Blogger Troy Hunt recently published a long missive in criticism of Extended Validation SSL, which includes a number of criticisms aimed at the Comodo brand in particular. Since the CA spun out of the larger Comodo Group, Inc. late last year we have been aggressively investigating all aspects of the business to identify where changes are required and to plan and implement them. Much of the team, including senior leadership, is new since that date, and we have been dedicated to ensuring that our practices and systems meet the highest standards for our industry. It’s a classic changing-the-tires-while-driving-down-the-freeway situation in that a very large number of online businesses and systems depend on the Comodo CA certificate platform, with a high volume of certificates requiring authentication, deployment, and lifecycle management each day. The current team is committed to upgrading this business across all aspects until we can fairly call it best of breed in every important way. This effort involves not only attention to our own behavior but also to that of our reseller partners to ensure selling practices are accurate and fair.
Comodo CA continues to believe there is strong value in the ability to know an online entity’s true identity, and that in the TLS space Extended Validation is the best method we presently have. We are disappointed in the gap between the potential EV displayed ten years ago and its actual usage in 2018. Low adoption by businesses failed to create the critical mass necessary for ordinary consumers to understand how to use browser interfaces to protect themselves, which has led to the cycle of EV nay-saying we see today.
CAs deserve a good part of the blame for this low adoption, as the industry has failed to educate site operators and end consumers both. But browsers, industry press, and leaders in online business all have a role to play as well.
We believe this education can still take place and that companies can use EV to improve security for their web users. The EV paradigm works effectively as a huge net add for giving consumers the ability to make more informed decisions. That is positive for everyone except the online criminals. We hope to see industry leaders and online businesses join us in empowering site visitors to make better choices.
Troy correctly notes that the report on the recent DevOps study, which was commissioned by Comodo CA, fails to identify us as the sponsor. Comodo CA should have ensured our name was on that write-up, and the failure to do so is entirely on us. We have contacted the research team to see if they can revise the published paper to include this information.