
Study says SSL-certificate warnings are as good as useless


nsane.forums


nsane.forums

In a test, 55 to 100 per cent of users (depending on their browsers) ignored warnings of invalid SSL certificates. The reported reason for this is a fundamental misunderstanding of the meaning of the certificates.


Just take an example out of ******** making a scapegoat out of COMODO.

I was about to post the link here, but it seems they removed the thread :bag:



  • Administrator

@Bizarre™. I didn't get the point. Great if you describe it.



Since the original thread from COMODO was removed, it'll be hard proving my point.

******** has issued an SSL cert. to a malware / rogue site, and they're insisting that it was COMODO who issued the cert.



  • Administrator

Ohhh! I have seen many rogue SSL certificates. Sometimes you have to ignore it as the website may contain some important things. And sometimes there are some problems in good websites, which is why it shows invalid SSL. Anyway, that happens very rarely. Still, I would recommend that you never open an invalid SSL certificate.



#return 1337

Opera won't let me load a page with a bad SSL cert.

It'll forward me to a nice page telling me why it can't load it.



  • Administrator

Saw what shought said, he said it was fake news, someone had faked the claim on comodo. Or similar.



Nope, Comodo did it.

Comodo issues cheap certifications to everybody, including some rogue sites.

The sole reason Comodo does this is because they want to earn their money same as some other companies who do this.

I think the same thing as I said can be found on Melih's blog, but he says it in other words so it doesn't sound so bad.

I don't want to bash Comodo because I don't care what they do, but they are not behaving as a genuinely safe company as they should be behaving. After all, people trust their products to secure their PC.



  • Administrator

OK. Even if I believe you I surely think that shought will have to say something about it.



OK. Even if I believe you I surely think that shought will have to say something about it.

Why Shought?

Yeah, I didn't quite catch that comment as well?

I'm not really into SSL certificates :P I couldn't care less if any site I visit has one or not...



  • Administrator

:hehe: ^^. That was a great comment to stop the argument.

We are talking about Comodo selling SSL certificates, in case you missed it.



Nope, Comodo did it.

Comodo issues cheap certifications to everybody, including some rogue sites.

At least they're revoking it.

The sole reason Comodo does this is because they want to earn their money same as some other companies who do this.

I think the same thing as I said can be found on Melih's blog, but he says it in other words so it doesn't sound so bad.

Really? To come up with that conclusion, you surely have been following their discussions, right?

I don't want to bash Comodo because I don't care what they do, but they are not behaving as a genuinely safe company as they should be behaving. After all, people trust their products to secure their PC.

Aren't you being biased? I mean, they're not allowed to commit mistakes while others can?



That was just one out of many licenses revoked, it still doesn't mean they stop handing out cheap certs.

Also I clearly stated Comodo does this because other companies do too. And Comodo doesn't want to be left behind in making money this way.

So I just stated out that Comodo is giving out cheap licenses, just like other companies do.

If Comodo finds out that their license is given to a site hosting rogues, they should obviously revoke the license.

But giving out licenses is not only added security, it's also about trust. So this surely is a bad thing happening to Comodo.

Moreover, if you look at the comments and logic Melih is using, you will surely see that he is using invalid arguments and that he is the one who is biased.



This is the bottom point:

The problem in fact boils down to two issues here.

First, the certs issue. The fact other cert vendors may or may not have standards or systems to investigate and revoke certs is merely part of the solution. Putting a halt on providing free and trial certs as those in question from this moment on by all cert vendors would be the way to go, in combination with fast and solid investigations from already provided sortalike certs.

The tricky part is, these free and trial certs are in fact commercial teasers. All cert vendors do provide them with one goal in mind: selling "the real stuff" in the end. Earning money is what it's all about in the end.

It may not come as a surprise cert vendors are far from willing to drop providing free and trial certs for that reason: it's the start from their main source of revenues.

Comodo is no exception to the rule here. Does this put Comodo off the hook? Certainly not. Although I applaud all sorts of actions as mentioned by its CEO to tackle this issue, it's bound not to work - it never has and never will. Far stronger rules should be applied - see above.

So the ethical versus commercial consideration arises: should Comodo stop issuing free and trial certs? Ethics say: "here and now". Commerce demands: "never. It does cost us far more than we can and wish to afford. Our competitors will laugh all the way to the bank". The conclusion: Comodo picks and will pick the commercial point of view. And Mike will keep on posting over here for years to come about this subject.

Second issue: Comodo is rapidly involving in creating various security related softwares. Fairly all of them do have at least a freeware option. This comes with a huge price tag (vast team of employees, bandwidth costs etc.). And here the connection with the first issue is obvious: this price tag most probably is mainly coming from the certs revenues.

It's rather obvious, the combo "certs" and "security software" is a fairly impossible one, not to say a contradictio in terminis.

Personally, I do see the overall marketing concept behind this combo concept. It's a rather smart concept as well from Comodo's perspective. Unfortunately, there's one misconception implemented: the real money maker source - the certs as being discussed. This misconception may well backfire in the end.

On a personal note and well intended: I'll take it your lunch invitation in NY from a while ago still stands, Melih :). I do wish you all the wisdom needed in dealing with the situation at hand.

Cheers,

Paul Wilders

(yet another darned Microsoft MVP since say 2002 or so)



It may look that way to you, but put yourself in his shoes.

How do you think you would react if someone is destroying your reputation?



It may look that way to you, but put yourself in his shoes.

How do you think you would react if someone is destroying your reputation?

I would want to set it straight. But then again, Melih knew handing out these cheap trials would bring these issues along.

IMO, Comodo just needs to make more paid products so they can fund their projects.



They are making paid products, but it seems their marketing strategy is inadequate.

Well, I can't blame them. They are a new face in the IT industry.

If you compare it in reality, it's a dog eat dog world as well.



They are making paid products, but it seems their marketing strategy is inadequate.

Well, I can't blame them. They are a new face in the IT industry.

If you compare it in reality, it's a dog eat dog world as well.

I am not a big capitalist myself so in that way I may be biased.

Still, I don't care what they do, but like Paul Wilders said, ethically they should stop these SSL-certs and economic-wise they should continue making money.



Paul Wilders' ultimatum is a bit far-fetched :bag:

If COMODO stops selling cheap SSL certs., they would have no resources to continue developing security programs.

If they resort to selling their security programs, only a few would be interested.



Paul Wilders' ultimatum is a bit far-fetched :bag:

If COMODO stops selling cheap SSL certs., they would have no resources to continue developing security programs.

If they resort to selling their security programs, only a few would be interested.

If Comodo has so many financial problems, then there should be massive changes if they want to survive as a genuine safe company. But then again, the average user doesn't even care about what the company is doing to survive and just likes free programs.



  • Administrator

As shought said -

I'm not really into SSL certificates :P I couldn't care less if any site I visit has one or not...

Hey wait one sec. even I like free security products. ;)



If Comodo has so many financial problems, then there should be massive changes if they want to survive as a genuine safe company.

Indeed :bag:

But then again, the average user doesn't even care about what the company is doing to survive and just likes free programs.

They don't care for now, but sooner or later they'll change their perspective.



Archived

This topic is now archived and is closed to further replies.
