Comodo’s broken OCR issues certs to the wrong organizations

A recent bug report on Mozilla’s Bugzilla states that Comodo’s broken OCR is issuing certificates to the wrong organizations. The report details how Comodo issued an incorrect certificate for the domain of a major Australian provider. What makes this worse is that the developers of the OCR software were aware of the faults. The issue also affects the .eu and .be top-level domains.

steffen on Bugzilla provided a translated summary of the report from

  • Comodo uses WHOIS service to obtain the authorised email address for a domain.
  • This is not possible for .eu and .be as those do not give email addresses with the WHOIS service.
  • So for such TLDs Comodo deemed it appropriate to use OCR to parse the picture of the email address returned by web-whois.
  • The OCR has a reproducible bug and has trouble differentiating the small l and the number 1. It also has trouble differentiating the number 0 and the small o. Instead of fixing the bug or not using such obviously unsuitable software, the software apparently evaluates the following characters – if there is a number after the small l, it reads the l as the number 1. Similar issues with o/0.
  • This was tested with the domain, which had the email registered. As feared, Comodo misread this as and sent the email to the wrong address.
  • The testers registered and were able to receive the email, use the link and thereby obtain a trusted certificate for
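The validation flow in the summary above turns on one detail: an OCR reading of an email address is not a single value but a set of possible addresses, and the "look at the next character" rule collapses that set onto one guess. The following is an added example (not code from the Bugzilla report, from Comodo, or from the OCR vendor) that models the rule as described and shows the check a validation pipeline should run instead: enumerate every reading the OCR text could correspond to and refuse to send a domain-control email unless there is exactly one. The addresses and the `ca-test.eu` domain are constructed placeholders.

```python
"""Added example: why an OCR-derived validation address is ambiguous.

The OCR_HEURISTIC function mirrors the rule described in the report
(an 'l' immediately followed by a digit is read as '1', an 'o' followed
by a digit as '0'). Everything else here is an assumption for illustration.
"""
from itertools import product

# Glyphs a low-quality OCR pass may confuse with one another.
# Each entry maps a character to every character it could have been.
CONFUSABLES = {
    "l": "l1", "1": "1l",
    "o": "o0", "0": "0o",
}


def ocr_heuristic(read: str) -> str:
    """The disambiguation rule the report describes, as a pure function.

    An 'l' or 'o' that is immediately followed by a digit is rewritten
    to '1' or '0'. Note that this throws away the original reading.
    """
    out = []
    for i, ch in enumerate(read):
        nxt = read[i + 1] if i + 1 < len(read) else ""
        if ch == "l" and nxt.isdigit():
            out.append("1")
        elif ch == "o" and nxt.isdigit():
            out.append("0")
        else:
            out.append(ch)
    return "".join(out)


def confusable_variants(address: str) -> set:
    """Every address the OCR text could correspond to, given CONFUSABLES."""
    choices = [CONFUSABLES.get(ch, ch) for ch in address]
    return {"".join(p) for p in product(*choices)}


def safe_to_contact(address: str) -> bool:
    """A validation pipeline should only email an OCR-derived address when
    there is exactly one possible reading. Anything else needs a second
    channel (the registrar's own contact mechanism) or manual review.
    """
    return len(confusable_variants(address)) == 1


if __name__ == "__main__":
    # Constructed sample: the registrant's real address contains a small l
    # followed by a digit, exactly the case the report describes.
    real = "hal1@ca-test.eu"
    print("OCR heuristic resolves to:", ocr_heuristic(real))
    print("All possible readings:", sorted(confusable_variants(real)))
    print("Safe to email without review?", safe_to_contact(real))
```

Running this shows the heuristic rewriting `hal1@ca-test.eu` to `ha11@ca-test.eu`, while `confusable_variants` reports four candidate addresses for the same OCR text. The defensive check is the last function: an address with more than one candidate reading is never a valid proof-of-control target on its own.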

It took Comodo 26 days to notify Mozilla, according to the timestamp in the mail archive. Based on that and the comments in the Bugzilla report, it looks like Comodo only disclosed this after it became public information.

I know this is not the first time Comodo has made mistakes issuing certificates. In fact, there have been numerous occasions where Comodo issued certificates to known malware distributors. The best and safest thing to do is to avoid Comodo products and practice safe browsing.