Slashdot Mirror


Cert Slamming, or, Desperate Companies Behaving Badly

the special sauce writes "A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company were all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows...

the special sauce continues: "For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusingly similar to a GeoTrust product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.

So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host fewer certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."

7 of 186 comments

  1. Recent case by essdodson · · Score: 2, Interesting

    There was a recent ruling against Verisign for this activity. Because of their deceptive mailings I will _NEVER_ consider using them as my registrar.

    --
    scott
    1. Re:Recent case by uncoveror · · Score: 3, Interesting

      I got those notices myself for Uncoveror.com, uncoverer.com, and dontbuycds.org, but my e-mail from GoDaddy warning me that they are bogus came first, and I was not fooled. I hope everyone behind this scam goes to the slammer, and finds out several times per day why it's called that.

      --
      The Uncoveror: It's the real news.
  2. Verisign doesn't care by www.sorehands.com · · Score: 5, Interesting
    Verisign doesn't care, why should anyone else?

    Verisign only complains if anything takes money from them. If they don't lose money, they don't care.

    I spoke with a person at Verisign about an obviously false whois registration, that belongs to a spammer. This clearly violates ICANN rules, but Verisign does not want to hear it.

  3. Bingo... by Rev.LoveJoy · · Score: 3, Interesting
    You're right on. This is simply more slimy marketing tactics from companies with bombing market shares.

    I cannot even count the number of bogus faxes / emails I have received telling me one of my domains (or some clever spelling thereof) is about to expire.

    Gee, marketing people are creepy slimeballs. I'm stunned. No. Really.

    Cheers,
    -- RLJ

  4. We need beneficiary oriented spam laws by Animats · · Score: 4, Interesting

    It's becoming clear that we need spam laws which provide for a penalty against the beneficiary of a spam, even if they did not originate it. An acceptable defense would be that the beneficiary had taken legal action against the spammer. That would make third-party spam actionable. (It may be, anyway, but it's a bigger legal battle under current law. I've been talking to an anti-spam lawyer, and he's unwilling to take on Verisign because they have too much money.)

  5. whats public infor whats not by linuxislandsucks · · Score: 2, Interesting

    Correct me if I am wrong but

    Registrar information was ruled as non-public, i.e. you cannot use it for mass mailings through the post office, mass calling telemarketing, and mass emailing.

    Would not cert information be on the same plane?

    --
    Don't Tread on OpenSource
  6. Ver$ign/NetworkSolutions... by Digiover · · Score: 2, Interesting

    We used to use Veri$ign/NetworkSolutions as our Registrar, but due to too many problems (changing freeforms/faxforms, parking domain names for no reason, fscked up database[*], and so on) we are moving all our domains to Tucows/OpenSRS and BulkRegister (trust me, we are not the only hosting provider in NL who does this).

    It also looks to me as if Veri$ign/NetworkSolution has made a pact with NameZero, since every domain which we host and has been registered through NameZero has become "parked" at NetworkSolutions.
    This can be very irritating for our customers (help! my domain doesn't work!), and the worst thing is that they never notify anyone about this (it's even worse because I get all these customers on the phone ;( ).

    [*] A simple domain transfer could take 3 months, only because Veri$ign/NetworkSolutions couldn't find the domain in its database.

    In my personal opinion: Don't do business with Ver$ign/NetworkSolutions.