TheRegister.co.uk comments on gandi's removal of SSL certificate for googlesharing.net
By Joe on Tuesday 6 April 2010, 10:36 - Internet - Permalink
TheRegister.co.uk ( http://www.theregister.co.uk/2010/04/05/googlesharing_cert_revoked/ ) last night published an article describing how Gandi.net had enforced its policies by removing a certificate for a domain name googlesharing.net that had infringed on our terms and conditions in a number of ways. According to the article the known ‘hacker’ who admitted to falsifying his whois information on the registration was surprised that the certificate was removed.
Our policy has always been to respect our customers and protect their rights, but also to protect the rights of other companies and customers. The ‘whois’ accuracy requirement is not only an important part of the ICANN regulations, but also a key aspect in us knowing who our customers are and allowing us to contact them in the event of a problem. If you falsify your whois information, we may not be able to contact you if there is a problem, and we don’t know who you are, which means we can’t protect you as much as other customers that we can vouch for and validate. Ours is a relationship of mutual trust and respect. Please respect us by giving us accurate information. If you want to enforce privacy, use the various privacy settings to obscure your whois data, but don’t falsify it.
Certificates represent an extra layer of security and trust on the internet. They give customers a sense of security that the website they are visiting can be trusted and the owner is a known individual or entity. If the whois data behind a domain is falsified, a valid certificate cannot be issued, because the owner is not a trusted source. It would be wrong to give an accredited level of trust to a site that is based on deliberately misleading information.
The customer in this case was trying to set up and promote a service to offer users a greater degree of privacy from the information that Google collects. This is a noble cause and one that we would be happy to host, but only if it plays by the rules. The customer could have avoided this by:
- Providing accurate whois information so we know who they are, can vouch for them and can issue a certificate with certainty
- Registering a domain that describes the service but does not risk any potential trademark infringement, e.g. Searchengineprivacy.com (or some combination of that that is available).
This way we would know who they are and defend their rights to the teeth as we do with all of our customers.
Please note that we weren't contacted by google in this case, but took action based on the falsified Whois data. Google could object to this domain, so it's always good to avoid potential infringement that could cause you to lose a domain in a dispute.
In the spirit of our ‘no bullshit’ policy, what we could have done better in this example was make more of an effort to contact the customer directly at the point when we knew the certificate was going to be revoked. The address and phone number on the Whois were fake, but we should have followed up by email. This was our error and we'll do better next time.
Comments
It sounds like you're saying that you would have killed the certificate even if the whois information had been up to date, so why are you harping on that so much? And why are you making judgments about trademark rules when the trademark owner is clearly aware of the service and doesn't claim infringement?
Your only apology here is to say that you would have sent an email at the moment the certificate was revoked? Not even advance notice? I always thought your "no bullshit" thing was for real, but I guess it was just PR all along. Just like this statement.
"The customer in this case was trying to setup and promote a service to offer users a greater degree of privacy from the information that google collects. This is a noble cause and one that we would be happy to host, but only if it plays by the rules."
Calling this a "nobel cause" is quite an about-face from "fraudulent activity." If it wasn't fraudulent activity, and if the trademark holder doesn't agree that this is in violation of their trademark, then it seems like you made a mistake. I agree with the above comment that it sounds like you're trying to emphasize the stale WHOIS information just because that's all you can emphasize without coming off as completely incompetent.
It sounds like this guy was using a SSL certificate to legitimately provide authentication and encryption for a service that he legitimately ran. "No bullshit," to me, would mean recognizing that and working with him to get whatever outstanding policy requirements there were squared away. Or hey, how about before you issued the certificate? The last thing I would expect from you would be to revoke his certificate without warning, or even with a notice as it happened.
Also, yeah, way to daemonize hackers. Could you cut the marketing speak now?
I don't expect you to always act perfectly, but I would feel a lot better if you would admit your mistakes when you make them. I have TLS certificates through Gandi, and would hope that if you discovered any inaccuracies in my account you would contact me so that I could change them, rather than just revoking my certificates without any contact at all. That would seriously damage my business. I think the spirit of this article is correct: a "no bullshit" company wouldn't do that.
So if I understand the situation correctly, some marketing droid at Google contacted you to shut this guy down, and you obliged without stopping and thinking, investigating or contacting the guy. Then you attempt to justify your actions in retrospect, in the meantime ruining his business. Hope you have good lawyers.
This just makes you and Google look bad.
Nils: Our certification job consists of certifying that the real owner of the domain is the one in the whois / our database.
The whois data was incorrect, and the certification contract was broken without prior notice and, in this case, without any notice
(this process has been improved on our side to prevent this kind of situation in the future).
In parallel, we have launched a procedure for incorrect whois on the domain and given 15 days to moxy to provide real data. Once it is corrected, he will have the possibility to regenerate a new certificate.
(sorry for my poor english today)
What a joke, it's bad enough that you guys messed this up, but what really makes me think that gandi.net has turned into just another mediocre registrar is that you can't even admit the mistake you made.
You fucked up. We'd forgive you if you acknowledged that, but we will never forgive you if you just respond with marketing drivel.
Hi guys,
We've said that it was a mistake not to contact the customer prior to the certificate being revoked, and, as Nicolas has said above, we have changed our process to make sure this doesn't happen again. And we apologise for not having handled this better.
The reason for the certificate being revoked was the falsified whois data. You cannot have a valid certificate without accurate whois data. This was not a mistake to revoke the certificate in this case, but the way we did it could have been better.
As for all the 'google' stuff, there was no contact from google, and you're quite right it's not our place to speculate about what google would or would not do to or about the domain. The 'google' issue was nothing to do with the certificate being revoked, and again we apologise if there was any confusion about this.
I hope that helps. Thanks,
Joe
Hey Joe, the register article says that when you revoked the certificate you didn't contact the owner for 24 hours, at which point you told him that it was revoked not only for the whois information but also for trademark infringement and fraudulent activity.
Now you're telling us that the reason it was revoked "was nothing to do with" the use of the word "google." Are you telling us that the author of the register story is lying? That you never claimed you'd revoked it because it included the word google? What about fraudulent activity? That was never an issue either?
In your statement you said that you regret not informing the owner when it was being revoked, but now you're saying that you would give advance notice. Which is it? If I change my phone number and forget to update my whois information, are you going to kill my certificate without warning, in conjunction with a notice, or are you going to give me a chance to update my phone number first?
All of these contradictory statements are not helping your image. It sounds a lot like you got caught doing something you shouldn't have done and are now trying to talk yourself out of it. I agree with F9, just admit that you seriously fucked up and people will forgive you.
Obviously, Gandi have decided to dupe everyone with their "no bullshit" bollocks. With this and the SORBS and a couple other recent PR fiascos, this only goes to show that companies such as this may preach their "dedication" to ethical practices, but intentionally do exactly the opposite in practice.
GoDaddy is, quite frankly, more ethical than this group of French cowboys, even with the seedy limit-pornographic advertisements during the Super Bowl. Maybe Gandi could learn something about how to succeed at being incompetent without having to resort to lying about it at the same time.
Stay away from this band of pirates, folks!
I smell even more bullshit here... If it is Gandi that revoked the certificate then they need to own up publicly to their cockup. If it was comodo which seems to have been suggested in various places then gandi isn't really a certificate authority as they claim on their website but rather just a measly reseller for the fascist CAs. Either way, it stinks of bullshit, and Gandi needs to come clean PUBLICLY!!!!
I am shocked and amazed that you didn't use email as the *very first thing* you tried... given you are an *internet* company and all !
The CEO of gandi.net publicly stated on Twitter that they'd revoked the certificate because of trademark violations. So Joe, it looks like you're straight up lying to us. Again.
http://twitter.com/StephanGandi/sta...
What a load of crap this all is. The first thing anyone with a law degree that's worth a dime does when something like this arises is try to run like hell from it. A lawyer or legal team is not going to permit a company to make utterly stupid statements that could show the true colors of a company.
This situation clearly demonstrates that Gandi was contacted by Google.
The UDRP does not grant Google complete control of *G*O*O*G*L*E*; there are in fact a lot of google-like domains out there that one would think Google would have fought to get.
I was never aware of the whole no-bullshit thing, but as an abuse desk administrator, from the many whois requests I've run I do recall Gandi being one of the top for trouble domains.
Maybe google can move google.com to gandi.
@John, @Nikita - yes Stephan did say that it was related to google, because this was the information he had at the time, which turned out to be incorrect. The certificate was pulled by Comodo (who provide their technology to us as a partner), citing whois and fraud as the reason. The google confusion was introduced by our team and it was a mistake and speculative. We had and have not heard from google.
We're gradually unpicking this story which is complicated because it involves several parties (us, Comodo, Moxie) and Moxie is deliberately providing false information, which doesn't make it easy.
For those worried about their certificates, there is a big difference between incorrect information, and deliberately falsified information. The issue here was falsified information, e.g. fake company names, non-existent addresses, attempts to register using different company names at different times, none of which were real, etc.
The fraud accusation is based on attempting to secure a certificate based on falsified documentation.
If you're a normal customer who isn't playing games with the whois records or company records you have nothing to fear.
We have introduced our own inaccuracies during this period (e.g. the goolge bits), but we continue to stand by the decision to revoke a certificate that was based on deliberately falsified information. We also acknowledge we could have handled it better, and apologise for the confusion this has caused.
We are continuing to investigate with Comodo and will provide a full summary once we have the final facts and proofs. Thanks all,
Joe
Joe, are you saying that gandi.net does not even run the CA that it advertises? And that it is actually run by Comodo, the CA who easily has the worst reputation in the business? How is it possible for you to advertise "no bullshit" when you're just reselling everything to Comodo, the biggest bullshit player of all?
What else? Do you just have register.com handle all your registrar activity too?
@Joe your story keeps changing. The CEO of your company claiming that the certificate was revoked because of trademark violations is very different from the public statement you made that some over zealous support staff got confused. And both of these facts are light years away from what you're now telling us. If you keep lying to us, how can we believe what is going to be in the "report" you're going to issue from Comodo.
And wow, Comodo of all people?
@John - Comodo provides the technology platform, but we are the CA for our standard and pro certificates. They provide additional validation for the Business SSL product. All this info is on our SSL page https://www.gandi.net/ssl We use Comodo because they are still an independent player and have good products. Most of the other SSL providers are owned by Verisign, and without additional players it would be a near-monopoly market. Gandi tends to shy away from monopoly situations. And no, register.com doesn't do our domain registration; we've been an independent registrar for over 10 years.
@Nikita - the story does keep changing, and that's because the real facts are slowly being dug out. The support team responded to Moxie saying the cert was revoked because of 'whois, google trademarks and general fraud'. When the CEO asked why the cert was revoked, he was told the same thing and communicated it. Only as we've picked apart the details have we discovered that the 'google' bit was added by our support and not part of the reasons given by Comodo for revoking the cert. All of this did not happen simultaneously and as I've said before there have been several parties involved and many many people. So only now do we have the full story, which I will be writing up shortly. We have certainly contributed to making it more confusing and the 'google' storyline is part of that. Thanks for bearing with us.
Joe
Joe, can you please stop being vague about your status as a CA and give us specifics? What do you mean by "technology platform?" To be specific:
1) Does Comodo have a copy of the private key that you use to sign certificates?
2) Does Comodo manage, run, or have access to the OCSP server that is used to revoke certificates?
3) Does Comodo manage, run, or have access to the CRL that is used to revoke certificates?
From what I can tell, Comodo has by far the worst security record of any CA in the business. Monopoly or not, if you're putting customer data in their hands, you're putting your customers at risk (as we've seen with this revocation).
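The comment above asks who controls the CA signing key, the OCSP responder and the CRL that carry a revocation. The following Go program is an added example (not code from Gandi, Comodo or anyone in this thread) that shows what a CRL-based revocation actually consists of from the relying party's side: a constructed throwaway CA issues two leaf certificates, publishes a CRL listing one of them, and a checker chains each leaf to the CA, verifies the CRL's signature under the CA key, rejects a stale CRL, and only then looks the serial number up. Every name and key here is constructed for the demo; nothing is taken from the real googlesharing.net certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoPKI holds a constructed CA, two leaf certificates and a DER-encoded CRL.
// It exists only so the checker below has something realistic to run against.
type demoPKI struct {
	caCert      *x509.Certificate
	caKey       *ecdsa.PrivateKey
	revokedLeaf *x509.Certificate
	goodLeaf    *x509.Certificate
	crlDER      []byte
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// buildPKI creates a self-signed CA (with CRL-signing key usage), issues two
// server certificates under it and signs a CRL that revokes the first one.
func buildPKI() (*demoPKI, error) {
	now := time.Now()
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Demo CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER) // parsed copy carries the SubjectKeyId the CRL needs
	if err != nil {
		return nil, err
	}
	issue := func(serial int64, host string) (*x509.Certificate, error) {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: host},
			DNSNames:     []string{host},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &mustKey().PublicKey, caKey)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	revoked, err := issue(1001, "revoked.example.test")
	if err != nil {
		return nil, err
	}
	good, err := issue(1002, "good.example.test")
	if err != nil {
		return nil, err
	}
	// The CRL is signed by the CA key: whoever holds that key decides what is revoked.
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now,
		NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{caCert: caCert, caKey: caKey, revokedLeaf: revoked, goodLeaf: good, crlDER: crlDER}, nil
}

// checkLeaf returns "untrusted", "revoked" or "good" for a leaf certificate.
// An unsigned or stale CRL is an error, not a pass: silently accepting it is how
// a revocation gets missed.
func checkLeaf(pki *demoPKI, leaf *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(pki.caCert)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: leaf.DNSNames[0]}); err != nil {
		return "untrusted", err
	}
	crl, err := x509.ParseRevocationList(pki.crlDER)
	if err != nil {
		return "error", err
	}
	if err := crl.CheckSignatureFrom(pki.caCert); err != nil {
		return "error", fmt.Errorf("CRL signature rejected: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return "error", fmt.Errorf("CRL expired at %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	pki, err := buildPKI()
	if err != nil {
		panic(err)
	}
	for _, leaf := range []*x509.Certificate{pki.revokedLeaf, pki.goodLeaf} {
		status, err := checkLeaf(pki, leaf)
		fmt.Printf("%s serial=%s status=%s err=%v\n", leaf.DNSNames[0], leaf.SerialNumber, status, err)
	}
}
```

The point of the example for a certificate holder is the order of operations: a relying party trusts the CRL only because it is signed by the same key that issued the certificate, so whichever party holds that key (or operates the OCSP responder standing in for the CRL) can revoke without the subscriber's involvement, which is exactly the question the comment raises. Checking `NextUpdate` matters because an attacker who can block CRL fetches would otherwise be able to keep a stale, revocation-free CRL in use.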
John / Nikita : please read my comment on the last post, thanks (http://www.gandibar.net/post/2010/0...)