Comodo revokes certificates for no reason

    Could you imagine that a large company would deceive its customers, especially one that positions itself as a guarantor of security? Until recently, neither could I. This article is a warning: think ten times before buying a code signing certificate from Comodo.

    As part of my job (system administration) I write various useful programs that I use actively in my own work and at the same time publish free of charge for everyone. About three years ago it became necessary to sign these programs, because otherwise not all of my clients and users could download them without problems, simply because they were unsigned. Signing has long been standard practice, and it does not matter how safe a program actually is: if it is not signed, it will certainly attract extra attention:

    1. The browser collects statistics on how often a file is downloaded, and while a file is unsigned it may at first be blocked "just in case", requiring the user to explicitly confirm the save. The algorithms differ, and sometimes the domain counts as trusted, but in general it is a valid signature that serves as confirmation of safety.
    2. After the download, the antivirus inspects the file, and so does the OS immediately before it starts. The signature matters to antiviruses too, which is easy to track on VirusTotal, and as for the OS, starting with Windows 10 a file with a revoked certificate is blocked outright and cannot be launched from Explorer. In addition, some organizations prohibit running unsigned code altogether (enforced by system policy), and this is justified: all reputable developers long ago made sure their programs can be verified without extra effort.
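    The check a user or administrator can run on a downloaded binary, as an added example that is not code from the original post: it reads the Authenticode signature with Get-AuthenticodeSignature and then builds the signer's certificate chain with an online revocation check, so a revoked code-signing certificate is reported explicitly rather than as a generic status. The file path is a constructed placeholder.

```powershell
# Added example (not from the original post). Windows 10 or later.
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File      = $Path
        Status    = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Message   = $sig.StatusMessage
        Signer    = $null
        Revoked   = $false
        ChainErrs = @()
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Build the chain with online CRL/OCSP checking over the whole chain, so a
        # revoked code-signing certificate shows up even though the signature bytes
        # themselves are intact.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)
        # Collect every chain problem (expired, untrusted root, revocation unknown, ...)
        $result.ChainErrs = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -band $revokedFlag })
    }
    [pscustomobject]$result
}

# Constructed placeholder path; point it at the file you actually downloaded.
Test-SignedBinary -Path 'C:\Downloads\EzvitUpd.exe' | Format-List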

    In general the chosen direction is the right one: make the Internet as safe as possible for inexperienced users, as far as that can be done. However, the implementation itself is far from ideal. An ordinary developer cannot simply obtain a certificate; he has to buy one from the companies that have monopolized this market and dictate their terms. What if the programs are free? That bothers no one. So the developer has a choice: constantly prove the safety of his programs at the expense of his users' convenience, or buy a certificate. Three years ago the affordable option was StartCom, which now lies at the bottom of the ocean; there were never any problems with them. At the moment Comodo offers the lowest price, but as it turned out there is a catch: to them the developer is literally nobody, and dumping him is normal practice.

    After almost a year of using the certificate, which I bought in mid-2018, Comodo suddenly revoked it without any prior notice by e-mail or phone and without explanation. Their technical support works poorly (they may not respond for a week), but I still managed to find out the main reason: they considered that malware had been signed with the issued certificate. And the story could have ended there if not for one thing: I have never created malware, and my own protection measures allow me to claim that stealing the private key from me is impossible. Only Comodo has a copy of the key, because they issue certificates without a CSR. And then came almost two weeks of unsuccessful attempts to obtain elementary evidence. The company, which supposedly guarantees security, flatly refused to provide any evidence that their rules had been violated.

    From the last chat with tech support:
    You 01:20
    You have written "We strive to respond to standard support tickets within the same business day." but I have been waiting for a response for a week now.

    Vinson 01:20
    Hi, Welcome to Sectigo SSL Validation!
    Let me check your case status, please hold on for a minute.
    I have checked and the order has been revoked due to malware / fraud / phishing by our higher official.

    You 01:28
    I am sure that this is your mistake, so I ask for proof.
    I've never had malware / fraud / phishing.

    Vinson 01:30
    I am sorry, Alexander. I have double checked and the order has been revoked due to malware / fraud / phishing by our higher official.

    You 01:31
    In which file did you see the virus? Is there a link to virustotal? I do not accept your answer because there is no proof in it. I paid money for this certificate and I have the right to know why my money is taken from me by force.
    If you can not provide proof, then the certificate was revoked unfairly and must return the money. Otherwise, what is the meaning of your work if you revoke certificates without proof?

    Vinson 01:34
    I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.
    Also as per refund policy, we will not be able to refund after 30 days from date of issuance.

    You 01:35
    Why do you think this is not a mistake or a false positive?

    Vinson 01:36
    I am sorry, Alexander. As per our higher officials report, the order has been revoked due to malware / fraud / phishing.

    You 01:37
    No need to apologize, I paid the money and I want to see proof that I violated your rules. It's simple.
    I paid for three years, then you came up with a reason and left me without a certificate and without proof of my guilt.

    Vinson 01:43
    I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.

    You 01:45
    It seems that you do not understand. Where did you see the court that passes the sentence without proof? You did just that. I have never had malware. Why do you not provide proof if it is? What specific proof is a certificate revocation?

    Vinson 01:46
    I am sorry, Alexander. As per our higher officials report, the order has been revoked due to malware / fraud / phishing.

    You 01:47
    Who can I find out the real reason for revoking the certificate?
    If you can not answer, tell me who to contact?

    Vinson 01:48
    Please submit a ticket again using the below link so that you receive a response as early as possible.
    sectigo.com/support-ticket

    You 01:48
    Thank you.

    This outcome is not unique: throughout the negotiations in chat they answer the same thing at best, and tickets either go unanswered or get equally useless replies.

    I'm creating a ticket again.
    My request:
    I require proof that I violated a rule that led to revocation. I bought a certificate and want to know why my money is taken from me.
    “Malware / fraud / phishing” is not the answer! In which file did you see the virus? Is there a link to virustotal? Please provide proof or return the money, I'm tired of writing technical support and have been waiting for more than a week.
    Thank you.

    Their answer:
    The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.

    The hope that I will be answered by something other than a monkey is disappearing completely. An interesting scheme emerges:

    1. We sell a certificate.
    2. We wait more than six months, so that a PayPal dispute can no longer be opened.
    3. We revoke it and wait for the next order. Profit!

    Since I have no other means of influencing them, all I can do is publicize their fraud. When buying a certificate from Comodo (they are also Sectigo), you may run into the same situation.

    Update # 1 of June 9th:

    Today I notified CodeSignCert (the company through which I bought the certificate) that, because they had stopped responding, I had submitted the situation for public discussion with a link to this article. After a while they finally sent a VirusTotal screenshot showing the hash of the EzvitUpd program:
    VirusTotal - d92299c3f7791f0ebb7a6975f4295792fbbf75440cb1f47ef9190f2a4731d425

    My assessment of the situation:
    I can say with confidence that this is a false positive. The signs:

    1. Generic detection names in most of the hits.
    2. No positives from the leading antivirus vendors.

    It is hard to say exactly what triggered this reaction from the antiviruses, and since the file is very old (it was created almost a year ago) I did not keep the sources of version 1.6.1 to rebuild that binary. However, I do have the latest version, 1.6.5; given that the main branch is essentially unchanged, the differences between them are minimal, yet it has no such false positive:
    VirusTotal - c247d8c30eff4449c49dfc244040fc48bce4bba3e0890799de9f83e7a59310eb

    CodeSignCert will be notified of the false positive; until the situation is fully resolved, this article stays up.

    Update # 2 of June 11th:

    CodeSignCert has set an almost impossible condition: they want the VirusTotal report to be 100% clean of any positives. Technically this is almost impossible, because not all antivirus vendors respond to feedback, and for some even the contact e-mail does not work.

    In the comments, gogetssl undertook to help and promised "Symantec Code Signing for a period of 3 years", and then in private messages refused to fulfill the promise. No one used the channels or apologized.

    When the link was provided there were 17 false positives; by the latest scan, 15 antiviruses had corrected their error.

    Update # 3 of June 23rd:

    Almost a month after the proceedings began, CodeSignCert agreed to a refund. The correspondence went extremely slowly, since they did not consider customers' needs important and went without responding for a very long time, waiting for instructions from Comodo. Comodo itself did nothing to remedy the situation, did not compensate the costs and did not apologize.

    Resellers often say that the CA/B Forum rules are the same for all certificate authorities and that they are required to revoke any certificate for which there are positives. This is a blatant lie, since I can find any number of files that are miraculously exempt from the rules, for example:
    Comodo - 5fc600351bade74c2791fc526bca6bb606355cc65e5253f7f791254db58ee7fa
    Symantec - 1d894f49930d7dd68277fe86ebb5bb5bb528
    DigiCert - 6baac60a703445e78ed0f55c032fbdf3b03692e61bd1fe8d6ad1243e240ea46e

    Comments are unnecessary, conclusions can be drawn independently.
