SSL Certificate Vendor Sells Cert to Some Guy

By Larry Seltzer  |  Posted 2008-12-24 Print this article Print

In the absence of standards for applicant verification for standard SSL certificates, CAs need to promulgate strong policies and publicize their contractual obligations for resellers, and they need to audit those relationships.

The SSL infrastructure is based, in a large sense, on trust. We trust that vendors of the software that checks certificates will only trust the roots of certificate authorities that are trustworthy, and that means CAs that check to see that the applicant for a certificate is who he says he is.

Unfortunately, there are no real standards for how to verify identity of an applicant for a conventional SSL certificate. This is one of the main motivations behind EV-SSL, for which there is a defined standard for authentication of applicants.

But even for conventional SSL certs, you'd think there would be some verification done, but it's not always the case. Thus, we have the case of a Comodo reseller attempting to scam users into buying certs under false pretenses and then selling a cert for to someone with no affiliation with that organization.

Eddy of had been getting annoying "reminder" e-mails for renewing his certificate from a company from which he did not buy that certificate. If you own a domain name, you've probably gotten these notes from other, shady domain registrars. Some even send them snail mail. As part of attempting to learn who these clowns were, Eddy bought a certificate from them for the domain If you do a whois on, you'll see it's listed to DNS Admin, Mozilla Corporation, with a real Mountain View, Calif., address and what look like real phone numbers and e-mail addresses.

The certificate vendor that Eddy was dealing with is Certstar, apparently a Danish company and a reseller for Comodo, a legitimate CA (although Certstar's own certificate comes from Equifax). I sent a note to Comodo about this not too long ago, so they haven't got back to me yet, but in the meantime I found a response they posted to an e-mail list operated by Eddy:


As I noted in my prior correspondence, Comodo has undertaken an internal review of the Certstar reseller account. We have informed CertStar that their email violates their contractual obligation to refrain from sending unsolicited emails and that their email could be interpreted as misleading and confusing to the customer. During our review, we discovered that Certstar had apparently issued a certificate to without validating control of the domain. We immediately revoked the certificate (prior to your posting) and have suspended Certstar's reseller activities until our investigation has been completed. Please let me know if you have any further problems.

Robin Alden
Under the circumstances, they seem to be doing what they can, although the circumstances are somewhat of their own making. It all raises a lot of questions:
  • It appears that Comodo affiliates do the verification, not Comodo itself. This surprises me. Is it typical of SSL affiliate relationships?
  • How about EV-SSL? Is it sold through affiliates?
  • Will Comodo now review other sales that Certstar has made for such problems?
  • Which other CAs have affiliate relationships, and are they reviewing them as well?
EV-SSL can't be the answer for the mainstream because it's very expensive, essentially by design. It's meant to protect very high-value sites. There are, as I said, no standards for plain old vanilla SSL, but there are CA policies and the contracts they have with resellers. If Comodo's name is to continue to have value, it can't say this problem begins and ends with this incident, or even just with Certstar. It has to make clear to the public what it expects of resellers and how it enforces that policy. In fact, all CAs need to do this.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

For insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzer's blog Cheap Hack.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel