How to Report Abuse, Fraudulent or Malicious Use of Certificates Issued by Comodo

Code Signing Certificates

If you have come across malware signed with a Comodo CA issued Code Signing certificate, please send as much detail as possible to: signedmalwarealert@comodoca.com

Helpful details include:

  • Link to the signed malware
  • Screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
  • A copy of the actual certificate if possible


SSL/TLS Certificates

If you need to report abuse related to a Comodo CA issued SSL/TLS Certificate, such as fraud, phishing, etc., please send as much detail as possible to: ssl_abuse@comodoca.com

Helpful details include:

  • The web site where the certificate is installed
  • Details of the fraudulent behavior
  • If others have reported fraudulent activity of this web site in online forums or other online sources, links to those sources are also helpful in investigating and making determinations as to whether or not the situation warrants revocation of the certificate.

Comodo CA is a leading Certification Authority that helps enterprises and consumers address digital ecommerce needs with reliable solutions that authenticate digital transactions and identities. A properly installed and configured SSL/TLS certificate identifies the website and ensures that transactions between that website and the consumer are encrypted and safe from third-party influence. The most common type is the low-level Domain Validation (DV) certificate, which is identified by the use of Secure | https:// in the site URL. Industry rules for a Domain Validated (DV) certificate require proof that the requesting person has control of the website, and that the data between the browser and web server is encrypted.

Many companies purchase Extended Validation (EV) certificates so that visitors to their website have the added trust assurance that the company has undergone extensive validation to verify that the organization is legally registered and active, has exclusive right to use the domain specified in the EV Certificate, that the certificate has been authorized by the organization, and that the organization is not on any government blacklists.

An EV protected website looks like this in your browser:

[Image: EV Browser Bar Comparison]

Your browser will display the name of the company you are doing business with, as registered with their government, in green font. This will replace or augment the domain name. Please note that a minority of browsers may not display the company name, such as Chrome on Android OS. For your important transactions, consider using a browser which supports EV.

Certificate Authorities like Comodo CA do not regulate in any way whatsoever the content of a particular web site, nor do they control or monitor the business practices of any web site operator. Specifically, a Certificate Authority cannot moderate or adjudicate transactions where the consumer has been misled or where the site owner has acted badly.

Ultimately, consumers must decide which vendors to trust online before conducting any sort of business with that website.

There are many phishing (fake) websites out there that are made to look like real businesses. Most scammers and phishers use low-level certificates on these sites. Therefore, accessing a site with a valid low-level certificate displaying “Secure” in the URL is not an indication that you are safe from phishing attacks. All certificate authorities issue these low-level certificates, and they are not intended to be used on websites that take consumers’ personal information or facilitate online financial transactions. Businesses that want to provide their customers with a safe online experience use Extended Validation (EV) certificates. That certificate will display the company name in green.

Mitigate your risk by restricting your transactions to sites that use an EV certificate, as indicated above. An EV protected website tells the consumer that this is a real business and has been scrutinized by a certificate authority. If you do not see the name in green, you may or may not be on a real website, regardless of how legitimate the site appears.
 
