Explore the latest news and trends  

Sign up for our weekly security newsletter


Be the first to receive important updates on security





Send

Comodo Deactivates its Imperfect OCR, No More Fake Domains Processed


Two security investigators from Europe in an experimental way exploited the Comodo Internet site's backend mechanisms for acquiring one HTTPS certificate to register an URL that wasn't their own. The purpose for obtaining such a certificate was to make the false URL look like a genuine website and thereby let sensitive information, in particular, passwords get seized from the site's unwitting visitors via man-in-the-middle assaults.

Martin Kluge and Florian Heinz the researchers from Infosec observed that by utilizing OCR (optical character recognition), the CA processed issuing of certificates to people wanting them. The application, which is an image-recognition mechanism, has been created for making sure no one other than a domain's registered owner is issued the server-side certificate. Incidentally, an authentic domain-owner must prove he's the actual owner of his URL by going via a verification procedure by Comodo to which request for the SSL certificate is made for allowing HTTPS traffic.

Moreover, given that Comodo even now dominates the online market of SSL certificates for HTTPS traffic, the verification procedure is done in an automatic manner. The procedure involves dispatching one electronic mail to the person claiming to own the URL for confirming the request to obtain one SSL certificate was from his company. Softpedia.com posted this, October 21, 2016.

Apparently, for maintaining privacy on domains such as .be and .eu, the verification process is important. Also, contact details mustn't be allowed for getting scraped; therefore, a few registrars and registries don't let auto-generated messages from WHOIS extract e-mail ids. Instead, those are exhibited as text within a graphic which an individual can easily read, while no bot can extract.

However, Comodo generally uses automated WHOIS for the verification process of certificate applications.

The researchers' false URL story is currently being investigated at Mozilla. No matter that Comodo has resolved the reported issue; the certificate issuing site may end up troubled with Web-browser companies as it didn't inform about the issue during September last, the month it was resolved. Comodo tells the researchers got in touch with the website directly when the problem was confirmed and after which the website disabled its OCR mechanism.

» SPAMfighter News - 10/26/2016

3 simple steps to update drivers on your Windows PCSlow PC? Optimize your Slow PC with SLOW-PCfighter!Email Cluttered with Spam? Free Spam Filter!

Dear Reader

We are happy to see you are reading our IT Security News.

We do believe, that the foundation for a good work environment starts with fast, secure and high performing computers. If you agree, then you should take a look at our Business Solutions to Spam Filter & Antivirus for even the latest version of Exchange Servers - your colleagues will appreciate it!

Go back to previous page
Next