How to Report Abuse, Including Fraudulent or Malicious Use of Certificates Issued by Sectigo
Code Signing Certificates
If you have come across malware signed with a Sectigo- or Comodo-issued Code Signing certificate please send as much detail as possible to: [email protected]
Helpful details include:
- Link to the signed malware
- Screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
- A copy of the actual certificate if possible
SSL/TLS Certificates
If you need to report abuse related to a Sectigo- or Comodo-issued SSL/TLS Certificate such as fraud, phishing, etc. please send as much detail as possible to: [email protected]
Helpful details include:
- The web site where the certificate is installed
- Details of the fraudulent behavior
- If others have reported fraudulent activity of this web site in online forums or other online sources, links to those sources are also helpful in investigating and making determinations as to whether or not the situation warrants revocation of the certificate.
- Sectigo is a leading Certification Authority that helps enterprises and consumers address digital ecommerce needs with reliable solutions that authenticate digital transactions and identities. A properly installed and configured SSL/TLS certificate identifies the website and ensures that transactions to and from that website to the consumer are encrypted and safe from third-party influence. The most common of these is the low-level Domain Validation (DV) certificate which is identified by the use of Secure | https:// in the site URL. Industry rules for a Domain Validated (DV) certificate require proof the requesting person has control of the website.
Many companies purchase Extended Validation (EV) certificates so that visitors to their websites have the added trust assurance that the company has undergone extensive validation to verify that the organization is legally registered and active and has exclusive right to use the domain specified in the EV Certificate, that the certificate has been authorized by the organization, and that the organization is not on any government blacklists.
Certificate Authorities like Sectigo do not regulate in any way whatsoever the content of a particular web site, nor do they control or monitor the business practices of any web site operator. Specifically, a Certificate Authority cannot moderate or adjudicate transactions where the consumer has been misled or where the site owner has acted badly.
Ultimately, consumers must decide which vendors to trust on-line before conducting any sort of business with that website.
There are many phishing (fake) websites out there that are made to look like real businesses. Most scammers and phishers use low level certificates on these sites. Therefore, accessing a site with a valid low-level certificate displaying “Secure” in the URL is not an indication that you are safe from phishing attacks. All certificate authorities issue these low-level certificates and they are not intended to be used on websites that take consumers’ personal information or facilitate online financial transactions. Businesses that want to provide their customers with a safe online experience use Extended Validation certificates
Mitigate your risk by restricting your transactions to sites that use an EV certificate, as indicated above. An EV protected website tells the consumer that this is a real business and has been scrutinized by a certificate authority. If you do not see the name in green you may or may not be on a real website regardless of how legitimate the site appears.
Qualified Certificates
If you need to report abuse related to a Sectigo issued Qualified Certificate such as fraud, phishing, etc. please send as much detail as possible to: [email protected]
Helpful details include:
- Link to the signed content (for example, malware)
- Details of the fraudulent behavior
- Screenshots of the certificate details showing the signer organization or certificate serial number or other details which will help us identify the certificate
- A copy of the actual certificate if possible
QWAC:
- The web site where the certificate is installed in case of a QWAC
- If others have reported fraudulent activity of this web site in online forums or other online sources, links to those sources are also helpful in investigating and making determinations as to whether or not the situation warrants revocation of the certificate.