Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Internet

Cert Slamming, or, Desperate Companies Behaving Badly 186

the special sauce writes "A few months back, our customers (we run a regional ISP) started receiving deceptive domain renewal notices from Verisign and Verisign partners such as Interland. A couple of our customers temporarily lost their domains in the process as the registrant, contact information and hosting company was all changed. Yesterday, I received an e-mail from a customer. He was forwarding a "reminder" e-mail he had received. It was an SSL certificate "renewal" notice from a UK company, Comodo. It instructed him to "upgrade" his current certificate (issued by Equifax) before it expired." More information on this charming practice follows...
the special sauce Continues: "For those who don't know, Equifax was just bought out by GeoTrust, who offers a QuickSSL product. Comodo's e-mail was advertising an "InstantSSL" product, which I myself mistook for the GeoTrust product on first reading the e-mail. When I realized my mistake, I contacted Comodo and inquired as to their relationships with Equifax and GeoTrust and how they came by my customer's information. The response: "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

My interpretation: Comodo is harvesting contact information from certificates in bad faith, to market a competing product. Furthermore, I think they have targeted Equifax customers because the company was just bought out. In any buyout, confusion exists as to the "new" company's identity. I think they are offering a product whose name is confusing similar to a GeoTrust's product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates. In reality, if my customer had clicked the links in the e-mail, he would have been purchasing a new certificate from a company with which he had no previous relationship.

So I ask, is this not cert slamming? I don't expect this to be as big a problem as Verisign's domain slamming: we simply host less certificates than domains so it is easier to warn all of our customers with secured web sites. Nevertheless, I've reported the practice to the FTC."

This discussion has been archived. No new comments can be posted.

Cert Slamming, or, Desperate Companies Behaving Badly

Comments Filter:
  • Recent case (Score:2, Interesting)

    by essdodson ( 466448 )
    There was a recent ruling against Verisign for this activity. Because of their deceptive mailings I will _NEVER_ consider using them as my registrar.
    • Re:Recent case (Score:3, Interesting)

      by uncoveror ( 570620 )
      I got those notices myself for Uncoveror.com, uncoverer.com, and dontbuycds.org, but my e-mail from GoDaddy warning me that they are bogus came first, and I was not fooled. I hope everyone behind this scam goes to the slammer, and finds out several times per day why it's called that.
  • Slamming? (Score:3, Informative)

    by doc_traig ( 453913 ) on Wednesday July 24, 2002 @06:16PM (#3947728) Homepage Journal

    Don't customers have to have their service provider actually changed (w/o authorization) for the practice to be considered slamming?

    I mean, what's described here is disgusting, but I don't know that the terminology fits.

    - DDT
    • The supposedly deceptive letter linked doesn't seem too deceptive to me. To quote:
      So why not upgrade your Certificate with Comodo and join our many customers,
      including the US Government and some of the world's largest organisations.
      This is obnoxious spam, but it's not nearly as bad as it's being made to sound.
    • It should probably be considered "deceptive advertising" - I know there's a law against making advertisements that look like invoices (which this one does) in the US - instead of "slamming".

      Regardless of what you call it, though, it's a sleazy practice. If a company has to trick you into buying their services, what does that say about them and their services?
    • What exactly is disgusting about it? I mean did you actually read the email? It's plain english that they are not trying to slam in any way. It doesn't say anywhere "we are your registrar". It's a solicitation of service that is targeted, no different from other mailing lists and everything else used. People should grow a clue and if they're going to bitch at least bitch about the right things.
  • So, wait... (Score:5, Funny)

    by Mike Schiraldi ( 18296 ) on Wednesday July 24, 2002 @06:16PM (#3947734) Homepage Journal
    What exactly does this story have to do with VeriSign?

    If we're going to start working slams against companies we don't like into unrelated stories, we should at least cover all the bases by saying something tangential about Microsoft or an RIAA member while we're at it.
    • Re:So, wait... (Score:3, Informative)

      by sylvester ( 98418 )
      What exactly does this story have to do with VeriSign?

      This. [slashdot.org] I'll refrain from snide comments. :-)

      • I'll refrain from snide comments.

        That's probably for the best, because you would just be more wrong. Verisign was sending out deceptive notices. There is NOTHING deceptive about this. It's just a simple advertisement.

        • Don't you think that calling their offering a RENEWAL is deceptive? It is a new and different certificate from the one that is expiring. It is not a renewal, it is a replacement.
          • Don't you think that calling their offering a RENEWAL is deceptive?

            Let's review the wording:

            "Did you know that your current SSL Certificate protecting [customer domain] will expire in only 60 days? "Before you renew please read the following important information from Comodo. "We offer SSL certificates that provide;"

            Note the "BEFORE you renew". Note the "We offer". Note that a list of services follows this, along with pricing. Please explain how this can be interpreted as a renewal notice coming from your certificate authority.

            As for the "upgrade", I certainly would consider it an upgrade of service to pay only $49 rather than the rip-off $1000 that Verisign charges.

            • Lets review the rest of the wording:

              1 year renewal ($49):
              2 year renewal ($89):
              3 year renewal ($125):

              If you renew now with Comodo we will extend the lifetime of your new Certificate by 60 days at no extra cost - allowing you to begin using your upgraded Certificate immediately.

              What they are selling is not an renewal nor an upgrade of the current certification. It is a new certificate. I understand your arguement about the meaning of "upgrade", but I still think it is deceptive. If they were trying to be up front about what they are selling you, then they would say something like "Instead of renewing your old certificate before it expires, you should buy a new, better certificate from us. Its a better deal and we promise you won't regret it." But they don't, they make an ambiguous pitch.
              • I think you're being a little over critical of the wording. We can debate the exact meaning of "upgrade" or what word might be better, but the overall point is whether this e-mail can be misinterpreted as a renewal notice from your current certificate provider. And I don't think there is any chance of that.

                In fact, that's not even the overall question. The pertinent question is whether there is any deliberate attempt at deception, and I think that's even harder to make the claim. If they are trying to deceive people, then it's pretty damn piss-poor job of it.

                • Well, it's really easy to not be fooled by the notice when you already know it's not from your provider. The customers in question, however, are receiving a timely "renewal" notice at a time when their current provider's identity is in flux. It's quite easy to see how they can be confused.

                  The wording is not the sole reason for the spam being (decidedly) deceptive. The repeated use of "renewal" and "upgrade" only help to assure the already unsuspecting customer that the notice is from their current, recently bought-out provider. Those who go in with more caution will have the red flag raised by a more careful reading (as you've done) of the actual language of the notice.

                  Without question, people should be more cautious when it comes to such things. However, not everyone's going to catch on to everything all of the time -- a lot of bright people have been known to fall for April Fool's jokes every now and then. It's much easier to overlook the clues that more objective/critical readers spot when you don't have a reason to suspect something's wrong.

              • What they are selling is not an renewal nor an upgrade of the current certification. It is a new certificate.

                You can't really renew a certificate, because the validity dates are (and must be) part of the certificate. So a new certificate will be needed after the existing one expires, whether or not the domain holder gets it from the same CA.

                • It is a renewal. You had a valid certificate before, you will have a valid certificate after. It MAY be borderline sleazy, just as I consider legit cold calls from MCI to be sleazy (anyone have that lawyer from Washington's info? The one that sues spammers and telemarketers after he tells them to cease and desist?). It ISN'T decepetive, as near as I can tell though. You can't fool all of the people all the time, but you can for some of the people whether you want to or not.
    • Verisign started the trend and provided a similar case. Thus, including them as an example of what's going on provides a nice context for the story.
  • I switched from one of the big evil registar companys to Go Daddy [godaddy.com] and I've gotten far less of this sort of spam.
  • sure verisign doesn't have a stake in Comodo? heh..
  • Verisign doesnt care (Score:5, Interesting)

    by www.sorehands.com ( 142825 ) on Wednesday July 24, 2002 @06:20PM (#3947746) Homepage
    Verisign doesnt care, why should anyone else?

    Verisign only complains if anything takes money from them. If they don't lose money, they don't care.

    I spoke with a person at Verisign about an obvously false whois registration, that belongs to a spammer. This clearly violates ICANN rules, but Verisign does not want to hear it.

    • by Anonymous Coward
      Do you even know what you're talking about? I worked for Verisign for a couple of years and saw a totally different picture. Verisign does alot of work for the internet community. They pump millions each year into investigating violations into the ICANN rules. The problem is that the problem is that rule breaking has become to widespread for them to tackle every situation. The system is flawed, but good companies like Verisign recieve the blame. I suggest you actually look into the situation before you start making accusations at a single company.
      • Wow.

        So Mr. Coward worked for VeriSign? This explains the penis bird and the goat trolling.

        - RLJ

      • Verisign is not "a good company." It is, other than one particular tow-truck company, the worst company I have ever done business with, or had to deal with in any other way. Over that last six years, I have never had what I would call a good experience with them. Each and every one has been annoying, agonizing, and more time-consuming than necessary.

        I don't care what your internal view of the company was like. From the outside -- which is what counts to us consumers -- Verisign and Network "Solutions" suck. There is no two ways about it.
        • ..other than one particular tow-truck company...

          You live in Blacksburg, Va, don't you? You're of course refering to Tek Tow [tektowsucks.com]. The company that had over 3000 signatures on Petition Online [petitiononline.com] overnight wanting to shut it down, and remember how small Blacksburg is.

          One time they towed a mail truck. On sept 11, they towed people that had parked their cars at meters and lined up to give blood. They tow DD's from the bars downtown. And so forth.


      • As a Verisign customer (still - against my will) - I'll say they have the absolute worst customer service I've run across on the web.

        My domain was slammed over to Verisign. Called my old registrar to ask what was going on, they said it'd been transferred, so I called Verisign. They first told me that my registrar had been bought by them - complete fabrication. To retrieve my new "customer ID" and password, I had to fax something in to them (why not just send it to my registered e-mail address?) and wait 2 weeks.

        By now I was thinking "oh yay, I can transfer away now". But no - even though their WHOIS records say that the domain expires in March 2004, they rejected my transfer because it had "already expired". I'm still trying to get it back and am thinking I'll have to sue them.

        So, as a short response to Do you even know what you're talking about? - the answer is "yes, we do - Verisign sucks ass".
  • Of course it is. (Score:5, Insightful)

    by FreeLinux ( 555387 ) on Wednesday July 24, 2002 @06:23PM (#3947765)
    Sure it's Cert slamming. There's no doubt about that. The problem is though, that to date there is no law against it. That's right, perfectly legal. For example I have on my desk a letter from "The Admiistrative Office of RPR/OFV Records Division". It looks vaguely like something from the IRS, certainly it is from some government agency. When I open it, it looks like a check for $1600 and a ticket for a cruise. Of course, it is all a bogus marketing scam. Probably trying to sell time shares. It's totally and intentionally misleading but, at the same time it is still legal.

    Furthermore I wouldn't look for a law against it any time soon. Things like certificates and how they work are a bit on the technical side, at least for our poor overworked legislators. They have a lot of catching up to do and are currently bogged down trying to stop the MP3 swappers from being the scurge of humanity that they are.

    • The problem is though, that to date there is no law against it.

      Does every new kind of fraud require a new law? Isn't it enough to say that they are deceiving consumers and shut them down?

      These sorts of scams look to me something for enforcement agents and courts to worry about, not lawmakers.

      • Exactly what kind of fraud is being commited here?

        All they did was to offer their services as a cert provider. They never claimed anyting untrue. Heck, their letter actually sounds down right friendly... but you would know that if you had read the letter.
        • Use of the word "upgrade" implies they have a legitimate connection with Equifax. I'd say they were misrepresenting themselves as agents of Equifax. Don't know if that is illegal, if they're defrauding anybody it's probably Equifax (i.e. they get the customer's money not Equifax).
    • Sure it's Cert slamming. There's no doubt about that.

      Did you actually read the letter? Please quote me the passages that could be misinterpreted as anything other than an advertisement.

    • "The Admiistrative Office of RPR/OFV Records Division"

      Usually I decide if they misspell "Administrative" it's probably a scam. Come to think of it that would sure explain of a lot of stories on slashdot...
    • Sure it's Cert slamming. There's no doubt about that.

      Yes there is. There's lots of doubt about it. It's not slamming at all. Weasely, perhaps, but not slamming.

    • The problem is though, that to date there is no law against it.

      Maybe not in the US, but as they are based in the UK I'm sure this would come under decpetive marketing.

      I'd report them to the UK Trading Standards [tradingstandards.gov.uk].

      (Miss representing yourself and products like that is very illegal. Quite a few of the electricity commpanies have been fined in the UK for deciving customers [readersdigest.co.uk] to sign for information, but in reality changing there electricity suplier)

  • I really think that whois records should be kept more private to stop things like this.

    What pisses me off is that I get SPAM snailmail from companies that get my address off my whois.

    I have gotten numerous emails from companies doing the same thing.

    Unfornutately it is legal because they have a size 5 disclaimer at the bottom
  • While I don't condone the spam advertising methods here, this is NOT comparable to Versign's shady practices. Verisign was sending out notices that tried to make people believe they were renewing their domains, but were actually switching providers.

    There is no deception here. It's a simple advertisement asking you to switch.

    Nothing to see here.

    • by uberdave ( 526529 )
      There is no deception here. It's a simple advertisement asking you to switch.

      The words renew, remind, upgrade, and expire (or variants thereof) occur 15 times

      The words switch, transfer, move (or variants) do not occur.

      The word new does occur once, but in relation to the certificate, not the issuer.
  • Riiiight.. (Score:3, Funny)

    by iONiUM ( 530420 ) on Wednesday July 24, 2002 @06:25PM (#3947778) Journal
    Verisign partners such as Interland

    Is it just me or are these internet companies' names getting more cheesy everyday?
    Soon we'll have CutCo, EdgeCom, and the ever waiting CompuGlobalHyperMegaNet joining the leagues of crap companies im sure.
  • by joeflies ( 529536 ) on Wednesday July 24, 2002 @06:25PM (#3947780)
    Anyone know if Comodo's cross-signed with another provider? I dont' see Comodo listed with their own top-level pre-trusted root in Konq 3.0 or Mozilla 1.0, so I sure hope they are cross-signed with someone.
    That would be truly unfortunate for the victim to fall for this and end up with a cert that nobody's browser trusts.
  • On a related noted, from CNN.com [cnn.com]
    • I'm disappointed that CNN doesn't even list the names it asserts are confusingly similar to corporate websites. But I have to think that the confusing similarity shouldn't matter in this case. IMHO, this IS a free speech issue, as I think that this man's political commentary that relates directly to the domain names in question SHOULD be considered a valid interest in the domain name.
  • This is nothing new! (Score:4, Informative)

    by Wrexs0ul ( 515885 ) <mmeier&racknine,com> on Wednesday July 24, 2002 @06:28PM (#3947795) Homepage
    Comodo is a spam-laden organization. I run a web hosting and network management firm in Edmonton and we've received countless offers for "CHEAP SSL" and other services from Comodo!

    It's been thoroughly discussed in other location such as WebHostingTalk.com which I suggest anyone interested in pursuing a Comodo service look at first. These guys actually responded in the forum with a nice show that they don't actually care who they spam provided it makes a buck.


  • Beware of con letters from "Domain Registry of
    Europe" (based in UK). They are trying the same
    scam as Verisign.
    • There's also the "Domain Registry of Canada" and the "Domain Registry of America". Wonder if it's the same outfit... they make 'em look like official govt. documents.
      • I had this with one of the afore-mentioned companies a few months ago. (I'm a coward and don't want to get into trouble, so I won't mention names [droa.com].) They got e-mail addresses for every listed contact from our whois record, and sent off letters to anyone for whom they could find an address, warning that our domain name registration was about to expire.

        Including our CEO.

        Who, not understanding what it was, and also not realizing that I'd only just renewed the domain name for five years and we weren't in any danger of losing our domain name until 2007, passed it on to the secretary with instructions to pay the bill.

        Now, in fairness, the letter is cunningly worded, and probably can't be technically construed as slamming; it gives you the option. But, hoo boy, is it slimey!

        The first I knew about it was when I started getting automated e-mails from our original registrar asking me to go through certain steps to authorize the name transfer. I tracked down what was happening, and got on the phone to Dom. Reg. of ***.

        Forget the long, boring, tedious arguments. And the appalling insolence and downright rudeness of their people. Just a few points...

        * They're used to complaints. Despite their protestation that I was only the second person who'd ever complained about this, as soon as you mention the word slamming they've got a rehearsed speech about the wording of paragraph five which they quote to prove it's not slamming. Uh-huh. Try doing a Google search on them and see if it's that rare a complaint.
        * They're unhelpful buggers. No matter when I called, I was always told that nobody who was there could help me with my complaint, and I'd have to call back.

        In the end, it works out okay. All you have to do is not authorize the transfer and they can't do anything about it, and they have to refund your money. Except for a processing fee. Trust me -- I argued and bitched and generally made a nuisance of myself by pointing out there was nothing in any of the correspondence we'd received or on their website about a processing fee, and we got the money back.

        But believe me; there is one company who is now boycotted for life in my books.
  • by pongo000 ( 97357 ) on Wednesday July 24, 2002 @06:30PM (#3947803)
    "Slamming" is generally recognized as the process of subscribing a user to a new product or service without their express permission. Sounds to me like Comodo is simply taking advantage of publicly-available information to market their own product. Since when is this a crime? Here are some other examples of companies using public information to market their own products:
    • A company uses publicly-available vehicle registration information to pitch extended warranties.
    • A tax company uses public appraisal tax rolls to offer their assistance in filing appraisal appeals.
    • A company sends a homeowner a form and fee request to file a homestead exemption, again using information from public tax rolls.
    • An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).
    • A doctor's office uses publicly-available information to notify a pilot that it's time for he/she to renew their medical certificate.
    In all these cases, companies are pitching their wares using public information, knowing full well that a small percentage of the population will choose not to check the details. Exploitive? Maybe...but certainly not illegal. And it can't even remotely be considered slamming.

    It even looks like Comodo was very straightforward with you when you requested additional information. I see no attempt by Comodo to obfuscate their purpose.
    • Bingo... (Score:3, Interesting)

      by Rev.LoveJoy ( 136856 )
      You're right on. This is simply more slimy marketing tactics from companies with bombing market shares.

      I cannot even count the number of bogus faxes / emails I have received telling me one of my domains (or some clever spelling thereof) is about to expire.

      Gee, marketing people are creepy slimeballs. I'm stunned. No. Really.

      -- RLJ

      • This is simply more slimy marketing tactics from companies with bombing market shares.

        Actually, Comodo's market share has been increasing dramatically, considering how small they started at. We use them at and they're great. Very responsive and sell a great product.

        In fact, I'm surprised more Slashdot-ians aren't ENCOURAGING Comodo. These are guys who are selling basic 128-bit certs for only $49! A FAR more reasonable price than either VeriSign (evil) or Thawte are charging...

      • If you're receiving a lot of unsolicited advertising faxes, you may want to check out http://www.junkfax.org/ to see how to fight back.

    • In all these cases, companies are pitching their wares using public information, knowing full well that a small percentage of the population will choose not to check the details. Exploitive? Maybe...but certainly not illegal. And it can't even remotely be considered slamming.

      I completely agree! And what you didn't point out (enough, I think) is that they had the CHOICE to read the email, the CHOICE to examine whether or not this was a good purchase decision, the CHOICE to get further information from Comodo (and Comodo made a good CHOICE by being honest), and the CHOICE to purchase the cert from Comodo, or any other company for that matter.

      Nevertheless, I've reported the practice to the FTC."

      This is exactly what's wrong with the Internet, at this point (IMHO). People are too used to government stepping in and 'protecting' them from 'overpowering' capitalist companies. ("Oh no -- look away, the SSL cert is too inviting ... don't stare directly at the cert!")

      Also, what happens if this was an overseas company? Who are you going to cry to then? Interpol?

      Give me a break -- Comodo is ingenius. I'm kicking myself for not starting up a company that sells certs and doing the same thing before they did. I'd be willing to bet that more folks will take advantage of this type of public information as they realize that Comodo and other companies are making a killing by 'out foxing' the competition.

    • Who died and made ICANN boss?

      Jon Postel, who is probably spinning in his grave.

      Note to moderators: Self modded down (no score +1) as OT.
    • Wow. That explains why so much of
      the product I endure at poetry-slamming
      night is so godawful - I've been signed up as a member of the audience without my express permission!

      Everything is clear now. Thanks, Slashdot!
    • So can I use my list of UUnet customers to market to them network connectivity from a company not entering into bankruptcy? It is public information.

    • Well... It is Slamming if the email/form/letter looks like you're renewing an existing service with your current provider, even if the fine print states its switching service.

      Basically it comes down to "Permission", if your tricked, did you give permission? Phone companies will ask you to say, "I want to switch service" and record it. Do you see this level of candidness, that the customer is 100% clear on his actions? Nope.

    • "We have no relationship with Equifax or GeoTrust. The information on a certificate is public information which we have used to inform this company that they have an option when they come to buy their certificate."

      They aren't trying to 'inform', they're hard selling, in bad faith. They're misleading consumers into thinking there is no alternative. It's opportunistic, and pretty close to criminal.

      An insurance company sends a "reminder" about homeowner insurance renewal, using information publicly available in some states (usually loan information).

      I get notices from insurance agencies, credit card companies and any number of other bulk mailers. The difference is, they are out in the open about wanting to sell me a product i don't have, or informing me i have an alternative to the products i may already be using.

      These companies are playing dumb. "aww shucks, you mean folks didn't realize they didn't HAVE to re-up with us? well, gosh golly, i guess we'll be more careful next time." A mailing could just as easily be sent out that says "we noticed that your domain name / cert is about to expire. Please consider us as an alternative when you renew." That'd be a company hawking their wares. What they're doing now is a clearly deceptive business practice. Slamming just happens to be the closest description.
      • They aren't trying to 'inform', they're hard selling, in bad faith.

        Doesn't look like this to me. Just look at the following sentence of their e-mail:

        Before you renew please read the following important information from Comodo.

        To me, this looks like they aren't pretending to renew the certificate (prolonging the service with the same company), but rather proposing an alternative (i.e. switching companies). If they were pretending to be the same company they'd have said something like "Please read the following important information from Comodo for instructions on renewing your certificate". And they would also avoid naming two different companies (Equifax and Comodo) in the mail. Indeed, why mention the customer's existing supplier (Equifax) if you attempt to make the customer believe that he is already with you (Comodo)? To me this doesn't look like deception, but merely like the over-reaction from the customer, who wrongly assumes that all businesses are as sleazy as Verisign or those toner companies.

        • The problem with that argument is that the actual company you have a business relationship could also use that language if they want you to switch "plans".

          Couple that with the use of the term "upgrade" and it sounds very much like a sales pitch from your current company to get something with a few more perks on your next cycle.

    • I think they are offering a product whose name is confusing similar to a GeoTrust's product. The language in their e-mail does everything possible to obfuscate the fact that they are not affiliated with Equifax, encouraging customers to "renew" and "upgrade" their certificates.

      IANAL. Now, of course you have to consider that it's up to a court to determine whether a servicemark or trademark is being infringed upon, but "confusingly similar" certainly meets the standard for infringement. However, the special sauce got a different reading than I did - no doubt coloured by the fact that Comodo [brings visions of flushing to mind] spammed his customers for competing (and probably lame) products. I'd be pissed too.

      However, my reading of the spam was that it's pretty straightforward. There's obsfucation, but it's arguable that they consider their product an "upgrade" in much the same way Microsoft salesdrones consider W2K Server an "upgrade" to your favorite Unix/Linux distro. Companies often offer "renewals" or "competitive upgrades" to entice users to switch from Brand X.

      IMHO, what Verisign has done in its spam "renewal" campaign is fraudulent. In a related anecdote, I've found it next to impossible to move my domains to another registrar; hell, I've had problems just moving them between hosting services.

      But, back to the topic, Comodo [flush] ain't slamming, I've experienced that joy on two occasions. BellSouth got a new Access app that had a *required* a selection from a lookup table of long distance providers. The default at the time was AT&T. I went from *no long distance* (I *PAID* a monthly fee for disabling long distance. Not that it mattered, because BellSouth was perfectly happy to sign me up with AT&T for my non-existent long-distance service at a $15 a month fee. I still haven't found out how much they got for it, but after repeated phone calls and legal threats I enjoyed 8 months of free local phone service to settle the matter. Of course, that was after about 8 weeks of haranguing dozens of people - your mileage may vary.

      Second was when I ordered DirecTV DSL for one of my company's East Texas offices. As in most places, the local Bell does the actual activation - molasses slow for competitors' customers, blazing quick (in comparison) for Bell customers. But I signed up for DirecTV DSL and SouthWestern Bell *canceled* that work order, telling DirecTV DSL that we'd already signed up with SouthWestern Bell; a blatant lie. Still dealing with that one.

  • Difference (Score:1, Insightful)

    I read both notices and it seems like the VeriSign one was much more confusing then the one from Comondo.

    In the VeriSign renewal form, it had no indication that they were not your registar to begin with. However in the Comondo email it had wording such as...

    why not upgrade your Certificate with Comodo and join our many customers

    That made it clear to me that this wasn't sent to a current customer of Comondo.
  • by sh0rtie ( 455432 ) on Wednesday July 24, 2002 @06:31PM (#3947817)

    If this company is UK based i would advise you to report them to the Office of fair trading [oft.gov.uk] and the UK Trading Standards [tradingstandards.gov.uk] , these kinds of practices are despicable and the OFT and TS do not take kindly to this sort of behaviour
  • by Jacco de Leeuw ( 4646 ) on Wednesday July 24, 2002 @06:36PM (#3947838) Homepage
    So Comodo spams website owners. As a result, the website owners might get tricked into buying this cert "renewal".

    But who makes the Certificate Signing Request for website owners? In most cases the company hosting the web site. (Unless it's co-location).

    I expect competent tech support personnel to filter out these bogus certificate renewals immediately.

  • by Audent ( 35893 ) <audent@ilovebiscuits. c o m> on Wednesday July 24, 2002 @06:36PM (#3947843) Homepage
    Yup, even in the southern hemisphere it's happening.
    Internet Name Group (no URL any more that I can find) and Internet Registry have both been trying it on in Ausralia and New Zealand. The ACCC (commerce department in Aus) and the Commerce Commission in NZ are both keeping an eye on the matter.
    Stories on the subject here:
    http://www.idg.net.nz/webhome.nsf/nl/D6AC0A 53F05EC FC6CC256ABF00090DE4

    and here:

    http://www.idg.net.nz/webhome.nsf/nl/A8539751DEE A2 77DCC256BC9000CA1D2

    apologies for the evil links... goddam Notes.
  • Trust (Score:5, Insightful)

    by flonker ( 526111 ) on Wednesday July 24, 2002 @06:42PM (#3947873)
    SSL and crypto in general is all about trust. Would you trust someone who engages in deceptive marketing? Then again, so does Verisign, with their domain stuff. Are there any good certificate issuers?
    • We use Thawte [thawte.com]. I haven't seen any deceptive marketing practices from them. They have a root cert in just about every browser I've seen. Plus their certs are only $150 and $125 to renew. They also offer wildcard certs (*.netmar.com), but those are 1.) rediculously expensive, and 2.) IE doesn't deal with them well, it still gives an error message about the site not matching the name on the cert. Insert random conspiracy theory about verisign's involvemenet with Microsoft.

      Basically, what you look for in an SSL cert is trust, price, and that it's in I.E. And I hate to say it, but of the people that issue certs, the only one that anyone in the general public has heard of is Verisign. (commercials - the value of trust, listed on nasdaq... Would I be proud to be listed on nasdaq nowadays?) If you're a webhosting provider, yes trust is important, and principles are important, but it's not the reason I would choose thawte over verisign, that would be price. Your customers most likely will never see who signs the cert as long as it's included in I.E. You would never want to use a cert that was included in moz, konq, galeon, netscape, but not in I.E. - You'll alienate 90% of the web.

      It just so happens that I trust Thawte, and they are cheaper than Verisign. It's a good combination.


      • I can't bring myself to believe that a wildcard cert could possibly be a good idea. If my browser accepted them, I think I'd be looking for the option to turn them off.
        • I don't think it would be such a bad idea. It would save you from having to buy a different cert, not only for different machines (we're about to buy one for homer.netmar.com), but also aliases - as in www.netmar.com and netmar.com don't need a different cert.

          You'd still have to have the default.key and default.cert, and as long as you held on to them, you wouldn't have problems. Obviously, you wouldn't let your dedicated server clients have access to it, even though they have a primary hostname of company.netmar.com. But having the wildcard would mean that I wouldn't have to buy 3 certs for netmar.com, www.netmar.com, and homer.netmar.com. It would just be easier.

          What do you see as the security risk? If they're only on our shared servers, and only we have access to httpd.conf, I'm missing how it could be used against us.

          Not that it's not a moot point, they're not supported in I.E., so we're not doing it.


  • My interpretation: Comodo is harvesting contact information from certificates in bad faith

    The term "harvesting" seems to imply that they did honest work (like a farmer) to get to the position where they could then reap the rewards. May I suggest that the term "strip mining" might be more accurately descriptive of what's going on here?
  • by Animats ( 122034 ) on Wednesday July 24, 2002 @06:45PM (#3947894) Homepage
    It's becoming clear that we need spam laws which provide for a penalty against the beneficiary of a spam, even if they did not originate it. An acceptable defense would be that the beneficiary had taken legal action against the spammer. That would make third-party spam actionable. (It may be, anyway, but it's a bigger legal battle under current law. I've been talking to an an anti-spam lawyer, and he's unwilling to take on Verisign because they have too much money.)
    • by Anonymous Coward
      How? If any of a number of spammers joe-jobs my site or my resume to a few million people (because I complained to their ISP about spamming me) through an open relay in East Fnordistan with no logs, what sort of "legal action" against an untraceable sender would establish that I didn't consent to the spamvertising? What if I can't afford a lawyer?
    • The problem with what you propose:

      I find an open relay and send out 300,000 spam advertisements claiming to come from Red Hat Linux. I am not affiliated with Red Hat Linux, in fact I actively oppose them as a company. This is the whole reason I sent out the spam.

      Red Hat Linux is forced to absorb a penalty for my actions?
  • Correct me if I am wrong but

    Registar information was ruled as non public..ie you cannot use for mass mailings through postal office, mass caling telemarketing, and mass emailing..

    Would not cert information be on the same plane?
  • They went to all the trouble to blur out the customer's address and items on the invoice, and then missed his info in smaller print, just plain as day.

    I wonder how this guy feels about that:
    Scott Rogers
    Cape Cod Computer Wholesalers
    P.O. Box 2842
    Orleans, MA 02653-6842

  • Just to clarify, Equifax sold just the small part of its business that was concerned with certificate management to GeoTrust. Equifax is still an independent company with lots of other businesses. (Yes, I work for Equifax).
  • I was kind of surprised to see this assertion. So I did a little due dilligence (I looked at the web sites of both parties). Nothing whatsoever in their press releases. I finally found it here http://www.equifax.com/DigitalCertificates/dc_pres s09252001.html Equifax sold their SSL Certificate business, not anything else, close to a year ago... They're still the same credit reporting, marketing and so forth company they've always been.
  • So look forward a few years when there's a possibility that you'll need a cert, or at least verification of your cert, in order to view/listen/watch something on your DRM enabled PC.

    Given the tactics in the story do you want to trust access to media that you own to companies that will screw each other (and us) as part of normal business practice?



  • by Mudcathi ( 584851 ) on Wednesday July 24, 2002 @08:05PM (#3948289) Journal
    In the mundane world of brick-and-mortar business, it's been my experience that sales activities sometimes go into a legal no-no land known as "tortious interference" -- specifically, interference with an existing client/vendor relationship that is based on a written contract.

    My attorney told me that if a contract exists, and I become aware that a competitor is trying to win my customer's business *prior* to the expiration of the contract between me & my customer, then the competitor can be sued for damages due to "tortious interference"...

    Most of the time, the competitor would back off until the contract was within 3 months or so of expiring. There were a couple of times, though, that we went to court - & got money both times for damages (customer for breach of contract, competitor for "TI").

    So how is this situation different from VeriSign, et al, slamming domain registrations? Why aren't the lawyers having a field day with this? Or are they, & I just missed the cloobus?

  • I guess you can complain as loud as you want, but there is no solution to people, trying to make money off "uneducated" customers/people. They will find a way. When founding a company in Germany, you will receive official looking letters asking you to pay a lot of euros to get listed in some register. At the 3rd look, they are scams. The bigger the company the more likely someone is going to pay these fees just be on the secure side (before your founding was illegal because you weren't listed?)
    I was in the same situation, and I'd like to have these companies sued, but they are stepping on a very fine, almost legal, but not 100% illegal line. And to be honest, for me it is easier to ignore and trash those scams than trying to fight someone in court.
  • by pjrc ( 134994 ) <paul@pjrc.com> on Wednesday July 24, 2002 @08:37PM (#3948474) Homepage Journal
    It's kind of ironic that the whole point of a SSL cert is to establish your site's true identity to the browser (where most users are not even aware of the certificate, the one true way that can tell who is going to receive their confidential information).

    And here we have a certificate authority (CA) who's masquerading as a competitor, in order to slam "subscribers" and certify their identity to end users.

  • If you currently have any domains registered by Verisign, immediately change to a different registrant and notify Verisign's customer service department as to exactly why you are doing it. Don't just threaten to do it, really do it. Even if you can't get a refund and have to shell out another $20 to somebody else, even if Verisign offers you incentives not to leave. Leave. And unless it makes you feel better don't waste your time crafting an eloquent manifesto, because they don't care about you or your moral arguments. They care about your money. Be clear, be blunt, and just take your business elsewhere.
    • If you currently have any domains registered by Verisign, immediately change to a different registrant and notify Verisign's customer service department as to exactly why you are doing it.

      But first, before you do that, you should read the article so you know that verisign was mentioned because it tried something similar with domain names, and is not involved in this at all. The company actually causing grief here is Comodo. (Though why anyone would name their company so close to commode I don't know. I'd feel like I was flushing money down the toilet everytime I dealt with them.)

  • Did you read the email? Sorry, I guess this would certainly qualify as a "company I don't want to do business with" but they plainly state that they are Comodo, and offer a supposedly better service/deal than you're getting now, etc. Shady, maybe, but you'd have to be a complete idiot (and hence maybe not the best network admin) to be fooled for even a second. It plainly states the company name "Comodo" many times. "Upgrade to Comodo's product" implies, to me, switching vendors.

    Given that it's obviously a sales email from a company with whom i do not do business, I would file it immediately in the spam bin, no further thought required. But I see no fraud.
  • We used to use Veri$ign/NetworkSolutions as our Registar, but due to too many problems (changing freeforms/faxforms, parking domainnames for no reason, fscked up database[*], and so on) we are moving all our domains to Tucows/OpenSRS and BulkRegister (trust me, we are not the only hosting provider in NL who does this).

    It also looks to me as if Veri$ign/NetworkSolution has made a pact with NameZero, since every domain which we host and has been registered through NameZero has become "parked" at NetworkSolutions.
    This can be very irritating for our customers (help! my domain doesn't work!), and the worst thing is that they never notify anyone about this (it's even worst because I get all these customers on the phone ;(.

    [*] A simple domaintransfer could take 3 months, only because Veri$ign/NetworkSolutions couldn't find the domain in it's database.

    In my personal opinion: Don't do business with Ver$ign/NetworkSolutions.
  • I don't see the problem here. I read the email (did you?) and it looked clearly to be a solicitation from Comodo to leave their current CA and join them.

    So why not upgrade your Certificate with Comodo and join our many customers,
    including the US Government and some of the world's largest organisations.
    Yes, join our many customers. That's clearly a "You're not one now, but we'd like you to be!"

    We are so confident that you will be satisfied with our products and service
    that we offer as standard, a 30 day money back guarantee.

    Does this sound like any company you currently do business with? Most companies I do business with sound like this when you're not a customer. Once you're a customer, it's "Here's your bill for next year."

    Move along, nothing to see. This is nothing more than a solicitation for business and an oversensitive recipient. There are enough valid targets for our annoyance with corporate lack of ethics without targeting a company which did nothing more than find people whose certs are expiring and let them know they have a choice.

  • If you believe this is fraud and/or computer crime committed by a UK individual or company you can report it here:

    http://www.nationalcrimesquad.police.uk/nhtuc/nh tc u.html

Time to take stock. Go home with some office supplies.