Comodo Group

From Wikipedia, the free encyclopedia
Comodo Group, Inc.
Industry Computer software
Founded United Kingdom
(1998; 20 years ago (1998))[1]
Headquarters 1255 Broad Street, Clifton, New Jersey, United States
Area served
Key people
Melih Abdulhayoğlu (President and CEO)
Products Security software, Public key certificates, Advanced Endpoint Protection, Data Loss Prevention, POS Security, Enterprise Cyber Security Solutions
Services Computer security, Enterprise Cyber Security Solutions, Website Security
Number of employees

Comodo is a cyber security company headquartered in Clifton, New Jersey in the United States.

As of February 3rd 2017, Comodo is the largest issuer of SSL certificates.[2]


The company was founded in 1998 in the United Kingdom,[1] by Melih Abdulhayoğlu, who remains its CEO. The company relocated to the United States in 2004. Its products are focused on computer and internet security. The firm operates a Certificate Authority that issues SSL certificates, and offers information security products for both enterprises and consumers.[3] The company also helped on setting standards by contributing to the IETF (Internet Engineering Task Force) DNS Certification Authority Authorization (CAA) Resource Record.[4]


  • Comodo CA Limited: Based in City of Salford, Greater Manchester, UK,[5] is a digital certificate authority that issues SSL and other digital certificates. According to, Comodo is the largest digital certificate provider.[6]
  • Comodo Security Solutions, Inc: Based in Clifton, NJ, develops security software for commercial and consumer use.[7]
  • Based in Louisville, Kentucky, the company provides managed DNS services.[8]

Industry affiliations

Comodo is a member of the following industry organizations:

  • Certificate Authority Security Council (CASC): In February 2013, Comodo became a founding member of this industry advocacy organization dedicated to addressing industry issues and educating the public on internet security.[9][10]
  • Common Computing Security Standards Forum (CCSF): In 2009 Comodo was a founding member of the CCSF, an industry organization that promotes industry standards that protect end users. Comodo CEO Melih Abdulhayoğlu is considered the founder of the CCSF.[11]
  • CA/Browser Forum: In 2005, Comodo was a founding member of a new consortium of Certificate Authorities and web browser vendors dedicated to promoting industry standards and baseline requirements for internet security.[12][13] Melih Abdulhayoğlu invited top browser providers and certification authorities to a round table to discuss creation of a central authority responsible for delivering digital certificate issuance best practice guidelines.[14]



In response to Symantec's comment over the effectiveness of free Antivirus software, on September 18, 2010, the CEO of Comodo Group challenged Symantec to see which products can defend the consumer better against malware.[15] GCN'S John Breeden understood Comodo's stance on free Antivirus software and challenging Symantec: "This is actually a pretty smart move based on previous reviews of AV performance we've done in the GCN Lab. Our most recent AV review this year showed no functional difference between free and paid programs in terms of stopping viruses, and it's been that way for many years. In fact you have to go all the way back to 2006 to find an AV roundup where viruses were missed by some companies." [16]

Symantec responded saying that if Comodo is interested they should have their product included in tests by independent reviewers.[17]

Comodo volunteered to a Symantec vs. Comodo independent review.[18] Though this showdown did not take place, Comodo has since been included in multiple independent reviews with AV-Test,[19] PC World,[20] Best Antivirus Reviews,[21] AV-Comparatives,[22] and PC Mag.[23]

Certificate hacking

On March 23, 2011, Comodo posted a report that 8 days earlier, on 15 March 2011, a user account with an affiliate registration authority had been compromised and was used to create a new user account that issued nine certificate signing requests.[24] Nine certificates for seven domains were issued.[24] The attack was traced to IP address, which originates in Tehran, Iran.[24] Though the firm initially reported that the breach was the result of a "state-driven attack", it subsequently stated that the origin of the attack may be the "result of an attacker attempting to lay a false trail.".[24][25]

The attack was immediately thwarted, with Comodo revoking all of the bogus certificates. Comodo also stated that it was actively looking into ways to improve the security of its affiliates.[26]

In an update on March 31, 2011, Comodo stated that it detected and thwarted an intrusion into a reseller user account on March 26, 2011. The new controls implemented by Comodo following the incident on March 15, 2011, removed any risk of the fraudulent issue of certificates. Comodo believed the attack was from the same perpetrator as the incident on March 15, 2011.[27]

In regards to this second incident, Comodo stated, "Our CA infrastructure was not compromised. Our keys in our HSMs were not compromised. No certificates have been fraudulently issued. The attempt to fraudulently access the certificate ordering platform to issue a certificate failed." [28]

On March 26, 2011, a person under the username "ComodoHacker" made several posts to claiming to be an Iranian responsible for the attacks.[29][30]

Such issues have been widely reported, and have led to criticism of how certificates are issued and revoked.[31][32][33][34] As of 2016, all of the certificates remain revoked.[24] Microsoft issued a security advisory and update to address the issue at the time of the event.[35][36]

Such attacks are not unique to Comodo - the specifics will vary from CA to CA, RA to RA, but there are so many of these entities, all of them trusted by default, that further holes are deemed to be inevitable.[37]

Certificates issued to known malware

In 2009 Microsoft MVP Michael Burgess accused Comodo of issuing digital certificates to known malware.[38]

Comodo responded when notified and revoked the issued certificates that contained the rogue malware.[39]

Chromodo browser, ACL, no ASLR, VNC weak authentication

In January 2016, Tavis Ormandy reported that Comodo's Chromodo browser exhibited a number of vulnerabilities, including disabling of the same-origin policy.[40]

The vulnerability wasn't in the browser itself, which was based on the open-source code behind Google's Chrome browser. Rather, the issue was with an add-on. As soon as Comodo became aware of the issue in early February 2016, the company released a statement and a fix: "As an industry, software in general is always being updated, patched, fixed, addressed, improved - it goes hand in hand with any development cycle...What is critical in software development is how companies address an issue if a certain vulnerability is found - ensuring it never puts the customer at risk." Those using Chromodo immediately received an update.[41] The Chromodo browser was subsequently discontinued by Comodo.

Ormandy noted that Comodo received a "Excellence in Information Security Testing" award from Verizon despite the vulnerability in its browser, despite having its VNC delivered with a default of weak authentication, despite not enabling address space layout randomization (ASLR), and despite using access control lists (ACLs) throughout its product. Ormandy has the opinion that Verizon's certification methodology is at fault here.[42]

See also


  1. ^ a b "How US entrepreneur's global internet security firm started life in Bradford". Telegraph & Argus. 3 Sep 2014. Retrieved 3 Sep 2014. 
  2. ^ "Usage of SSL certificate authorities for websites". W3Techs. Retrieved 2017-02-03. 
  3. ^ "Comodo Company Overview". Retrieved 14 August 2015. 
  4. ^ "DNS Certification Authority Authorization - Comodo". Retrieved 14 January 2013. 
  5. ^ "Comodo - Contact Us". 
  6. ^ "W3Techs - extensive and reliable web technology surveys". 
  7. ^ "Comodo Security Solutions, Inc". Retrieved 2015-03-30. 
  8. ^ Joe Callan. "Domainers Magazine - : The Next Geo-Targeting Solution - Jul-Aug (Issue 22)". Archived from the original on 2015-04-12. Retrieved 2015-03-30. 
  9. ^ Ellen Messmer (14 February 2013). "Multivendor power council formed to address digital certificate issues". Network World. Archived from the original on 2013-07-28. 
  10. ^ "Authentication Security News, Analysis, Discussion, & Community". Archived from the original on 2013-04-10. Retrieved 2015-03-30. 
  11. ^ "SecurityPark". SecurityPark. Retrieved 2015-03-30. 
  12. ^ "CA/Browser Forum". Retrieved 2013-04-23. 
  13. ^ Wilson, Wilson. "CA/Browser Forum History" (PDF). DigiCert. Retrieved 2013-04-23. 
  14. ^ "Industry Round Table May 17th 2005 - New York" (pdf). Retrieved 17 May 2005. 
  15. ^ Abdulhayoğlu, Melih (18 September 2010). "Challenge to Symantec from Comodo CEO". Comodo Group. Retrieved 2010-09-22. 
  16. ^ John Breeden II. "Is free virus protection inferior?". Retrieved 23 Dec 2016. 
  17. ^ Rubenking, Neil J. (22 September 2010). "Comodo Challenges Symantec to Antivirus Showdown". PC Magazine. Ziff Davis, Inc. Retrieved 2010-09-22. 
  18. ^ "Challenge to Symantec from Comodo CEO!". Retrieved 23 Dec 2016. 
  19. ^ Ms. Smith. "AV-test Lab tests 16 Linux antivirus products against Windows and Linux malware". Retrieved 23 Dec 2016. 
  20. ^ Erik Larkin. "Comodo Internet Security Free Antivirus Software". Retrieved 23 Dec 2016. 
  21. ^ Daniele P. "Comodo 2016 Review: Malware Protection & Online Security". Retrieved 23 Dec 2016. 
  22. ^ "Independent Tests of Anti-Virus Software". Retrieved 23 Dec 2016. 
  23. ^ Neil P. Rubenking. "The Best Free Antivirus Protection of 2016". Retrieved 23 Dec 2016. 
  24. ^ a b c d e "Report of incident on 15-MAR-2011: Update 31-MAR-2011". Comodo group. Retrieved 2011-03-24. 
  25. ^ Hallam-Baker, Phillip (March 23, 2011). "The Recent RA Compromise". Comodo Blog. Retrieved 2011-03-24. 
  26. ^ "Iran accused in 'dire' net security attack". Retrieved 23 Dec 2016. 
  27. ^ "Update 31-MAR-2011". Retrieved 23 December 2016. 
  28. ^ "Update 31-Mar-2011". Retrieved 23 Dec 2016. 
  29. ^ Bright, Peter (28 March 2011). "Independent Iranian Hacker Claims Responsibility for Comodo Hack" (WIRED). Wired. Retrieved 2011-03-29. 
  30. ^ "ComodoHacker's Pastebin". Retrieved 2015-03-30. 
  31. ^ Eckersley, Peter (March 23, 2011). "Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?". EFF. Retrieved 2011-03-24. 
  32. ^ "Iran accused in 'dire' net security attack" (BBC). BBC News. March 24, 2011. Retrieved 2011-03-24. 
  33. ^ "Detecting Certificate Authority compromises and web browser collusion". TOR. March 22, 2011. Retrieved 2011-03-24. 
  34. ^ Elinor Mills and Declan McCullagh (March 23, 2011). "Google, Yahoo, Skype targeted in attack linked to Iran". CNET. Retrieved 2011-03-24. 
  35. ^ "Microsoft Security Advisory (2524375)" (Microsoft). March 23, 2011. Retrieved 2011-03-24. 
  36. ^ "Microsoft Security Advisory: Fraudulent Digital Certificates could allow spoofing". Microsoft. March 23, 2011. Retrieved 2011-03-24. 
  37. ^ "Independent Iranian Hacker Claims Responsibility for Comodo Hack". Retrieved 23 Dec 2016. 
  38. ^
  39. ^ "Microsoft MVP Mike Burgess Responds To Comodo's CEO On Comodo Certificates Issued To Malware Distributors". Retrieved 23 Dec 2016. 
  40. ^ |title=Comodo "Chromodo" Browser disables same origin policy, Effectively turning off web security
  41. ^ "Comodo will fix major flaw in knock-off Chrome browser". Retrieved 23 Dec 2016. 
  42. ^ Why Antivirus Standards of Certification Need to Chang, tripwire, 2016-03-23.

External links

  • Official website
Retrieved from ""
This content was retrieved from Wikipedia :
This page is based on the copyrighted Wikipedia article "Comodo Group"; it is used under the Creative Commons Attribution-ShareAlike 3.0 Unported License (CC-BY-SA). You may redistribute it, verbatim or modified, providing that you comply with the terms of the CC-BY-SA