Comodo Attempting to Register 'Let's Encrypt' Trademarks, And That's Not Right

Let's Encrypt is a nonprofit aimed at encrypting the entire web. It provides free certificates, and its service is backed by EFF, Mozilla, Cisco, Akamai and others. Despite it being around for years, security firm Comodo, which as of 2015, was the largest issuer of SSL certificates with a 33.6% market share on 6.6% of all web domains, last year in October filed for the trademark Let's Encrypt. The team at Let's Encrypt wrote in a blog post today that they have asked Comodo to abandon its "Let's Encrypt" applications, directly but it has refused to do so. The blog post adds: We've forged relationships with millions of websites and users under the name Let's Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone. We've also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion. By attempting to register trademarks for our name, Comodo is actively attempting to do just that. Update: 06/23 22:25 GMT by M :Comodo CEO has addressed the issue on company's forum (screenshot).

Why the Hell didn't Let's Encrypt register it?!

[mrchaotica]

If you don't want somebody else to use a trademark, register it for yourself!

Re:Why the Hell didn't Let's Encrypt register it?!

[K.+S.+Kyosuke]

Well, they can still register the Yrg'f Rapelcg! trademark...

Re:Why the Hell didn't Let's Encrypt register it?!

[zuckie13]

Well, for one, they don't have to to be the owner of it. In the US, it's first to use, not first to register. It's pretty clear they have been using it well before this application was submitted - an application that says it's not in use by that company yet. I'd love to hope that the trademark office will just reject it, but they'll probably drag this out.

Re:Why the Hell didn't Let's Encrypt register it?!

[PCM2]

That "burden" can be as onerous as having a lawyer write a letter, which it sounds like they had to do anyway. If Comodo went ahead with using their mark after receiving said letter, they would then be in the exact situation they are in now -- only they would have legal standing to enforce their mark, which presently they don't.

"Nonprofit" shouldn't mean you can't afford to pay for basic necessities like registering your business license, paying your fire insurance, and protecting your most basic and fundamental IP (your name).

Re:Why the Hell didn't Let's Encrypt register it?!

[evolutionary]

It's a leverage game. The courts would favor Let'sEncrypt trademark (as they basically paid the government for it first). It could also be shown that in using it on such a scale it's purpose is to use Let'sEncrypt's name and in the end the group could get damages for Comodo. but first it has to pay for the lawyers to get. So it's not a matter of who is in the right, but who can use their purse strings to draw this out long enough. Our justice isn't really based on a sense of fair play, rather than whose got bling to play. Kinda like Net Neutrality. :D Hopefully Comodo decides the bad PR and litigation isn't worth it. but they might. I have little doubt they'll suggest a number (in essence blackmail) to get the domain at a "minimal fee". While it's true ideally one would register the web domain but domain != trademark. trademark wins, but only if the money exists to drag in out in court.

Re:Why the Hell didn't Let's Encrypt register it?!

[zuckie13]

The definition of use in commerce (my emphasis added) - right from the USPTO: For applications filed under the use-in-commerce basis, you must be using the mark in the sale or transport of goods or the rendering of services in “interstate” commerce between more than one state or U.S. territory, or in commerce between the U.S. and another country. For goods, the mark must appear on the goods (e.g., tags or labels), the container for the goods, or displays associated with the goods. For services, the mark must be used in the sale or advertising of the services.

Re:Why the Hell didn't Let's Encrypt register it?!

[tlhIngan]

Based on the links in the story, the trademarks are still in the examination stage and have not yet been issued.

If that is the case, Let's Encrypt can still send in forms and notify the USPTO of the conflict. They don't have much time, but if they passed along that information on their site to the patent examiner that should be enough to trigger additional investigation.

Exactly - why aren't they sending a challenge to the USPTO yesterday?

Trademarks are registered all the time. In fact, it's a public process - every new application is posted so opposition to registration can be recorded. If the Lets Encrypt folks aren't filing an opposition, (and not done so ages ago), then they're basically letting the ball drop.

It happens all the time - plenty of companies apply for trademarks only to have them opposed during application.

In fact, the thornier side of trademarks are marks not necessarily used in commerce - Microsoft, for example, owns two trademarks they don't use on products (NorthWinds and Contoso, I believe). Instead, they're registered so Microsoft can use them in demos and other things freely without running into any trademark issues.

Remove Comodo CA

Comodo proved themselves that are not trustwordy.

Re:Remove Comodo CA

Comodo proved themselves that are not trustwordy.

If they are untrustworthy in this respect, can they be trusted to perform due diligence when issuing certificates? After all a CA is supposed to be a "Trusted Third Party". If a CA shows itself not to be trustworthy, then maybe the browser suppliers should remove them from the (default) list of trusted CAs.

Re:Remove Comodo CA

[flopsquad]

Read their CEO's asinine post. I will never use a Comodo product. Asshats are one thing, but asshats who abuse the IP system and counter-blame the victims of their asshattery really grind my gears.

Given history, Comodo should use "Let's Infect!"

[BenJeremy]

PrivDog, Chomodo, hacks, and issuing certs to malware, Comodo is one company I'd steer clear from in any case.

Re:Given history, Comodo should use "Let's Infect!

[PatientZero]

Who is authorized to certify the Certification Authorities, and what would it take to finally have Comodo's cert revoked?

Drop Comodo CA

With everything Comodo has done, or not done, that should have gotten them removed, maybe we should push to have the Comodo CA certs dropped from the products and platforms of sponsors "EFF, Mozilla, Cisco, Akamai and others".

Re:Comodo Shady Ass Sales

[gmack]

Not surprising coming from a company that trolls other SSL Certificate Authorities and tries to steal their customers. Everytime my GoDaddy certs are up for renewal, these bitches from Comodo start calling and telling me how much money they can save me.

That's nothing, they called me and tried to get me to switch away from their own resellers.

Can't trademark if the mark is already used

[LetterRip]

In the US if you use a trademark, you own the the trademark even if you haven't registered it. Since it is already being used in commerce for that mark, the application shouldn't be successful and can be challenged in the courts if it is granted.

Re:Can't trademark if the mark is already used

[Sax+Russell+5449D29A]

They're most likely just trying to prevent Let's Encrypt from entering the commercial arena of issuing TLS certificates by creating legal barriers. Let's Encrypt's popularity is soaring and they're quickly capturing the low-end markets with minimal trust and identification requirements. They might see a possibility that Let's Encrypt might some day become a big player and thus a major competitor to COMODO.

Hence the trademark

[DrYak]

Someone needs to show paying Comodo customers how to use Let's Encrypt to renew their certs for free.

I think that's the reason why Comodo is trying to own the Let's Encrypt name....

Comodo carved by Moxie Marlinspike

[epine]

Moxie Marlinspike tells a story about Comodo at BlackHat 2011

The bit at 8m22 is priceless.

Comodo founder:

This [attack] was extremely sophisticated and critically executed. It was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate.

The hacker turns out to be a script-kiddie who got the technique from an introductory hacking video.

Comodo continues to embarrass themselves as the story unfolds, with their CEO finally complaining that all this wouldn't be a problem if man-in-the-middle wasn't possible. Huh? Aren't you in the business of selling the solution to the MITM problem?

What happened to Comodo? Nothing. Their business didn't suffer, they didn't lose customers. In fact, the only thing that happened was that their CEO was named "entrepreneur of the year" at RSA 2011.

Why does Comodo even still exist?

[ilsaloving]

How is it that they haven't had their issuer's license revoked already? They've already been found wanting as a cert provider, since they seem to have no qualms about issuing fraudulent certificates.

And now they're trying to fraudulently use someone else's trademark?

How much more fraud will they be allowed to perform before someone gives them a serious slap?

Oh, wait, what am I thinking... This is the US. As long as their shareholders are happy they could rape, pillage and burn entire towns and no one would care.

Re:US gun ban

[lordholm]

Yes, it would likely stop a lot of shootings, but obviously not all of them.

Murder rate US: 3.9 / 100k
There is only one place worse in the EU: Lithuania with a whopping 5.5 / 100k, on average the EU is a lot less than the US.

Taking the listed countries you end up with the following.
Austria: 0.5
Belgium: 1.8
France 1.2
UK 1.0
Germany: 0.9

All which are significantly lower than the average of the US.

Horrible statement

[Wuhao]

I actually didn't really want to read too deeply into this when the article first came up. I figured it could be a thorny issue and that maybe Comodo had previously used "Let's Encrypt" in marketing somewhere prior to the free campaign. Then I read their CEO's statement, and it's pretty clear that he just plain feels threatened and he acts as if he invented the concept of a 90-day free trial. I can certainly see where he could be losing money; but I guess as an onlooker, if someone can come along and take your money that way, your position was pretty weak in the first place.

So I guess I'd say I now feel that attempting to register this trademark seems pretty abusive, and the person who convinced me of that was Comodo's CEO in his post on his company's forums.

Re:Given history, Comodo should use "Let's Infect!

[bill_mcgonigle]

PrivDog, Chomodo, hacks, and issuing certs to malware, Comodo is one company I'd steer clear from in any case.

Shit, Namecheap still uses them for their resold SSL certs. If Namecheap doesn't have another option next time I need to renew one, I'm going elsewhere. That would be a pain, but I'm officially done with Comodo after this - seven strikes and I'm stupid for not calling you out on three.

Comodo is dropping it now

[InvisiBill]

In the linked forum thread, from robinalden (Comodo Staff):

With LE now being an operational business, we were never going to take the these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.
Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse.
We have now communicated this to LE.