Free digital certificate authority Let’s Encrypt says it is ready for a long battle if security firm Comodo doesn’t quit pursuing trademark applications containing the ‘Let’s Encrypt’ name.
Comodo says its mission is to “create trust online”, but the security firm and digital certificate vendor may have done exactly the opposite by filing three trademark applications with the USPTO containing ‘Let’s Encrypt’.
Let’s Encrypt is a certificate authority (CA) that provides free digital certificates to websites and has, over the past year, upended the paid-for digital certificate industry, which has been dominated by Symantec, GoDaddy and, to a lesser extent, Comodo.
The CA, which is run by the Internet Security Research Group (ISRG), says its efforts to convince Comodo to drop the applications have so far failed.
“Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so.
We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization,” wrote ISRG’s executive director Josh Aas in a blog post on Thursday.
Filings with USPTO show that Comodo applied for “Let’s Encrypt”, “Comodo Let’s Encrypt”, and “Let’s Encrypt with Comodo” in October 2015.
Let’s Encrypt officially came out of beta in April 2016, but had been using the name publicly since November 2014. The free CA is backed by Akamai, Mozilla, Cisco, the EFF and Facebook.
Let’s Encrypt aims to boost the adoption of HTTPS so that connections on the web are encrypted and authenticated by default. It reported this week that it had issued five million certificates covering seven million domains since its public launch in December 2015, having passed the one million mark in March.
Comodo also appears to be blocking requests for information about its Let’s Encrypt trademark applications. According to one developer, Comodo’s mail server has been configured to reject any inbound email containing the Let’s Encrypt URL.
CSO Australia’s attempt to send a request for comment about the Let’s Encrypt dispute to Comodo’s press and sales email accounts was bounced with the message: “554 Rejected: mail contains virus”.
Comodo’s name as a CA was tarnished by the so-called “Comodo hacker”, who in 2011 claimed to have compromised a Comodo reseller to obtain fraudulently issued certificates, and who later claimed responsibility for the breach of DigiNotar, a Dutch CA.
The DigiNotar breach had far bigger implications than the Comodo incident: the attacker obtained a certificate for Google domains and used it to intercept the communications of hundreds of thousands of Google users, mainly in Iran. The incident also gave rise to the Google-backed Certificate Transparency initiative, which records issued certificates in public, append-only logs so that mis-issued certificates can be detected.
The spotlight on weaknesses in the system that users and internet firms rely on for conveying trust on the internet also changed its economics. Shortly after Let’s Encrypt launched, Symantec also started offering free digital certificates, seemingly ending the decades-long business model of charging websites for the ability to enable secure connections.
While Let’s Encrypt has backers with deep pockets, Aas says the organisation doesn’t have a large budget for lengthy legal battles. Nonetheless, he says it will dig in if Comodo doesn’t back down.
“If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web.”