The googlesharing.net saga – what actually happened
By Joe on Wednesday 7 April 2010, 20:16 - Gandi - Permalink
For those following this story, it’s been a pretty confusing and unsettling ordeal. And we’re certainly sorry for the part we played and adding to the confusion. But this was a play with many players, so let us set out below what happened and why. The major players in this drama were: Gandi.net (us), Moxie (the customer) and Comodo (the SSL technology provider). I could add the the Easter weekend, but I won't. And everyone played a part in this going wrong and shares some of the responsibility. We’ll set out why below.
So here’s what happened: Moxie the customer, bought an SSL certificate for his website googlesharing.net from Gandi.net which uses the technology platform of Comodo (rather than reinvent the wheel for SSL). This was a standard certificate for which Gandi.net acts as the Certification Authority. (see https://www.gandi.net/ssl for details).
What Comodo did
Comodo reviewed the SSL cert issued by Gandi and decided to question the information provided by the applicant (Moxie) relating to the certificate. They did this because Moxie had attempted to get a cert for the same (and other) URLs in the past and had done so with falsified information. When they asked Moxie to prove the existence of the company name and address (which were non existent by searches) he was unable to do so. On this basis they revoked the certificate. Comodo told us:
“Moxie gave false and misleading information in the request which is a clear violation of our subscriber agreement so we revoked the cert. We ask for the address and organization details so we capture who we are doing business with. If they give a misleading answer then they violate the terms of the subscriber agreement so we can revoke. “Subscriber shall: … ensure that all information provided to Comodo is complete and accurate”.
Where Comodo went wrong was that they took action against a Gandi customer without telling us OR asking us to check the details and validate. They had no right to revoke without us agreeing to this decision as we are the Certification Authority in this case. The first we heard about it was when we were contacted by Moxie.
What Gandi did
When Moxie contacted us, we asked Comodo what had happened and why. They told us that it had been revoked because of falsifised whois information and fraudulent activity. The fraudulent activity did not relate to the activity of googlesharing (as Moxie claims) but the attempt to secure a certificate using falsified information, which amounts to fraud. Either of these would have been sufficient to revoke the cert.
We then relayed this information to Moxie, but added the ‘goolge trademark violation’ reason which was a mistake and pure speculation from our customer support team. This was a serious error on our part for which we sincerely apologise. Google has not contacted us, and had nothing to do with this. This was our error and ours alone. Sorry about that.
This information was then passed onto TheRegister.co.uk, who published the article without us having had a chance to comment. In fairness to them, they did email the management team, but at 2am CET and the article was published before we could respond.
We then published a blog article underlining the main reason for the revoked cert, which was the false whois data. This was not an attempt to cover things up, but the real reason for the revocation and it has taken us a while to unpick all the storylines (both real and imaginary) to get to the facts.
What Moxie did
Well, Moxie registered his domains and certificates using made up names of people and companies, and fabricated addresses. The addresses do not exist and the people’s names used changed several times but usually can be found in urban dictionary, e.g. http://www.urbandictionary.com/define.php?term=Amory%20Blaine.
As we’ve said before, a certificate is a stamp of approval that a person or organisation is who they say they are. They cannot be based on fraudulent information. So revoking the cert in this case was the right thing to do, just managed badly.
We understand that Moxie is a guy who values privacy (as his googlesharing service suggests), but the ICANN whois regulations are as they are, and the T&Cs of certificate providers require real people/companies too. We value our customers and trust them, but they must trust us too. And providing fake information to us is not the way to do this.
We would welcome Moxie’s comments on this and we’d be happy to issue him a new certificate but only if he provides real information as we expect from anyone.
So for our other customers, there is nothing to worry about. This matter was picked up because of repeated attempts to get certificates with falsified information, and this was the reason it was revoked. We are not going to randomly cancel other customer certificates, and neither is Comodo.
But activity seeking to fabricate information in the whois directory, or to get hold of certificates for nonexistent companies is a risky business. But that’s why most people don’t do this. If you behave like a bad guy you run a serious risk of being perceived as one. Additionally, registering a domain name with other people's brands in it often raises warning flags.
Anyway, that’s the whole story. Everyone had something to contribute to this mess. We have had many discussions with Comodo about this and will continue to do so to improve our processes and prevent this happening again. We would also welcome discussions with Moxie of course. We’d like to apologise to all our customers who have felt confused, unsure or upset during the last couple of days. This was never our intension and we whole heartedly apologise for errors we made in this, and have learnt from the process.
I hope that helps make things clear.
And just to complete the story, TheRegister updated their article with the following addition:
"Update In a sign that the "no bullshit" promise isn't a mere gimmick, Gandi COO Joe White sent us the following reply to a query we sent yesterday:
We certainly acknowledge that we could have handled this better, particularly in not contacting the customer prior to the revocation of the certificate. The reason for the certificate being revoked was because of the inaccurate whois data. Certificates really are a seal of trust, but that cannot be based on falsified whois data. It was right to revoke the certificate for this reason, but not without being in contact with the customer. We have reviewed and changed our processes to rectify this..."
Comments
Gandi.net has chosen to "reinvent the registrar wheel" for a reason: you think you can provide service which is superior to other registrars. The reason to do that with SSL would obviously be the same, especially if you've branded your SSL product as gandi.net. If I can decode your marketing speak, by "Comodo is our technical provider," you mean that you're just a reseller for Comodo and they run everything. Calling yourselves a CA in that case is definitely a stretch.
We expect you to "reinvent the SSL wheel" because Comodo is a terrible company. The way they handled this incident is a great example. Who knows what *really* happened? Given their track record, I don't trust anything they say. My guess is that it's more likely they saw the name "Moxie Marlinspike," assumed they were a target, and flipped out. You're saying that the information was falsified, but how on earth could they have verified that with enough certainty to revoke a certificate without warning? If my name happens to appear in something like the urban dictionary, will my certificate be revoked as well? Do they just have a team of people over there checking names in the urban dictionary all day?
If you've chosen to outsource this product to someone else, you're responsible for the decisions they make. What else would you expect from a company like Comodo? And given that it's no surprise they acted irresponsibly, gandi.net should be accountable for putting the trust of gandi.net customers in Comodo's hands.
At the end of the day, an SSL certificate is supposed to be issued to the owner of the domain, and there was never any question that this was the case. The certificate owner's name isn't even in your certificates!
Someone pointed me to this thread, so I'll contribute some points of clarification.
1) I did not submit fraudulent information to Comodo. On the contrary, I had a certificate from Comodo for proxy.googlesharing.net which I obtained by fully complying with their validation process. They even took copies of my utility bills to verify my address information. They did not revoke this certificate or any certificate for /any/ domain that I have ever had. The information you're providing on this point is incorrect. Are you just going to keep switching stories until something hits home?
2) This certificate from Comodo was about to expire, and it seemed convenient to get one from gandi.net because they are the registrar for this domain. Gandi has all of my billing information, which I have used to pay for these domains for several years. So they know exactly who I am, down to my financial information, and it's misleading for them to suggest that I have somehow managed to withhold the details of my identity from them. I have a DBA for the name in the whois database (just because it happens to be in an urban dictionary doesn't make it "fraudulent"), and Gandi has all of my other information on file. This was also a "low-assurance" certificate, which means that it is explicitly /not/ to be used for proof of identity, only for identifying a URL. Gandi's own legalese buried within one of the PDFs they provide on the subject even spells this out.
3) I didn't submit anything to Comodo for this exchange. I just clicked the little SSL icon next to the domain in my account manager. I had no idea that Comodo would be involved or that the whois information in my account would be sent to them (from what I remember, gandi.net never even asked if it was acceptable for them to share customer information with another company). The information listed in the whois database wasn't even included in the certificate that was issued to me, and this was a "Standard" SSL certificate which is explicitly not to be used for validating identity, so I'm not sure how that became an issue. Gandi knows who I am, and they definitely know that I'm the owner of the domain.
I also agree with the above comment, it sounds like Gandi is just a reseller for Comodo. Comodo is a super shady company (even for a shady industry). These guys are so bad that the first time I tried to create an account with them, their web app just logged me into someone else's account instead. Every time I went back and tried to create an account, it would just log me into a different person's account instead of creating mine. I actually had to /try/ to do things legitimately, so to suggest that I went out of my way to defraud them is almost insulting given how much of a hassle it was to do otherwise. This is the same CA which has repeatedly issued certificates for popular websites with no verification at all. But the downside of this to us is that no customer information which gandi.net has shared with Comodo is likely safe.
All of the prominent language on gandi.net's website suggests that they are a CA and not just a reseller to a CA, which is why I suppose gandi.net kept making claims about this certificate's revocation instead of just saying "Comodo did it, we're just a reseller, we really have no control over any of this." I'd like to think that gandi.net has changed their process as a result of this experience, such that at least nobody else will have to go through the same thing, but as long as Comodo is involved I don't see how that's possible.
It's also somewhat inconsistent for gandi.net to be simultaneously suggesting that they are in control of these CA procedures, while also claiming that many of these problems are a result of bad communication with the CA that they resell to. The fact is that not only did gandi.net "accidentally" claim that this revocation had something to do with Google trademark violation, but the CEO of gandi.net publicly /defended/ the revocation on those grounds. And those are different things entirely.
I've appreciated gandi.net for years, and I'm hoping that I can eventually begin to appreciate it again. Thanks for your efforts, and I'm hoping for better relations in the future.
Tim/Moxie :
- we are C.A. Point. No marketing bullshit here, we have never hidden the fact we were using tools provided by Comodo. It's not just a reseller contract. It's the same thing than MVNO (Mobile Virtual Network Operator) ... these companies are not resellers, they really become operators. And I can give you countless examples around us (cars ...) similar to what we do here. What matters is who is managing and "owning" the customer relationship, and here it's very clear it's us. The process and contract are very clear on that.
- saying that Comodo is terrible is your opinion. They screwed up in this case believing they were doing the right thing because they thought they had in front of them someone looking like a "bad" guy, YES. They had no right to act without us validating it, again YES. Everybody is doing mistakes, the most difficult part is to recognize and assume it I guess. Which they did with us : after this long easter week end, they clearly told us what happened.
On our side, everybody can see we clearly recognized ours. We also believe we all did some. Including you. As we said, if you want to be seen as a good guy, please just respect the rules (whois) and be careful about other little things like other people's brand (even if here Google has not said anything, I still personally think it's better to avoid this situation). As I told you on Twitter, with the elements we had, it was difficult not to understand why this happened.
Just hope you'll understand where we come from on this.
Stephan, you're reselling to Comodo but continue to claim that you're a CA. And instead of admitting that you're a reseller, you keep using words like "we use their technology platform," or "we use their tools." This sounds like marketing bullshit to me.
You could clear this up by answering some straightforward questions:
1) Does Comodo have a copy of the private key that you use to sign certificates?
2) Does Comodo manage, run, or have access to the OCSP server that is used to revoke certificates?
3) Does Comodo manage, run, or have access to the CRL that is used to revoke certificates?
As for this incident, it sounds like you're still trying to cover up the scope of what happened.
So you guys revoked someone's certificate without warning over a fraudulent name, and it wasn't fraudulent? Just looked like it might have been? Have you done anything to compensate this person?
No the Whois details were falsified and moxie even stated that in the original article published by the register. Thanks, Joe
Joe, your post says the the name in the whois information is fraudulent, but Moxie's comment says that he has a DBA for that name. That's not falsified, that's a mistake on your part.
Personally I fail to see where the issue is, and why all the apologising and repentance.
The rules are clear and we signed up to them. If you don't like them you should take your business elsewhere, but I for one am pleased to know I'm dealing with a serious company who will do exactly as it says on the contract.
I applaud Gandi for taking a firm stance against people who show such a lack of consideration towards those they do business with, their customers, and the public at large.
What this man did was not a mistake or an oversight (by his own admission). It was fraud pure and simple*, and whether it was done through malice, immaturity, or simple incompetence, it is not excusable. Cancelling the provision of the services according to the terms and conditions in force was, obviously, the right thing to do.
*Code de la consommation, L121-1 2º f)
TA
To my knowledge, the concept of "doing business as" as used in America does not extrapolate to French commerce law-at least not for individuals. In any event, when you open a Gandi account as an individual the information being requested is your full legal name, not your trading name (dénomination sociale) or anything else. Too bad if you're an anarchist I suppose
--------
"Moxie" (for lack of a proper name)
Thank you for contributing to the discussion, but as someone told me once: "when you're in a hole, stop digging."
Your rant clearly shows you have no idea where you stand. Let us see:
If your point 1) is to have any bearing on this discussion, it's to show that Gandi do indeed manage the issuance of their own certificates, unless otherwise stated in the agreement (as is the case of EV certs). They would not have had access to any information Comodo allegedly had about you.
Incidentally, you say you sent Comodo a utility bill to verify your address information. That does not imply that they had knowledge of your identity (a utility bill can be on someone else's, or even an entirely made up name).
Your point 2) demonstrates your lack of understanding of this whole e-commerce thing (so much for a self-described "hacker", but anyway). Gandi does not handle the transactions, their bank does, and unless you pay by cheque it's unlikely they will ever get to see much more than a reference number and the amount of the transaction. Not that they should be playing private detective to get information you're supposed to tell them in the first place, mind you.
As regards your point 3) it seems like a rather poor attempt at diverting the attention. You are either playing dumb or you have an appalling lack of knowledge of the very principles of public key cryptography. And you have not read or understood the T&Cs either, by the looks of it. If Comodo got involved it's because they sign Gandi's own certificate and are thus subsidiarily responsible for the certs that Gandi issues, at least in QA terms. Between the two of them the system has worked in this case, seeing as the whole thing relies on trust, which you have tried to subvert and failed miserably.
You are however right on two things. One, it is correct that a Gandi Standard SSL "does not allow guaranteeing an identity", as per the T&Cs (I'm kind of surprised you read that); however that does not absolve you from your obligation of "Identifying Yourself to Our services, and to providing Your contact information that is complete, exact, and reliable, whatever the Gandi SSL Certificate You have chosen", as they put it. Simples, eh? No playing Dick Tracy going through your "financial records" or whatever to guess what your name might be: you just type that in the the two input boxes which Gandi conveniently provides in their registration page and that's it.
Your second point which I consider valid is that *if* Gandi indeed shares any information with Comodo in the context of a non-EV certificate, other than what goes in the unobfuscated WHOIS record (which for a .com includes your name and contact details), then that should be made clear in the terms and conditions, in accordance with French privacy laws and good business practice. Perhaps Gandi can clear up this point.
On a closing note, the whole discussion about whether Gandi is a CA or not... anyone who actually has got a certificate from Gandi can have a look at it and see who the issuer is. Of course I imagine anyone who is not happy are still free to either take their business elsewhere or start their own CA and try to get their certs included in Mozilla/IE/etc.
Stephan wrote:
"- we are C.A. Point."
If Gandi is _really_ a CA, where is the root certificate?
My Nokia E-series phone doesn't trust certs issued by Gandi and nowhere in the SSL documentation on this site can I locate the root cert to import.
El Bunto: We are CA but not yet recognize into all browsers (IE and Mozilla are ok now) that's why we have an intermediary certificate provided by Comodo you will found here http://en.gandi.net/ssl/documentati... You can install this intermediary to be sure of a full compatibility.