Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cert Slamming, or, Desperate Companies Behaving Badly

Posted by ryuzaki0 on from the must-suck-to-suck dept.

the special sauce writes "A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company was all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows... the special sauce Continues: "For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusing similar to a GeoTrust's product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.

So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host less certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."

6 of 186 comments (clear)

  1. So, wait... by Mike+Schiraldi · · Score: 5, Funny

    What exactly does this story have to do with VeriSign?

    If we're going to start working slams against companies we don't like into unrelated stories, we should at least cover all the bases by saying something tangential about Microsoft or an RIAA member while we're at it.

    --

    --
    Mod up a post Rob doesn't like and you'll never mod again

  2. Verisign doesnt care by www.sorehands.com · · Score: 5, Interesting
    Verisign doesnt care, why should anyone else?

    Verisign only complains if anything takes money from them. If they don't lose money, they don't care.

    I spoke with a person at Verisign about an obvously false whois registration, that belongs to a spammer. This clearly violates ICANN rules, but Verisign does not want to hear it.

    --
    Fight Spammers!
  3. Of course it is. by FreeLinux · · Score: 5, Insightful

    Sure it's Cert slamming. There's no doubt about that. The problem is though, that to date there is no law against it. That's right, perfectly legal. For example I have on my desk a letter from "The Admiistrative Office of RPR/OFV Records Division". It looks vaguely like something from the IRS, certainly it is from some government agency. When I open it, it looks like a check for $1600 and a ticket for a cruise. Of course, it is all a bogus marketing scam. Probably trying to sell time shares. It's totally and intentionally misleading but, at the same time it is still legal.

    Furthermore I wouldn't look for a law against it any time soon. Things like certificates and how they work are a bit on the technical side, at least for our poor overworked legislators. They have a lot of catching up to do and are currently bogged down trying to stop the MP3 swappers from being the scurge of humanity that they are.

  4. Office of fair trading by sh0rtie · · Score: 5, Informative


    If this company is UK based i would advise you to report them to the Office of fair trading and the UK Trading Standards , these kinds of practices are despicable and the OFT and TS do not take kindly to this sort of behaviour

  5. Trust by flonker · · Score: 5, Insightful

    SSL and crypto in general is all about trust. Would you trust someone who engages in deceptive marketing? Then again, so does Verisign, with their domain stuff. Are there any good certificate issuers?

  6. Identity Verification by pjrc · · Score: 5, Funny
    It's kind of ironic that the whole point of a SSL cert is to establish your site's true identity to the browser (where most users are not even aware of the certificate, the one true way that can tell who is going to receive their confidential information).

    And here we have a certificate authority (CA) who's masquerading as a competitor, in order to slam "subscribers" and certify their identity to end users.

    --
    PJRC: Electronic Projects, 8051 Microcontroller Tools