1 comment

[ 4.3 ms ] story [ 11.3 ms ] thread
The gist is this: they query whois information for contact email addresses, which are used for domain ownership verification. For some domains, this information is only provided in image form via a web service to prevent scraping. So Comodo ran those images through OCR. However, the OCR system reproducibly mistook a lowercase L for a 1 if the next symbol as a number, or 1 for a lowercase L if it was followed by a letter. The same applies to 0/O.

The whole concept of OCRing whois ownership info and issuing certificates based on that seems like a terrible idea...