stories filed under: "let's encrypt"

Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]

from the that's-just-bad dept

Fri, Jun 24th 2016 12:45pm — Mike Masnick

See the update at the end

Almost two years ago, we excitedly wrote about the announcement behind Let's Encrypt, a free certificate authority that was focused on dramatically lowering the hurdles towards protecting much more of the internet with HTTPS encrypted connections. It took a while to launch, but it finally did and people have been gobbling up those certificates at a rapid rate and getting more and more of the web encrypted. This is a good thing.

Unfortunately, it appears the old guard of certificate authorities doesn't like this very much. Comodo, which has provided certificates for quite some time (and, in fact, is where Techdirt's certificate comes from) has apparently, somewhat ridiculously, been trying to trademark versions of "Let's Encrypt." The most troubling one is the one on purely "Let's Encrypt," but the other two (Comodo Let's Encrypt and Let's Encrypt with Comodo) are equally problematic -- especially since (as Comodo admits directly) it's never used that phrase in offering its existing certificates.

This seems like a clear situation where Comodo is seeking to confuse the market -- and thus the clear case where trademark law actually makes some sense. As we've said basically forever, trademark is quite different than copyrights and patents, in that it was really designed as a consumer protection law, to keep consumers from being tricked into buying something that they believe is from a different entity. Trademarks are widely and frequently abused, but there are times where the original intent of consumer protection makes sense, and this seems like one of them. What's incredible is that when Let's Encrypt reached out to Comodo about this, the company refused to abandon the attempt to trademark these names.

Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization.

If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web.

At the very least, this kind of stupid stunt has me reconsidering if we should ever use Comodo's certificates on our site going forward. We've been a happy Comodo customer for many years, but I hate supporting bullies. Update: And... of course, after this goes public, Comodo suddenly backs down. Of course that doesn't explain why it refused to do so when asked months ago.

Filed Under: certificate authority, certificates, competition, https, let's encrypt, trademark
Companies: comodo, let's encrypt

34 Comments

Will New Free Certificate Authority Help Or Hinder Online Security?

Privacy

from the first-things-first dept

Tue, Dec 2nd 2014 9:08pm — Glyn Moody

A couple of weeks ago, Techdirt wrote about Let's Encrypt, an interesting new project from the EFF, Mozilla and others to set up a free certificate authority (CA) that will allow anyone running a website to offer encrypted connections. That sounds like a great idea, since it will make snooping on web traffic much harder. But a post (on LinkedIn, unfortunately) by Alexander Hanff, Chief Privacy Officer at Connect In Private, wonders if it might actually make things worse. Here's why: Creating a new Super Certificate Authority is the equivalent of painting a huge red target onto the backs of all the people who use it.

Let's not mix our words here, it will become a target -- that much is completely indisputable, it would be utterly naive to believe the US Government will not target this new CA with court orders. What's more, given the historical evidence, there is a strong chance that such orders will be for "super master keys" allowing them to pretend to be whomever they like [for man-in-the-middle attacks] and it will be done under the guise of National Security because of course a CA which provides free certificates for everyone is (in the eyes of law enforcement) a hotbed for criminals and terrorists -- why on earth would a terrorist pay Verisign for an SSL certificate, leaving a paper trail, if they can obtain an anonymous certificate for free from Let's Encrypt?
Techdirt asked the EFF to respond to this concern, and Peter Eckersley, the organization's Technology Projects Director, replied as follows: Mr Hanff is right to be concerned about structural flaws in the CA infrastructure, but he hasn't understood the problem. This is something we've been working on for years: https://eff.org/observatory https://www.youtube.com/watch?v=9VAreZZhue4 and we certainly wouldn't have picked a design to make the situation worse.

Anyone who looks at the CA infrastructure is going to think, "oh, there are expensive high security CAs, and weaker low security CAs, and hundreds of others run by various corporations and governments, I'd better pick one I can trust". But it turns out not to matter which one *you* pick, because our web browsers have been designed to trust hundreds of them. So even if you buy from the one with the best combination of security and jurisdictional robustness, a would-be man-in-the-middle attacker will pick a weak one to use against you. We've seen this play out for instance with the Iranian attack on Gmail via a CA in the Netherlands, and a Turkish CA issuing improper certs for Google.

Let's Encrypt's first mission will be to solve the grand problem of HTTPS, which is that hundreds of millions of sites don't use it at all. But it will also be engineered to begin addressing the structural flaws in the whole CA marketplace. For sites that it want it, we'll assist in using mechanisms like pinning to protect against the hundreds of other CAs that the site isn't using (pinning lets a site declare that only a small and specified number of CAs can sign certs for it). And for our own CA, we will use Certificate Transparency or equivalent mechanisms to ensure that if our operations were ever compromised or compelled in any way, that would be recorded and rapidly visible to the whole Internet.
As that points out, the first problem is to get people using encrypted connections; after that, we need to work on those "structural flaws in the CA infrastructure" that Hanff and Eckersley agree are a serious issue that needs addressing.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: alexander hanff, certificate authority, certificates, let's encrypt, privacy, security, surveillance
Companies: eff, let's encrypt

45 Comments

EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'

Privacy

from the very-cool dept

Tue, Nov 18th 2014 12:40pm — Mike Masnick

The EFF and Mozilla along with some others, have teamed up to announce "Let's Encrypt" which is a new, free, certificate authority that is hoping to dramatically increase encrypted internet traffic when it launches next summer. The effort is being overseen by the Internet Security Research Group, which is the non-profit coalition of folks contributing to this effort. Not only is the effort going to offer free certificates, but also make it much easier to enable encryption. We've argued for a long time about the importance of increasing encryption online, so it's great to see this effort.

Filed Under: certificate authority, encryption, https, let's encrypt, security, ssl
Companies: cisco, eff, internet security research group, mozilla

30 Comments

Follow Techdirt

Essential Reading

The Techdirt Greenhouse

Read the latest posts:

read all »

Techdirt Deals

Report this ad | Hide Techdirt ads

Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Older Stuff

Thursday
13:33	Former Employees Say Mossad Members Dropped By NSO Officers To Run Off-The-Books Phone Hacks (2)
12:01	No, Creating An NFT Of The Video Of A Horrific Shooting Will Not Get It Removed From The Internet (18)
10:49	San Francisco Cops Are Running Rape Victims' DNA Through Criminal Databases Because What Even The Fuck (18)
10:44	Daily Deal: The Complete 2022 Java Coder Bundle (0)
09:31	As Expected, Trump's Social Network Is Rapidly Banning Users It Doesn't Like, Without Telling Them Why (44)
06:30	Comcast Continues To Bleed Olympics Viewers After Years Of Bumbling (19)
Wednesday
20:42	Apple Finally Defeats Dumb Diverse Emoji Lawsuit One Year Later (6)
15:39	Clearview Pitch Deck Says It's Aiming For A 100 Billion Image Database, Restarting Sales To The Private Sector (10)
13:41	Peloton Outage Prevents Customers From Using $2,500 Exercise Bikes (16)
12:09	The GOP Knows That The Dem's Antitrust Efforts Have A Content Moderation Trojan Horse; Why Don't The Dems? (16)
10:51	Hertz Ordered To Tell Court How Many Thousands Of Renters It Falsely Accuses Of Theft Every Year (24)
09:21	Even As Trump Relies On Section 230 For Truth Social, He's Claiming In Lawsuits That It's Unconstitutional (34)
06:16	Medical, Home Alarm Industries Warn Of Major Outages As AT&T Shuts Down 3G Network (25)
Tuesday
20:37	Video Game History Foundation: Nintendo Actions 'Actively Destructive To Video Game History' (29)
15:35	Massachusetts Court Says No Expectation Of Privacy In Social Media Posts Unwittingly Shared With An Undercover Cop (17)
13:30	Techdirt Podcast Episode 312: Regulating The Internet (2)
12:03	US Copyright Office Gets It Right (Again): AI-Generated Works Do Not Get A Copyright Monopoly (60)
10:42	LA Sheriff Threatens To 'Subject' City Council To 'Defamation Law' If They Won't Stop Calling His Deputies 'Gang Members' (20)
10:37	Daily Deal: codeSpark Academy Sibling Bundle (0)
09:25	Trump's Truth Social Bakes Section 230 Directly Into Its Terms, So Apparently Trump Now Likes Section 230 (128)
06:22	15 Years Late, The FCC Cracks Down On Broadband Apartment Monopolies (31)
Sunday
12:05	Funniest/Most Insightful Comments Of The Week At Techdirt (11)
Saturday
12:00	This Week In Techdirt History: February 13th - 19th (1)
Friday
19:39	Letter From High-Ranking FBI Lawyer Tells Prosecutors How To Avoid Court Scrutiny Of Firearms Analysis Junk Science (25)
15:52	Nintendo Is Beginning To Look Like The Disney Of The Video Game Industry (44)
13:49	Seattle Public Radio Station Manages To Partially Brick Area Mazdas Using Nothing More Than Some Image Files (44)
12:13	Thankfully, Jay Inslee's Unconstitutional Bill To Criminalize Political Speech Dies In The Washington Senate (8)
10:52	How Our Convoluted Copyright Regime Explains Why Spotify Chose Joe Rogan Over Neil Young (136)
10:47	Daily Deal: The Complete Blocs Website Builder Bundle (0)
09:33	Arizona Prosecutor Who Brought Bogus Gang Charges Against Protesters Files Ridiculous Defamation Suit Against Her Boss (12)

Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]

from the that's-just-bad dept

Will New Free Certificate Authority Help Or Hinder Online Security?

from the first-things-first dept

EFF, Others Launch New Free Security Certificate Authority To 'Dramatically Increase Encrypted Internet Traffic'

from the very-cool dept

The Techdirt Greenhouse

Thursday

Wednesday

Tuesday

Sunday

Saturday

Friday

More

Tools & Services

Company

Contact

More

from the that's-just-bad dept

from the first-things-first dept

from the very-cool dept

Techdirt Daily Newsletter

The Techdirt Greenhouse

Tools & Services

Company

Contact

More