Could you imagine a large company deceiving its customers, especially one that positions itself as a guarantor of security? Neither could I, until recently. This article is a warning: think ten times before buying a code signing certificate from Comodo.
As part of my job (system administration) I write various useful programs that I actively use in my own work and at the same time publish for free for everyone. About three years ago the need arose to sign these programs, because otherwise not all of my clients and users could download them easily, simply because they were unsigned. A signature has long been normal practice, and it does not matter how safe the program actually is: if it is not signed, it will definitely attract heightened attention:
- The browser collects statistics on how often a file is downloaded, and while the file is unsigned it may even be blocked "just in case" at the initial stage and require explicit confirmation from the user to save it. The algorithms vary, and sometimes the domain is considered trusted, but in general it is a valid signature that confirms the file is safe.
- After download the file is inspected by the antivirus, and immediately before it runs, by the OS itself. For antiviruses the signature also matters (this is easy to trace on VirusTotal), and as for the OS, starting with Windows 10 a file whose certificate has been revoked is blocked outright and cannot be launched from Explorer. In addition, some organizations forbid running unsigned code altogether (configured through system policy), and this is justified: all serious developers long ago made sure their programs can be verified without additional effort.
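The checks described above can be reproduced by an administrator before a downloaded file is run. The following PowerShell script is an added example, not code from the article: it reads the Authenticode state of a file, reports the signer, and then asks signtool.exe (from the Windows SDK; assumed to be on PATH) for a full verification, since I treat signtool's chain check, which consults revocation information, as the authoritative answer for the "revoked certificate" state the article describes. The file path is a placeholder.

```powershell
# Added example (not from the article): inspect the Authenticode state of a
# downloaded executable before running it. Assumes signtool.exe is on PATH.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # e.g. C:\Downloads\some-tool.exe (placeholder)
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is NotSigned for unsigned files, Valid for a chain that verifies,
# and other values (HashMismatch, UnknownError, ...) when something is wrong.
[pscustomobject]@{
    File          = $Path
    Status        = $sig.Status
    StatusMessage = $sig.StatusMessage
    Signer        = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    Thumbprint    = $sig.SignerCertificate.Thumbprint
    NotAfter      = $sig.SignerCertificate.NotAfter
    Timestamped   = [bool]$sig.TimeStamperCertificate
} | Format-List

# Assumption: I do not rely on Get-AuthenticodeSignature alone for revocation
# state. signtool verify /pa performs the Authenticode chain check, including
# revocation, and returns a non-zero exit code for a revoked signer.
if (Get-Command signtool.exe -ErrorAction SilentlyContinue) {
    & signtool.exe verify /pa /v $Path
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "signtool reports the signature as invalid or revoked (exit $LASTEXITCODE)"
    }
} else {
    Write-Warning "signtool.exe not found; revocation status was not checked"
}

# The Zone.Identifier stream is the mark-of-the-web that tells Explorer and
# SmartScreen the file came from the Internet; it is what triggers the prompts.
$zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) { "Mark-of-the-web present:`n$zone" }
```

A file that is merely unsigned shows `Status: NotSigned`; a file whose signer was revoked after the fact may still carry a structurally intact signature, which is why the second, chain-level check is the one to act on.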
The direction chosen is generally correct: make the Internet as safe as possible for inexperienced users. However, the implementation itself is far from ideal. An ordinary developer cannot simply obtain a certificate; it has to be bought from the companies that have monopolized this market and dictate their conditions on it. And what if the programs are free? Nobody cares. The developer is then left with a choice: constantly prove the safety of their programs, sacrificing the convenience of users, or buy a certificate. Three years ago StartCom, which now lives at the bottom of the ocean, was the affordable option, and there were never any problems with them. At the moment the lowest price is offered by Comodo, but as it turned out there is a catch: to them the developer is literally nobody, and dumping him is normal practice.
After nearly a year of using the certificate, which I bought in mid-2018, Comodo suddenly revoked it, without prior notice by mail or phone and without giving any reason. Their technical support works poorly (they may not respond for a week), but I managed to find out the main reason: they believed that malware had been signed with the issued certificate. And the story could have ended there if it were not for one thing: I have never created malware, and my own protection methods allow me to state that it is impossible to steal the private key from me. Only Comodo holds a copy of the key, because they issue certificates without a CSR. Then came almost two weeks of unsuccessful attempts to obtain even elementary evidence. The company that allegedly guarantees security flatly refused to provide any evidence that their rules had been violated.
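The point about the CSR is the security-relevant one: when a CA generates the key pair for you, it necessarily holds a copy of the private key, and the "only I have the key" argument no longer holds. The following is an added example, not the article's procedure and not any CA's documented process, of the alternative workflow on Windows: generate the key locally with certreq.exe (which ships with Windows) and send the CA only the PKCS#10 request. The subject values and file paths are placeholders.

```powershell
# Added example (not from the article): create a non-exportable code-signing
# key pair in the current user's key store and emit only a CSR for the CA.
# Subject values are placeholders.
$inf = @"
[NewRequest]
Subject = "CN=Example Developer, O=Example Org, C=XX"
KeyLength = 3072
KeyAlgorithm = RSA
HashAlgorithm = SHA256
KeyUsage = 0x80                  ; CERT_DIGITAL_SIGNATURE_KEY_USAGE
Exportable = FALSE               ; the private key cannot be pulled out of the store
MachineKeySet = FALSE            ; current-user store, not the machine store
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.3          ; id-kp-codeSigning
"@

$infPath = Join-Path $env:TEMP 'codesign.inf'
$csrPath = Join-Path $env:TEMP 'codesign.csr'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq generates the key pair locally and writes the PKCS#10 request.
# Only $csrPath leaves this machine; the private key never does.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

Get-Content $csrPath
```

When the CA later returns the issued certificate, `certreq -accept` binds it to the locally held key. A CA that insists on delivering a ready-made PFX instead of accepting a CSR is, by construction, a second holder of the key, and any dispute about who signed what can no longer be settled by "the key never left me".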
From the last chat with tech support:
You 01:20
You have written "We need you to write support tickets within the same business day." But I have written.
Vinson 01:20
Hi, Welcome to Sectigo SSL Validation!
Let me check your case status, please hold on for a minute.
I have checked my order for malware.
You 01:28
I ask for proof.
I've never had malware / fraud / phishing.
Vinson 01:30
I am sorry, Alexander. I have double checked my order.
You 01:31
In which file did you see the virus? Is there a link to VirusTotal? I do not accept your answer because there is no proof in it. I have to pay for it.
If you cannot provide proof, then the certificate was revoked unfairly and you must return the money. Otherwise, if you revoke certificates without proof?
Vinson 01:34
I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines, a certificate authority is required to revoke the certificate.
For 30 days from the date of issuance.
You 01:35
False positive?
Vinson 01:36
I am sorry, Alexander. The order has been revoked due to malware / fraud / phishing.
You 01:37
I want to see that I violated your rules. It's simple.
I paid for it for three years, then I’ve received my certificate.
Vinson 01:43
I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines, a certificate authority is required to revoke the certificate.
You 01:45
It seems that you do not understand. Where is the sentence? You did just that. I have never had malware. Why don't you provide proof if it is? What specific proof is a certificate revocation?
Vinson 01:46
I am sorry, Alexander. The order has been revoked due to malware / fraud / phishing.
You 01:47
Who can I find out the certificate?
If you can’t answer, tell me who to contact?
Vinson 01:48
Please note as soon as possible.
sectigo.com/support-ticket
You 01:48
Thank you.
Such an outcome is not unique: every chat negotiation ends, at best, the same way, and tickets are either not answered at all or the answers are just as useless.
I create a ticket again. My request:
I require proof that I violated a rule that led to revocation. I’m bought from me.
"Malware / fraud / phishing" is not the answer! In which file did you see the virus? Is there a link to VirusTotal? For technical support and technical assistance.
Thank you.
Their answer:
The code signing certificate has been reported for distributing malware. As per industry guidelines, a certificate authority is required to revoke the certificate.
The hope that it is not a monkey answering me finally disappears. An interesting scheme emerges:
- We sell a certificate.
- We wait more than six months, so that a dispute can no longer be opened through PayPal.
- We revoke it and wait for the next order. Profit!
Since I have no other means of influencing them, I can only make their fraud public. When buying a certificate from Comodo (also known as Sectigo), you may face the same situation.
Update #1 (June 9):
Today I notified CodeSignCert (the company through which I bought the certificate) that, since they had stopped responding, I had submitted the situation for public discussion with a link to this article. After some time they finally sent a screenshot from VirusTotal showing the hash of the EzvitUpd program:
VirusTotal - d92299c3f7791f0ebb7a6975f4295792fbbf75440cb1f47ef9190f2a4731d425
My assessment of the situation:
I can say with confidence that this is a false positive. The signs:
- Generic detection names in most of the positives.
- No detections from the leading antivirus vendors.
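The two signs above can be applied in a repeatable way to any detection list, which is useful when a vendor has to be convinced that a result is a false positive. The following PowerShell function is an added example, not the article's analysis: it counts generic-looking labels and hits from a configurable list of leading vendors and derives a verdict from those two signs. The report it runs over is a constructed sample with made-up vendor names, not the article's VirusTotal result, and the "leading vendors" list and the generic-name pattern are my own assumptions.

```powershell
# Added example (not from the article): triage a detection report using the
# two signs named in the text. Vendor names and the leading-vendor list are
# assumptions; the sample report is constructed.
function Test-LikelyFalsePositive {
    param(
        [Parameter(Mandatory)] [hashtable]$Report,   # vendor -> detection name, or $null for clean
        [string[]]$LeadingVendors = @('VendorA', 'VendorB', 'VendorC', 'VendorD')
    )
    $hits = @($Report.GetEnumerator() | Where-Object { $_.Value })

    # Generic or heuristic labels say little about an actual threat family.
    $genericPattern = '(?i)generic|heur|suspicious|ml\.|unsafe|score'
    $generic     = @($hits | Where-Object { $_.Value -match $genericPattern })
    $leadingHits = @($hits | Where-Object { $LeadingVendors -contains $_.Key })

    [pscustomobject]@{
        Engines         = $Report.Count
        Detections      = $hits.Count
        GenericNames    = $generic.Count
        LeadingVendors  = $leadingHits.Count
        # Verdict per the two signs: mostly generic labels, and no leading vendor fires.
        LikelyFalsePositive = ($hits.Count -gt 0) -and
                              ($leadingHits.Count -eq 0) -and
                              ($generic.Count / [math]::Max($hits.Count, 1) -ge 0.5)
    }
}

# Constructed sample: 12 engines, 5 generic-looking detections, none from a leading vendor.
$sample = @{
    'VendorA' = $null; 'VendorB' = $null; 'VendorC' = $null; 'VendorD' = $null
    'VendorE' = 'Gen:Variant.Suspicious'; 'VendorF' = 'Heur.Generic'
    'VendorG' = 'ML.Attribute.HighConfidence'; 'VendorH' = $null
    'VendorI' = 'Trojan.Generic'; 'VendorJ' = 'Unsafe.AI_Score_72'
    'VendorK' = $null; 'VendorL' = $null
}
Test-LikelyFalsePositive -Report $sample
```

The verdict is only a triage aid: the decisive evidence is still a rebuild from source that produces a clean binary, which is what the next paragraph attempts, and a submission of the sample to each vendor that fired.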
It is difficult to say what exactly triggered these antiviruses, and since the file is very old (it was created almost a year ago), I no longer have the source of version 1.6.1 to rebuild the binary. However, I do have the latest version 1.6.5; given that the main branch hardly changes, only minimal changes were made there, and yet there is no such false positive for it:
VirusTotal - c247d8c30eff4449c49dfc244040fc48bce4bba3e0890799de9f83e7a59310eb
CodeSignCert has been notified of the false positive; the article will be updated as further results of the negotiations appear, until the situation is completely resolved.
Update #2 (June 11):
CodeSignCert has set an almost impossible condition: they want VirusTotal to be 100% clean of any positives. This is technically almost impossible, because not all antivirus vendors respond to false-positive reports, and for some even the contact mailbox does not work.
In the comments, gogetssl undertook to help and promised "Symantec Code Signing for a period of 3 years," and then refused to fulfill the promise in private messages. They did not follow up through any other channel and did not apologize.
At the time the link was provided there were 17 false positives; at the time of the last check, 14 antiviruses had corrected their mistake.