-MAR-2011 |access-date=23 December 2016}}
28. ^{{Cite web|url=https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html |title=Update 31-Mar-2011 |accessdate=23 Dec 2016}}
29. ^{{cite news|url=https://www.wired.com/threatlevel/2011/03/comodo_hack/ |title=Independent Iranian Hacker Claims Responsibility for Comodo Hack |last=Bright |first=Peter |date=28 March 2011 |work=Wired |format=WIRED |accessdate=2011-03-29}}
30. ^{{cite web|url=http://pastebin.com/u/ComodoHacker|title=ComodoHacker's Pastebin|publisher=Pastebin.com|accessdate=2015-03-30}}
31. ^{{cite web|title=Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?|url=https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https|first=Peter |last=Eckersley|date=March 23, 2011|accessdate=2011-03-24|work=EFF}}
32. ^{{cite news|title=Iran accused in 'dire' net security attack|url=https://www.bbc.co.uk/news/technology-12847072|date=March 24, 2011|format=BBC|accessdate=2011-03-24|work=BBC News}}
33. ^{{cite web|title=Detecting Certificate Authority compromises and web browser collusion |url=https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion|date=March 22, 2011|accessdate=2011-03-24|work=TOR}}
34. ^{{cite news|title=Google, Yahoo, Skype targeted in attack linked to Iran|url=http://news.cnet.com/8301-31921_3-20046340-281.html|date=March 23, 2011|author=Elinor Mills and Declan McCullagh|work=CNET|accessdate=2011-03-24}}
35. ^{{cite web|title=Microsoft Security Advisory (2524375)|url=http://www.microsoft.com/technet/security/advisory/2524375.mspx|date=March 23, 2011|accessdate=2011-03-24|format=Microsoft}}
36. ^{{cite web|title=Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing|url=http://support.microsoft.com/kb/2524375|date=March 23, 2011|accessdate=2011-03-24|work=Microsoft}}
37. ^{{Cite web|url=https://www.wired.com/2011/03/comodo_hack/ |title=Independent Iranian Hacker Claims Responsibility for Comodo Hack |accessdate=23 Dec 2016}}
38. ^http://www.pcworld.com/article/2887632/secure-advertising-tool-privdog-compromises-https-security.html |title=PrivDog Security Advisory (Threat level: LOW) |accessdate=2016-12-30
39. ^{{Cite web|url=http://privdog.com/advisory.htm |title=PrivDog Security Advisory (Threat level: LOW) |accessdate=23 Dec 2016}}
40. ^http://www.cnet.com/forums/discussions/comodo-continue-to-to-issue-certificates-to-known-malware-343022/
41. ^{{Cite web|url=http://blogs.msmvps.com/donna/2009/05/18/microsoft-mvp-mike-burgess-respond-to-comodo-s-ceo-on-comodo-certificates-issued-to-malware-distributors/|title=Microsoft MVP Mike Burgess Responds To Comodo’s CEO On Comodo Certificates Issued To Malware Distributors |accessdate=23 Dec 2016}}
42. ^https://code.google.com/p/google-security-research/issues/detail?id=704 |title=Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security
43. ^{{Cite web|url=http://www.pcworld.com/article/3029690/security/comodo-to-fix-major-flaw-in-knock-off-chrome-browser.html |title=Comodo will fix major flaw in knock-off Chrome browser |accessdate=23 Dec 2016}}
44. ^[https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/why-antivirus-standards-of-certification-need-to-change/ Why Antivirus Standards of Certification Need to Chang], tripwire, 2016-03-23.
45. ^{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790719&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=2016-06-23}}
46. ^{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790789&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=2016-06-23}}
47. ^{{Cite web|url=http://tsdr.uspto.gov/#caseNumber=86790812&caseType=SERIAL_NO&searchType=statusSearch|title=Trademark Status & Document Retrieval|website=tsdr.uspto.gov|access-date=2016-06-23}}
48. ^{{Cite web|url=http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm|title=Let's Encrypt, A Free And Automated Certificate Authority, Comes Out Of Stealth Mode|last=Tsidulko |first=Joseph |website=CRN |access-date=2016-06-23}}
49. ^{{Cite web|url=https://forums.comodo.com/general-discussion-off-topic-anything-and-everything/trademark-registration-t115968.0.html;msg837505#msg837505|title=Topic: Trademark registration|access-date=2016-06-24}}
50. ^{{Cite web|url=https://www.grahamcluley.com/comodo-stands-trademark-tussle-lets-encrypt/ |title=Comodo Stands Down From Trademark Tussle with Let's Encrypt |accessdate=23 Dec 2016}}
51. ^{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |website=thehackerblog.com |access-date=2016-07-29}}
52. ^{{Cite web|url=https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html |title=Keeping Positive – Obtaining Arbitrary Wildcard SSL Certificates from Comodo via Dangling Markup Injection |accessdate=23 Dec 2016}}

External links

  • {{Official website|https://www.comodo.com}}
{{Antivirus software}}{{authority control}}

13 : Computer network security|Computer security organizations|Software companies established in 1998|Certificate authorities|Computer security software companies|Computer companies of the United States|Computer security companies|International information technology consulting firms|Antivirus software|Software companies of the United States|Software companies of the United Kingdom|Technology companies established in 1985|Windows security software
随便看

 

开放百科全书收录14589846条英语、德语、日语等多语种百科知识,基本涵盖了大多数领域的百科知识,是一部内容自由、开放的电子版国际百科全书。

 

Copyright © 2023 OENC.NET All Rights Reserved
京ICP备2021023879号 更新时间:2024/9/20 14:29:59