Ask HN: How to report/revoke malicious Comodo code signing certificate?

2 points by bwblabs ↗ HN
Just came across this page: http://update-for-pc-1024.com/?dist_id=365&channel=ac_h1gv&v=icrs&c=e7982022e2acb355c97cb18725d4df5e

Which serves 'adobe_flash_setup.exe' which is signed with COMODO Code Signing certificate of OOO "Finans Servis", proezd Serebryakova 6, 129323 Moscow, Russia. It's also found under different names, see http://www.herdprotect.com/adobe_flash_setup.exe-b6e4cc61a87f6633f5ef683be5525f9686475a4f.aspx .

I think this is at least they violate '1.6. Restrictions. Subscriber shall not: (i) impersonate or misrepresent Subscriber’s affiliation with any entity,' and also '3. Revocation. Comodo may revoke a Certificate if Comodo believes that: (xi) the Certificate was issued to publishers of malicious software; (xii) the Certificate may have been used to digitally sign hostile code, including spyware or other malicious software;' - https://www.comodo.com/repository/docs/code-signing-subscriber-agreement.pdf

But how to report such an issue? I cannot find any security related email address on the Comodo website.

3 comments

[ 10.8 ms ] story [ 190 ms ] thread
Sorry to ask, but what have you tried so far to contact them? (assuming they don't read hackernews)

There is a 'contact us' page on comodo.com with email addresses and toll free phone numbers. More phone numbers on the support page. A live chat on the sales page. Facebook, Twitter, G+ account are linked.

Yes, by email: abuse@comodo.com (the only non sales address I could find), no response yet.

I looked at the Twitter & Facebook but they looked pretty dead. No replies @comododesktop (https://twitter.com/comododesktop/with_replies), idem for FB account (https://www.facebook.com/ComodoHome), no replies on the comments I see on FB.

Also both FB & Twitter are about non CA-products, so I was hoping for a security contact form, email address, chat or phone line..

Ok, just got a (signed) message back from Robin Alden (CTO): "This certificate has been revoked.", in the CC was: signedmalwarealert@comodo.com , so that seems to be the (internal) email address.