The Internet

Cert Slamming, or, Desperate Companies Behaving Badly 186

the special sauce writes "A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company were all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows...
the special sauce Continues: "For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusingly similar to a GeoTrust product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.

So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host fewer certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."

  • Of course it is. (Score:5, Insightful)

    by FreeLinux ( 555387 ) on Wednesday July 24, 2002 @06:23PM (#3947765)
    Sure it's Cert slamming. There's no doubt about that. The problem is though, that to date there is no law against it. That's right, perfectly legal. For example I have on my desk a letter from "The Administrative Office of RPR/OFV Records Division". It looks vaguely like something from the IRS, certainly it is from some government agency. When I open it, it looks like a check for $1600 and a ticket for a cruise. Of course, it is all a bogus marketing scam. Probably trying to sell time shares. It's totally and intentionally misleading but, at the same time it is still legal.

    Furthermore I wouldn't look for a law against it any time soon. Things like certificates and how they work are a bit on the technical side, at least for our poor overworked legislators. They have a lot of catching up to do and are currently bogged down trying to stop the MP3 swappers from being the scourge of humanity that they are.

  • by pongo000 ( 97357 ) on Wednesday July 24, 2002 @06:30PM (#3947803)
    "Slamming" is generally recognized as the process of subscribing a user to a new product or service without their express permission. Sounds to me like Comodo is simply taking advantage of publicly-available information to market their own product. Since when is this a crime? Here are some other examples of companies using public information to market their own products:
    • A company uses publicly-available vehicle registration information to pitch extended warranties.
    • A tax company uses public appraisal tax rolls to offer their assistance in filing appraisal appeals.
    • A company sends a homeowner a form and fee request to file a homestead exemption, again using information from public tax rolls.
    • An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).
    • A doctor's office uses publicly-available information to notify a pilot that it's time for him/her to renew their medical certificate.
    In all these cases, companies are pitching their wares using public information, knowing full well that a small percentage of the population will choose not to check the details. Exploitive? Maybe...but certainly not illegal. And it can't even remotely be considered slamming.

    It even looks like Comodo was very straightforward with you when you requested additional information. I see no attempt by Comodo to obfuscate their purpose.
  • Difference (Score:1, Insightful)

    by MattCohn.com ( 555899 ) on Wednesday July 24, 2002 @06:31PM (#3947815)
    I read both notices and it seems like the VeriSign one was much more confusing than the one from Comodo.

    In the VeriSign renewal form, it had no indication that they were not your registrar to begin with. However in the Comodo email it had wording such as...

    why not upgrade your Certificate with Comodo and join our many customers

    That made it clear to me that this wasn't sent to a current customer of Comodo.
  • Trust (Score:5, Insightful)

    by flonker ( 526111 ) on Wednesday July 24, 2002 @06:42PM (#3947873)
    SSL and crypto in general is all about trust. Would you trust someone who engages in deceptive marketing? Then again, so does Verisign, with their domain stuff. Are there any good certificate issuers?
  • by g051051 ( 71145 ) on Wednesday July 24, 2002 @07:11PM (#3948002)
    Just to clarify, Equifax sold just the small part of its business that was concerned with certificate management to GeoTrust. Equifax is still an independent company with lots of other businesses. (Yes, I work for Equifax).
  • by Anonymous Coward on Wednesday July 24, 2002 @07:27PM (#3948068)
    How? If any of a number of spammers joe-jobs my site or my resume to a few million people (because I complained to their ISP about spamming me) through an open relay in East Fnordistan with no logs, what sort of "legal action" against an untraceable sender would establish that I didn't consent to the spamvertising? What if I can't afford a lawyer?
  • by uberdave ( 526529 ) on Wednesday July 24, 2002 @07:29PM (#3948078) Homepage
    There is no deception here. It's a simple advertisement asking you to switch.

    The words renew, remind, upgrade, and expire (or variants thereof) occur 15 times.

    The words switch, transfer, move (or variants) do not occur.

    The word new does occur once, but in relation to the certificate, not the issuer.
  • by Darth_brooks ( 180756 ) <[clipper377] [at] [gmail.com]> on Wednesday July 24, 2002 @07:34PM (#3948106) Homepage
    "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

    They aren't trying to 'inform', they're hard selling, in bad faith. They're misleading consumers into thinking there is no alternative. It's opportunistic, and pretty close to criminal.

    An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).

    I get notices from insurance agencies, credit card companies and any number of other bulk mailers. The difference is, they are out in the open about wanting to sell me a product I don't have, or informing me I have an alternative to the products I may already be using.

    These companies are playing dumb. "aww shucks, you mean folks didn't realize they didn't HAVE to re-up with us? well, gosh golly, i guess we'll be more careful next time." A mailing could just as easily be sent out that says "we noticed that your domain name / cert is about to expire. Please consider us as an alternative when you renew." That'd be a company hawking their wares. What they're doing now is a clearly deceptive business practice. Slamming just happens to be the closest description.
  • by TheMidget ( 512188 ) on Thursday July 25, 2002 @03:37AM (#3949898)
    They aren't trying to 'inform', they're hard selling, in bad faith.

    Doesn't look like this to me. Just look at the following sentence of their e-mail:

    Before you renew please read the following important information from Comodo.

    To me, this looks like they aren't pretending to renew the certificate (prolonging the service with the same company), but rather proposing an alternative (i.e. switching companies). If they were pretending to be the same company they'd have said something like "Please read the following important information from Comodo for instructions on renewing your certificate". And they would also avoid naming two different companies (Equifax and Comodo) in the mail. Indeed, why mention the customer's existing supplier (Equifax) if you attempt to make the customer believe that he is already with you (Comodo)? To me this doesn't look like deception, but merely like the over-reaction from the customer, who wrongly assumes that all businesses are as sleazy as Verisign or those toner companies.

  • Re:WTF? sumbags (Score:2, Insightful)

    by WickerChap ( 591994 ) on Thursday July 25, 2002 @06:48AM (#3950245)
    Equifax should have no hand in your credit rating. They collate the information about your credit HISTORY and let finance companies access that data to score you on how high a risk you are. If your credit history sucks, you caused it. If it is wrong, challenge it. All "credit agencies" have a legal obligation to correct the information, if it is brought to their attention as incorrect.
