Can You Trust These Tech Firms?
Category: Security
The Comodo Group is a well-known Internet security company founded in 1998. Its slogan is, “Creating Trust Online.” Comodo actually sells trust - the firm is the world’s largest vendor of digital security certificates, with one-third of the market. But now, Comodo has betrayed every one of its customers. And it’s not the only tech firm that has done so recently. Read on for the surprising details...
Comodo And Other Untrustworthy Companies
Comodo’s Internet Security Suite installs a customized version of Google’s Chrome browser that breaks one of the cardinal rules of browser security, according to Tavis Ormandy of Google’s Project Zero security research team. Chromodo ignores the industry-standard “same-origin policy” that prevents a script downloaded at one site from modifying another site’s script. So, a malicious script you picked up on a rogue Web site could hack the scripts on your bank’s site, allowing all sorts of mischief.
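How a browser decides whether two pages share an origin under the same-origin policy described above, as an added example (not code from the original article, Comodo or Google). The function names and the `.example` URLs are constructed for illustration.

```javascript
// Added example: models the origin comparison behind the same-origin policy.
// Function names and sample URLs are constructed for illustration.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port).
// Returns null for opaque origins such as data: or file: URLs.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;
  return {
    scheme: u.protocol,
    host: u.hostname, // already lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Explain how two URLs relate under the same-origin policy.
// Returns "same-origin", or the first tuple component that differs.
function compareOrigins(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin never matches anything, not even itself.
  if (oa === null || ob === null) return "opaque";
  for (const part of ["scheme", "host", "port"]) {
    if (oa[part] !== ob[part]) return part;
  }
  return "same-origin";
}

// A script may read or modify another document only when origins match.
function scriptMayAccess(scriptPage, targetPage) {
  return compareOrigins(scriptPage, targetPage) === "same-origin";
}

// Constructed sample pairs: [page running the script, page it tries to touch]
const samples = [
  ["https://bank.example/login", "https://bank.example/accounts"],
  ["https://rogue.example/", "https://bank.example/accounts"],
  ["http://bank.example/", "https://bank.example/"],
  ["https://bank.example/", "https://bank.example:8443/"],
  ["https://BANK.example:443/", "https://bank.example/"],
  ["data:text/html,<p>x</p>", "https://bank.example/"],
];
for (const [from, to] of samples) {
  console.log(`${from} -> ${to}: ${compareOrigins(from, to)}`);
}
```

Only the scheme, host and port are compared; the path plays no part, which is why two pages on the same bank site match while a page on any other host does not.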
Chromodo, as this Chromium perversion is called, looks so much like the Chrome browser that users may not even notice the change. Chromodo imports Chrome’s settings, bookmarks, cookies, etc., and replaces Chrome shortcuts and icons with its own. Chromodo also changes a user’s DNS settings to use Comodo’s Secure DNS service.
On February 3, Comodo finally responded publicly to Google’s alert. Comodo says there’s nothing wrong with Chromodo; the culprit was an add-on that was released with Chromodo (released by Comodo, we should note). That add-on has been removed from existing Chromodo installations and future releases.
But this isn’t Comodo’s first sleazy product. In 2015, it promoted a browser called PrivDog which effectively rendered all digital security certificates useless, and installed a proxy server on a user’s machine that enabled “man in the middle” attacks. PrivDog wasn’t developed by Comodo; it’s a product of AdTrustMedia, and its purpose is to replace ads on every Web site with ads from AdTrustMedia.
Interestingly, AdTrustMedia uses nearly the same words to describe PrivDog as Comodo uses to promote Chromodo; both are supposed to provide "... safer, faster and more private web browsing." It’s almost as if Comodo is in partnership with the bad guys. In fact, Ormandy’s last public comment was, “There's plenty of evidence of the shadiness of Chromodo, it gets pushed via the kind of PUP bundler networks that also push winlocker trojans of Indian origin.”
The Rogues' Gallery
At this point, I wouldn’t touch anything bearing Comodo’s name with a 39-and-a-half-foot USB cable. The company that sells trust has lost all trustworthiness. The same goes for AVG, which not long ago sacrificed 9 million users’ security just to promote its brand. (See This Antivirus Plugin Makes You LESS Secure.)
Other security software vendors are on thin ice. Ormandy has found serious flaws in Avast’s Chromium port, Avastium, Malwarebytes Anti-Malware, and the password manager component of Trend Micro AntiVirus. Unlike AVG and Comodo, these companies seem to have made dumb mistakes, not conscious decisions to betray their users. But dumb mistakes are not what I need from a security software supplier.
I also don’t need companies that promote themselves at my expense. Avast does it by inserting its self-promoting email signature in all of my emails by default; never mind that it fouls up my outgoing Gmail messages. I turned off that signature in the General tab of the Avast settings console, but it was re-enabled with the next Avast update.
Microsoft has stopped pushing Windows 10 and is now ramming it down every holdout’s throat. The Windows 10 “time to upgrade” nagware is now a “recommended update,” not merely an “optional” one. Many users have Windows Update configured to install recommended updates automatically along with critical updates. Those users now face a devious popup that offers a false forced choice: “Do you want to upgrade to Windows 10 now, or later tonight?”