Comodo revokes certificates for no reason

Could you imagine that a large company would be in the business of defrauding its customers, especially a company that positions itself as a guarantor of security? Neither could I, until recently. This article is a cautionary tale to make you think twice before buying a code signing certificate from Comodo.

As part of my work (system administration) I write various useful programs that I actively use myself, and at the same time I publish them for free for everyone. About three years ago it became necessary to sign these programs, because otherwise some of my clients and users could not download them without problems simply because they were unsigned. Signing has been normal practice for a long time, and no matter how safe a program is, if it is not signed it will definitely attract extra scrutiny:

  1. The browser keeps download-reputation statistics on how often a file is fetched; a file that is new and unsigned may be blocked "just in case" at first, with the user required to explicitly confirm saving it. The algorithms differ, and sometimes the domain itself is treated as trusted, but in general it is a valid signature from a known publisher that earns the file trust.
  2. Once downloaded, the file is inspected by the antivirus, and again by the OS itself right before it runs. Antivirus engines weight the signature too (this is easy to observe on VirusTotal), and as for the OS, starting with Windows 10 a file whose certificate has been revoked is blocked and cannot be launched from Explorer. Some organizations go further and prohibit running unsigned code altogether (configured with built-in system tools such as AppLocker or Windows Defender Application Control), and this is justified: every serious developer long ago made sure their programs can be verified without extra effort.

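The checks listed above can be reproduced on your own binaries. The following PowerShell script is an added example, not code from the original article: it reads each file's Authenticode status and then rebuilds the signer's certificate chain with online revocation checking forced on, so a revoked code signing certificate (the situation described later in this post) is reported explicitly instead of being folded into a single status value. The file paths are placeholders; everything else is standard Windows PowerShell 5.1 and .NET.

```powershell
# Added example: report Authenticode status and revocation state of signed binaries.
# Not part of the original article. The paths at the bottom are placeholders (assumption).
function Test-SignedBinary {
    param([Parameter(Mandatory)][string]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File
    $report = [ordered]@{
        File        = $File
        Status      = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer      = $null
        Thumbprint  = $null
        Timestamped = $false
        ChainOk     = $null
        ChainError  = $null
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $report.Signer      = $cert.Subject
        $report.Thumbprint  = $cert.Thumbprint
        $report.Timestamped = [bool]$sig.TimeStamperCertificate

        # Rebuild the chain ourselves with online revocation checking forced on for every
        # certificate in the chain, so a revoked signer shows up as 'Revoked' in ChainError.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Require the chain to be valid for code signing (id-kp-codeSigning).
        [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))

        $report.ChainOk = $chain.Build($cert)
        if (-not $report.ChainOk) {
            # e.g. "Revoked", "RevocationStatusUnknown", "NotTimeValid", "NotValidForUsage"
            $report.ChainError = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Dispose()
    }
    [pscustomobject]$report
}

# Placeholder inputs (assumption): replace with the binaries you actually distribute.
$binaries = @('C:\Dist\EzvitUpd.exe', 'C:\Dist\OtherTool.exe')
$binaries |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-SignedBinary -File $_ } |
    Format-Table File, Status, Signer, Timestamped, ChainOk, ChainError -AutoSize
```

One caveat on reading the output: Windows evaluates a timestamped Authenticode signature as of the timestamp, so a signature made before the certificate's revocation date can still verify for users, whereas this chain build evaluates the certificate as of now and reports Revoked regardless. That stricter view is what you want when deciding whether to re-sign and re-publish a release.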
In general, the chosen direction is correct - make the Internet as safe as possible for inexperienced users, to the extent that this is feasible. The implementation, however, is still far from ideal. An ordinary developer cannot simply obtain a certificate; it has to be bought from the companies that have monopolized this market and dictate their terms. And what if the programs are free? Nobody cares. The developer is then left with a choice: constantly prove that their programs are safe, at the expense of their users' convenience, or buy a certificate. Three years ago StartCom, now defunct, was the economical option, and there were never any problems with them. At the moment the lowest price is offered by Comodo, but, as it turned out, there is a catch - to them the developer is literally nobody, and cheating him is normal practice.

After almost a year of using the certificate I bought in mid-2018, Comodo suddenly revoked it without explanation and without any prior notice by e-mail or phone. Their technical support is poor - they may not respond for a week - but I still managed to find out the stated reason: they considered that malware had been signed with the issued certificate. The story could have ended there, if not for one thing: I have never created malware, and my own protection methods allow me to assert that my private key cannot be stolen. Only Comodo has a copy of the key, because they issue them without a CSR. What followed was almost two weeks of unsuccessful attempts to obtain the most elementary proof. A company that supposedly guarantees security flatly refused to provide any evidence that its rules had been violated.

From the last chat with tech support:

You 01:20
You have written "We strive to respond to standard support tickets within the same business day." but I have been waiting for a response for a week now.

Vinson 01:20
Hi, Welcome to Sectigo SSL Validation!
Let me check your case status, please hold on for a minute.
I have checked and the order has been revoked due to malware/fraud/phishing by our higher official.

You 01:28
I am sure that this is your mistake, so I ask for proof.
I've never had malware/fraud/phishing.

Vinson 01:30
I'm sorry Alexander. I have double checked and the order has been revoked due to malware/fraud/phishing by our higher official.

You 01:31
In which file did you see the virus? Is there a link to virustotal? I do not accept your answer because there is no proof in it. I paid money for this certificate and I have the right to know why my money is taken from me by force.
If you cannot provide proof, then the certificate was revoked unfairly and you must return the money. Otherwise, what is the meaning of your work if you revoke certificates without proof?

Vinson 01:34
I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.
Also as per refund policy, we will not be able to refund after 30 days from the date of issuance.

You 01:35
Why do you think this is not a mistake or a false positive?

Vinson 01:36
I'm sorry Alexander. As per our higher officials report, the order has been revoked due to malware/fraud/phishing.

You 01:37
No need to apologize, I paid the money and I want to see proof that I violated your rules. It's simple.
I paid for three years, then you came up with a reason and left me without a certificate and without proof of my guilt.

Vinson 01:43
I understand your concern. The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.

You 01:45
It seems that you don't understand. Where have you seen a court that passes sentence without proof? That is exactly what you did. I have never had malware. Why do you not provide proof, if there is any? What specific proof is the certificate revocation based on?

Vinson 01:46
I'm sorry Alexander. As per our higher officials report, the order has been revoked due to malware/fraud/phishing.

You 01:47
Who can I ask to find out the real reason for revoking the certificate?
If you can't answer, tell me who to contact.

Vinson 01:48
Please submit a ticket again using the link below so that you receive a response as early as possible.
sectigo.com/support-ticket

You 01:48
Thank You.

This outcome is not an isolated case: throughout all the chat negotiations they at best repeated the same thing, and tickets either go unanswered or receive equally useless replies.

Creating a ticket again. My request:
I require proof that I violated a rule that led to the revocation. I bought a certificate and want to know why my money is being taken from me.
"malware/fraud/phishing" is not an answer! In which file did you see the virus? Is there a link to VirusTotal? Please provide proof or return the money; I'm tired of writing to technical support and have been waiting for more than a week.
Thank You.

Their answer:
The code signing certificate has been reported for distributing malware. As per industry guidelines: Sectigo as a Certificate Authority is required to revoke the certificate.
Any hope that it will not be a monkey answering me has completely vanished. An interesting scheme emerges:

  1. We sell certificates.
  2. We wait more than six months, so that a dispute can no longer be opened through PayPal.
  3. We revoke and wait for the next order. Profit!

Since I have no other means of influencing them, all I can do is make their fraud public. When buying a certificate from Comodo, aka Sectigo, you may run into the same situation.

June 9th update:
Today I notified CodeSignCert (the reseller through which I bought the certificate) that, since they had stopped responding, I was putting the situation up for public discussion, with a link to this article. After some time they finally sent a VirusTotal screenshot showing the hash of the program EzvitUpd:
VirusTotal: d92299c3f7791f0ebb7a6975f4295792fbbf75440cb1f47ef9190f2a4731d425

My assessment of the situation:
I can confidently say that this is a false positive. Indicators:

  1. Generic detection names in most of the positives.
  2. No positives from the leading antivirus vendors.

It is hard to say what exactly triggered the antivirus engines, and since the file is quite old (it was created almost a year ago) I no longer had the source code of version 1.6.1 to rebuild that exact binary. I do have the latest version 1.6.5, however, and with the code base essentially unchanged the differences between them are minimal, yet it produces no such false positive:
VirusTotal: c247d8c30eff4449c49dfc244040fc48bce4bba3e0890799de9f83e7a59310eb
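To make the two indicators above checkable rather than a matter of reading a screenshot, here is an added PowerShell example (not from the original article) that applies them to a VirusTotal API v3 file report. The embedded JSON is constructed sample data, not the real report for either hash above; the list of "leading" engines, the name fragments treated as generic, and the "more than half generic, zero leader detections" threshold are assumptions you should adjust to your own judgement.

```powershell
# Added example, not part of the original article: triage a VirusTotal v3 file report
# with the two false-positive indicators from the post. The JSON below is constructed
# sample data, not the real report for the hashes mentioned above.
$sampleReportJson = @'
{
  "data": {
    "attributes": {
      "last_analysis_results": {
        "VendorA":     { "category": "malicious",  "result": "Gen:Variant.Trojan.Generic.9999" },
        "VendorB":     { "category": "malicious",  "result": "Trojan.Generic!ml" },
        "VendorC":     { "category": "malicious",  "result": "HEUR:Suspicious.Win32.Agent" },
        "VendorD":     { "category": "malicious",  "result": "Win32.Trojan.SpecificFamily" },
        "Kaspersky":   { "category": "undetected", "result": null },
        "Microsoft":   { "category": "undetected", "result": null },
        "ESET-NOD32":  { "category": "undetected", "result": null },
        "BitDefender": { "category": "undetected", "result": null }
      }
    }
  }
}
'@

function Get-VtFileReport {
    # Fetch the live report for a local file by its SHA-256. Not called below: it needs
    # network access and a VirusTotal API key (v3 uses the x-apikey header).
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ApiKey)
    $sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
    Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$sha256" -Headers @{ 'x-apikey' = $ApiKey }
}

function Test-LikelyFalsePositive {
    param(
        [Parameter(Mandatory)]$Report,   # parsed v3 report object (output of ConvertFrom-Json / Invoke-RestMethod)
        # Assumptions: which engines count as "leaders", and which name fragments mean "generic/heuristic".
        [string[]]$LeadingEngines = @('Kaspersky', 'Microsoft', 'ESET-NOD32', 'BitDefender'),
        [string[]]$GenericMarkers = @('Generic', 'Gen:', 'HEUR', 'Suspicious', 'Variant', 'Agent', '!ml')
    )
    $results = $Report.data.attributes.last_analysis_results

    # Collect only engines that actually flagged the file as malicious.
    $hits = New-Object System.Collections.Generic.List[object]
    foreach ($p in $results.PSObject.Properties) {
        if ($p.Value.category -eq 'malicious') {
            $hits.Add([pscustomobject]@{ Engine = $p.Name; Result = [string]$p.Value.result })
        }
    }

    $isGeneric = { param($name) @($GenericMarkers | Where-Object { $name -like "*$_*" }).Count -gt 0 }
    $generic  = @($hits | Where-Object { & $isGeneric $_.Result })
    $specific = @($hits | Where-Object { -not (& $isGeneric $_.Result) })
    $leaders  = @($hits | Where-Object { $LeadingEngines -contains $_.Engine })

    [pscustomobject]@{
        Detections          = $hits.Count
        GenericDetections   = $generic.Count
        LeaderDetections    = $leaders.Count
        # Indicator 1: generic names dominate; indicator 2: none of the leaders flagged it.
        LikelyFalsePositive = ($hits.Count -gt 0) -and ($leaders.Count -eq 0) -and (2 * $generic.Count -gt $hits.Count)
        # Named (non-generic) detections deserve a closer look even when the verdict says false positive.
        NamedDetections     = ($specific | ForEach-Object { "$($_.Engine): $($_.Result)" }) -join '; '
    }
}

# Run on the constructed sample: 4 detections, 3 generic, 0 from leaders -> LikelyFalsePositive = True,
# with "VendorD: Win32.Trojan.SpecificFamily" listed under NamedDetections.
Test-LikelyFalsePositive -Report (ConvertFrom-Json $sampleReportJson) | Format-List
```

The verdict is a triage aid, not proof either way: the strongest evidence remains a reproducible build of the flagged version from source with a matching hash, which is exactly what was not possible for 1.6.1 here, so the comparison with the near-identical 1.6.5 build is the next best thing.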

CodeSignCert has been notified of the false positive; the article will be updated with the further results of the negotiations until the situation is fully resolved.

Source: habr.com
