"Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by bot."
Seems the fail is partially at the WHOIS service end, in using a font that is ambiguous.
Two European security researchers exploited Comodo's crappy backend systems to obtain a HTTPS certificate for a domain they do not own. That cert could be used to impersonate the website, allowing passwords and other sensitive information to be swiped from victims in man-in-the-middle attacks. The infosec bods, Florian Heinz …
Or possibly a problem in that a business needs data from another business and does not have some proper arrangement whereby they get the actual data instead of the proverbial faxed photocopy of a five pound note.
Just to be a bit devil's-advocate here, are Comodo a true villain here or simply a victim (admittedly unwise) of the circumstances?
Well, I once signed up a school for Microsoft's volume licensing program.
The sign-up is all electronic, they verify everything via Microsoft Live accounts, you log into the VLSC with those same accounts, you add others (e.g. billing) via the same accounts, and so on.
At no point do you fill out a piece of paper or write anything down.
Yet, one year when I was signing a school up they were taking forever. We eventually got to the bottom of it - someone had "misspelled" administrator in our email address. My first question was, how the hell have you misspelled a word that we've only submitted ever to you electronically?
Someone at Microsoft sits and types in volume licence administrator email addresses by hand, from entirely electronic forms and emails.
So:
* Someone wants an internet presence and registers an address.
* They want a SSL cert to assert their identity
* They want to remain anonymous
"The issue, it seems, is due to privacy protections in place on the .eu and .be domains. In order to prevent the scraping of contact details, some registries and registrars do not allow automated WHOIS lookups to pull email addresses. Instead, that data is displayed as text in an image that can be easily read by a person but not pulled by bot."
You can't both be who you say you are and remain anonymous. So Comodo should not put in a funky bodge unless it really is human or as good as.
"The obvious replacement of the OCR by humans seems likely to bring a positive error rate as well, quite possibly in the same range as the OCR system. It is not even unlikely that the human error rate would be larger as they get fatigued, unlike the OCR software."
Quite... With the work outsourced to the best people available on the globe - oops - I mean somewhere with the cheapest possible labour rates where the cross eyed staff work 29 hour days squatting in a shed lit by the equivalent of a couple of hurricane lamps trying to parse a character set totally different to that used by their own language ....
Internet of 'fings. That'll fix it. Well, someone had to say it.
> "a SSL cert to assert their identity"
> "You can't both be who you say you are and remain anonymous."
Normal SSL certificates don't have anything to do with real-world identity, so they can certainly be anonymous.
Normal SSL certificates assert that "the person who has the private key matching public key 12345 is the owner of example.com". This is called "Domain Validation", or DV, and is the most common kind of SSL certificate.
There are also Extended Validation (EV) certificates, which check the real-world identity of the company. They assert that "the person who has the private key matching public key 12345 is Example Corporation and is the owner of example.com". In that case, the browser's address bar will go green and show the company name. These certificates are much more expensive, because the CA has to do more manual checking of identity.
In the case of Comodo, they also want you to sign a contract that is ridiculously unacceptable even to the non-legal eye ("if there is a problem, you pay us damages and we owe you nothing"), but that's just by-the-by.
So some registrars are displaying e-mail addresses as images to prevent automated harvesting, and those images are harvested with less than perfect reliability. It sounds like 100% of the blame should be put on those registrars for implementing a solution that breaks things to fix nothing.
that trust is regularly abused...what makes you think that the trust endpoint won't receive a secret order that forces it to harvest data?
Cisco's firmware&hardware has been regularly backdoored while in transit, the Lavabit debacle, the current Microsoft-overseas-data jurisdiction issue and the recently revealed gag&spy company-wide email interception at Yahoo! proved beyond all doubts that such a whitelist/endpoint can and WILL be abused by Uncle Sam.
Comodo is no different in this aspect than Cisco, Yahoo, Microsoft or Lavabit ... they all are (or were) US-registered companies and at the mercy of the secret gag&spy orders.
Comodo:
Registrant Organization: Comodo Group, Inc.
Registrant Street: 1255 Broad Street
Registrant City: Clifton
Registrant State/Province: NJ
Registrant Postal Code: 07013
Registrant Country: US
The last paragraph of Comodo's report (linked to by the original article):
Comodo finds it regrettable that some registries choose to offer a port 43 WHOIS service which redacts information for all registrants which even the registry themselves would normally consider to be public. We find it even more regrettable that a sub-set of those registries refuse to consider offering unredacted access to that information even when contractual and/or commercial terms (including binding restrictions on the use of that information) are offered.
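The port-43 WHOIS lookup that the thread keeps coming back to, as an added example that is not from the article, from Comodo's report, or from any commenter: a minimal client that speaks the protocol (one query line, read until the server closes the connection) and a parser that pulls contact e-mail addresses out of the reply. The point is the failure mode under discussion: when the machine-readable response carries no address, the record is reported as redacted so the caller can stop there instead of falling back to reading an image. The two sample responses are constructed for this example and are not real registry output; `whois_query`, `parse_contact_emails` and `validation_addresses` are names chosen here, not anyone's API.

```python
import re
import socket

# Constructed sample replies (not real registry output). The first is the usual
# "Key: Value" layout with contact e-mails present; the second mimics a registry
# that withholds contact details from its port-43 service.
SAMPLE_UNREDACTED = """\
Domain Name: example.com
Registrant Organization: Example Corporation
Registrant Email: hostmaster@example.com
Admin Email: admin@example.com
"""

SAMPLE_REDACTED = """\
Domain: example.eu
Registrant:
    NOT DISCLOSED!
    Visit the registry's web-based whois for contact details.
"""

# Deliberately strict: the whole value must be one address, nothing else.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def whois_query(domain, server, port=43, timeout=10):
    """Raw port-43 WHOIS: send the query line, read until the server hangs up."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_contact_emails(text):
    """Return {field: address} for every '<something> Email: <address>' line.

    Only lines whose key ends in 'Email' and whose value is exactly one address
    are accepted; free text and display-only fields are ignored.
    """
    found = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key.lower().endswith("email") and EMAIL_RE.fullmatch(value):
            found[key] = value
    return found


def validation_addresses(text, domain):
    """Decide what an e-mail-based domain check may use from this WHOIS reply.

    Returns (status, addresses):
      ("mismatch", [])  the reply does not even mention the queried domain
      ("whois", [...])  addresses taken from the machine-readable response
      ("redacted", [])  no address in the response; do not guess and do not
                        try to recover one from an image
    """
    if domain.lower() not in text.lower():
        return "mismatch", []
    emails = parse_contact_emails(text)
    if emails:
        return "whois", sorted(set(emails.values()))
    return "redacted", []


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; a live lookup would be
    # whois_query("example.com", "whois.verisign-grs.com").
    for name, sample, dom in (("unredacted", SAMPLE_UNREDACTED, "example.com"),
                              ("redacted", SAMPLE_REDACTED, "example.eu")):
        print(name, validation_addresses(sample, dom))
```

`whois_query` is the only part that touches the network; everything below it runs on the text alone, which is what makes the redaction decision testable. The `mismatch` branch is a cheap sanity check that the reply actually concerns the domain being validated, since a referral or error page from a registry also parses as "no e-mail found".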
Well spotted, a million upvotes for getting that far.
I had wondered WTF was going on that they couldn't get actual data and although that answers the question it's borderline unbelievable (or on reflection maybe it isn't) that businesses could have such uselessness in their paid-for services.