Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Security The Internet

Comodo Attempting to Register 'Let's Encrypt' Trademarks, And That's Not Right (letsencrypt.org) 120

Let's Encrypt is a nonprofit aimed at encrypting the entire web. It provides free certificates, and its service is backed by EFF, Mozilla, Cisco, Akamai and others. Despite it being around for years, security firm Comodo, which as of 2015, was the largest issuer of SSL certificates with a 33.6% market share on 6.6% of all web domains, last year in October filed for the trademark Let's Encrypt. The team at Let's Encrypt wrote in a blog post today that they have asked Comodo to abandon its "Let's Encrypt" applications, directly but it has refused to do so. The blog post adds: We've forged relationships with millions of websites and users under the name Let's Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone. We've also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion. By attempting to register trademarks for our name, Comodo is actively attempting to do just that. Update: 06/23 22:25 GMT by M :Comodo CEO has addressed the issue on company's forum (screenshot).
This discussion has been archived. No new comments can be posted.

Comodo Attempting to Register 'Let's Encrypt' Trademarks, And That's Not Right

Comments Filter:
  • by mrchaotica ( 681592 ) * on Thursday June 23, 2016 @03:02PM (#52376183)

    If you don't want somebody else to use a trademark, register it for yourself!

    • by K. S. Kyosuke ( 729550 ) on Thursday June 23, 2016 @03:04PM (#52376203)
      Well, they can still register the Yrg'f Rapelcg! trademark...
    • by Anonymous Coward

      They don't want the burden of enforcing it, though now they are basically required to do so anyway.

      Thanks Comodoodoo!

      • by PCM2 ( 4486 ) on Thursday June 23, 2016 @03:22PM (#52376345) Homepage

        That "burden" can be as onerous as having a lawyer write a letter, which it sounds like they had to do anyway. If Comodo went ahead with using their mark after receiving said letter, they would then be in the exact situation they are in now -- only they would have legal standing to enforce their mark, which presently they don't.

        "Nonprofit" shouldn't mean you can't afford to pay for basic necessities like registering your business license, paying your fire insurance, and protecting your most basic and fundamental IP (your name).

      • by taustin ( 171655 )

        If their goal is to not have someone else trademark it out from under them, then they register it, and fail to enforce it, thus placing it in the public domain.

        If their goal is to keep anyone else from using it, then they need to register it and enforce it.

    • by zuckie13 ( 1334005 ) on Thursday June 23, 2016 @03:12PM (#52376269)
      Well, for one, they don't have to to be the owner of it. In the US, it's first to use, not first to register. It's pretty clear they have been using it well before this application was submitted - an application that says it's not in use by that company yet. I'd love to hope that the trademark office will just reject it, but they'll probably drag this out.
      • by evolutionary ( 933064 ) on Thursday June 23, 2016 @03:30PM (#52376379)
        It's a leverage game. The courts would favor Let'sEncrypt trademark (as they basically paid the government for it first). It could also be shown that in using it on such a scale it's purpose is to use Let'sEncrypt's name and in the end the group could get damages for Comodo. but first it has to pay for the lawyers to get. So it's not a matter of who is in the right, but who can use their purse strings to draw this out long enough. Our justice isn't really based on a sense of fair play, rather than whose got bling to play. Kinda like Net Neutrality. :D Hopefully Comodo decides the bad PR and litigation isn't worth it. but they might. I have little doubt they'll suggest a number (in essence blackmail) to get the domain at a "minimal fee". While it's true ideally one would register the web domain but domain != trademark. trademark wins, but only if the money exists to drag in out in court.
        • Based on the links in the story, the trademarks are still in the examination stage and have not yet been issued.

          If that is the case, Let's Encrypt can still send in forms and notify the USPTO of the conflict. They don't have much time, but if they passed along that information on their site to the patent examiner that should be enough to trigger additional investigation.

          • Based on the links in the story, the trademarks are still in the examination stage and have not yet been issued.

            If that is the case, Let's Encrypt can still send in forms and notify the USPTO of the conflict. They don't have much time, but if they passed along that information on their site to the patent examiner that should be enough to trigger additional investigation.

            Exactly - why aren't they sending a challenge to the USPTO yesterday?

            Trademarks are registered all the time. In fact, it's a public process - every new application is posted so opposition to registration can be recorded. If the Lets Encrypt folks aren't filing an opposition, (and not done so ages ago), then they're basically letting the ball drop.

            It happens all the time - plenty of companies apply for trademarks only to have them opposed during application.

            In fact, the thornier side of trademarks are marks not necessarily used in commerce - Microsoft, for example, owns two trademarks they don't use on products (NorthWinds and Contoso, I believe). Instead, they're registered so Microsoft can use them in demos and other things freely without running into any trademark issues.

            • by mysidia ( 191772 )

              Any party who is harmed can potentially file a Lanham Act Opposition [nolo.com]

              The problem is, You probably have to appear in person, or pay somebody to appear in person.

              Because the next step after filing opposition is a Proceeding at USPTO to resolve the Dispute between parties

              I don't know about you..... but for me travelling all the way to the USPTO in Washington D.C. would be quite a hardship.

              Not to mention all the time I couldn't be working in my job or working on improving my business or service.....

              • Not to mention all the time I couldn't be working in my job or working on improving my business or service...

                Exactly, it's a transparently anti-competitive operation. The CEO's forum post tacitly admits as such. I don't get what's with all these people here saying that if you haven't sought to have the government enforce monopolies on your behalf, you're actually the bad guy.

                • by mysidia ( 191772 )

                  What's even more bizarre is seeing executives of Comodo claiming LetsEncrypt Stole their business model [comodo.com].

                  Apparently Comodo was the first to issue 90-day Free SSL Certificates, So any future CA who does that is stealing Comodo's business model.

                  Doesn't make sense to me. a Key difference with LetsEncrypt, is the 90-Day certificates can be Renewed Indefinitely.

                  With Comodo, the 90-Day issuance is an Evaluation/Trial per Domain name, and you cannot renew after the 90 days without paying.

      • Correction: You can't trademark if the mark is already used "IN TRADE".

        The foundation is a non-profit organization providing free certificates under that name. That is not "TRADE" (i.e. business, i.e. involving exchange of money for value).

        However, by the same token, the seemingly slimy corporation seeking the trademark should be hard pressed to stop the non-profit's use of the mark for a free service, since that is not competing TRADE since it is not TRADE.

        Besides, if it ever came to a case where they trie

        • Nonetheless, it is utterly stupid to have not registered the trademark in first place given what it will cost them to oppose to Comodo in court.
        • Perhaps that's what Comodo wants to happen. They will get free endorsement of the "Let's Encrypt" term from the "Let's Encrypt" nonprofit and also from "EFF, Mozilla, Cisco, Akamai and others" who currently "back the service".

          So the Comodo product can then use the term to refer to their product(s) and ride on the coattails of the nonprofit service's good name; but no other company will be able to use that term "In Trade". Profit!
        • Your theory that non-profits don't receive trademark protection is novel, and already refuted by existing precedent. Yes, public activities can be "trade" even when the underlying purpose is not profit! Wowsers, Pres., you went loco on that one.

      • Well, for one, they don't have to to be the owner of it. In the US, it's first to use, not first to register.

        I don't think so. Back in the '80s I did tech support for a small startup (long gone by now) marketing specialized software to law firms. The owner of the firm was a lawyer and he trademarked the program's name after doing a proper trademark search. About a year after we started selling, we got a Cease and Desist letter from somebody who'd been marketing a completely different, unrelated progra
    • by Junta ( 36770 )

      I am not a lawyer but I did google for a few seconds...

      It looks like to register a *Trade* Mark, you have to be using it in commerce. Let's encrypt not having any financial anything going on can't say their stuff is in commerce, even if they want to.

      Secondly, in "Let's Encrypt", it only had value in the first place if it had taken off. If it hadn't taken off, then there would have been no point in 'defending' the name (also, no one would really want it). It did take off, and as such it is so well known *

      • Re: (Score:3, Informative)

        by zuckie13 ( 1334005 )
        The definition of use in commerce (my emphasis added) - right from the USPTO: For applications filed under the use-in-commerce basis, you must be using the mark in the sale or transport of goods or the rendering of services in “interstate” commerce between more than one state or U.S. territory, or in commerce between the U.S. and another country. For goods, the mark must appear on the goods (e.g., tags or labels), the container for the goods, or displays associated with the goods. For services,
      • Linux is trademarked. Plenty of non-profits have trademarks. Because of all that, I don't think you need to be having "financial things" going on in order to get a trademark.
        • by Anonymous Coward

          Linux wasn't trade marked at the start. The a con-man named William Della Croce Jr. registered it as a trademark and started demanding money from distros, book publishers, etc. Despite the fact that the names is just Linus with an x at the end replacing the s, it still took about a year to get the trademark away from the slimeball in court.

      • Then how could various charities have trademarks? Google "nonprofit trademark" and find lots of references.
      • All they have to do is use the mark at some point when asking for donations. If they use it in conjunction with soliciting donations, that is trade. Because of the way the activities of non-profits are defined, this means pretty much if they ever use the term, they're using it in trade.

        Technicalities might be more technical than just supposing.

    • by epine ( 68316 )

      If you don't want somebody else to use a trademark, register it for yourself!

      That's one perspective. See red tape, eat red tape. What could possible go wrong?

      Here's another perspective. Have you heard of the Age of Aquarius? How about the Age of Panopticonus?

      I don't know precisely when the age of Panopticonus began. We can bracket this down to sometime between the first transparent-pixel web bug, of which the oldest mention I can find on Google is 15 July 1995, and the Snowden revelations of 5 June 201

      • NEVER use Google Translate with Latin. You'll get complete garbage almost all of the time (e.g. It used to provide "lacus non leo" for "merry Christmas," which actually means "the lake isn't a lion" and seems to come from lorem ipsum).

        Let me help you:
        Rotae iustitiae volvunt lente, sed ruminant optime.
  • Remove Comodo CA (Score:5, Insightful)

    by Anonymous Coward on Thursday June 23, 2016 @03:07PM (#52376221)

    Comodo proved themselves that are not trustwordy.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Comodo proved themselves that are not trustwordy.

      If they are untrustworthy in this respect, can they be trusted to perform due diligence when issuing certificates? After all a CA is supposed to be a "Trusted Third Party". If a CA shows itself not to be trustworthy, then maybe the browser suppliers should remove them from the (default) list of trusted CAs.

      • by HiThere ( 15173 )

        If I understand what I'm seeing correctly, Firefox doesn't mark them as trusted, but it's not clear to me why they are grouped together with AddTrust, which is trusted. And a simple search says it is "powered by Comodo". Does this mean that they should also be untrusted?

    • by flopsquad ( 3518045 ) on Thursday June 23, 2016 @09:50PM (#52378143)
      Read their CEO's asinine post. I will never use a Comodo product. Asshats are one thing, but asshats who abuse the IP system and counter-blame the victims of their asshattery really grind my gears.
      • by iggie ( 183722 )

        Yeah, that's a lot of punctuation. Why do they have a pre-teen for a CEO?

      • by lucm ( 889690 )

        But you're ok with Apple, who sent the swat to break into a reporter's home after he gave them back the new iPhone an Apple employee left in a bar?

        • That's more a problem with the police than with Apple though, isn't it? Not that Apple was right in requesting such action, but the police never should have consented, regardless. Hitmen still get charged with murder, AFAIK.
          • by lucm ( 889690 )

            It was not the regular police, it was a special task force funded in part by big IT companies, including Apple.

        • 1) Apple does not have the power to send a SWAT team to do anything. Even with hundreds of billions in net worth, they are not a paramilitary force, and are not in the chain of command of any law enforcement organization that would have jurisdiction over that reporter's house. Apple asked law enforcement to investigate someone with photographic evidence of, and admitted $5000 payment for, an unreleased prototype device that they ought not to have. A judge issued a warrant (which may or may not have been
        • Apple don't send SWAT anywhere.

        • The reporter had admitted, in a public document, to selling expensive stuff that wasn't his. That's a pretty serious crime. Have you ever tried committing a serious crime and publicizing it widely? I wouldn't be surprised if the police paid you a visit.

  • by BenJeremy ( 181303 ) on Thursday June 23, 2016 @03:19PM (#52376335)

    PrivDog, Chomodo, hacks, and issuing certs to malware, Comodo is one company I'd steer clear from in any case.

    • by PatientZero ( 25929 ) on Thursday June 23, 2016 @03:35PM (#52376409)
      Who is authorized to certify the Certification Authorities, and what would it take to finally have Comodo's cert revoked?
      • Web browser makers "authorize" certificate authorities by accepting money from the CA to include their public keys in the web browser.

        OS makers also can authorize CAs for code signing by including their public keys in the OS.
        (I believe Java, being platform agnostic, has its own code signing methods separate from the OS it can run on)

        So just convince Google (chrome), Mozilla (Firefox), and Microsoft (IE/Edge) to stop accepting Comodo's tens of thousands of dollars each year and no longer include their CA pub

      • Who is authorized to certify the Certification Authorities,

        The software provider that provided the list of root certificate that your browser uses.
        Depending on your setup, it's either your OS provider...
        (e.g.:
        - Windows has a list of root certificates that are considered legit.
        - Most Linux distribution also pack such a list some where in /etc/ssl/certs or /var/lib/ca-certificates/pem) ...or your browser's provider.
        (e.g.:
        - Firefox comes with its own list of root certificates)

        and what would it take to finally have Comodo's cert revoked?

        If the software provider decides that Comodo is not trustworthy, all of the above players can

      • Who is authorized to certify the Certification Authorities, and what would it take to finally have Comodo's cert revoked?

        In your software and/or browsers, you are the ultimate authority. Don't like Comodo? Remove their root cert from your trust store.

    • PrivDog, Chomodo, hacks, and issuing certs to malware, Comodo is one company I'd steer clear from in any case.

      Shit, Namecheap still uses them for their resold SSL certs. If Namecheap doesn't have another option next time I need to renew one, I'm going elsewhere. That would be a pain, but I'm officially done with Comodo after this - seven strikes and I'm stupid for not calling you out on three.

  • Drop Comodo CA (Score:3, Insightful)

    by Anonymous Coward on Thursday June 23, 2016 @03:40PM (#52376425)

    With everything Comodo has done, or not done, that should have gotten them removed, maybe we should push to have the Comodo CA certs dropped from the products and platforms of sponsors "EFF, Mozilla, Cisco, Akamai and others".

  • Comodo have facebook pages, twitter, accounts, contact forms on their website and email addresses. Go and tell them what you think of this.
  • by LetterRip ( 30937 ) on Thursday June 23, 2016 @04:14PM (#52376659)

    In the US if you use a trademark, you own the the trademark even if you haven't registered it. Since it is already being used in commerce for that mark, the application shouldn't be successful and can be challenged in the courts if it is granted.

    • by mysidia ( 191772 )

      They can't exclude LetsEncrypt from Using it, BUT They might be able to stop LestEncrypt from trademarking it.

      Their planned disruption could be not to get the Trademark, but to start using the name for something disreputable.

      Stop LE from getting their mark AND dilute the name by intentionally abusing it.

    • by taustin ( 171655 )

      Have they consistently - every time - claimed a trademark on it? And enforced that claim consistently? If not, then they have no enforceable claim to it.

      They do, however, have an enforceable right to keep using it if they were before the application from slimebags was filed.

  • How does that tagline sound?

    • by GioMac ( 862536 )

      That's a good idea and easy to do, I won't buy anything from Comodo from on now.

      • by mysidia ( 191772 )

        I was thinking more along the lines of requesting that Browsers drop their CAs' from the Trust store for reasons along the line of Bad Faith behavior / Attempting to fraudulently or deceptively appropriate the names of other organizations in a manner unbecoming of a Trusted Authority or ID certification agency.

  • This is like the Linux trade mark wars [wikipedia.org] all over again. There's always some sleazy company trying to benefit from people's good will.

  • by epine ( 68316 ) on Thursday June 23, 2016 @04:38PM (#52376795)

    Moxie Marlinspike tells a story about Comodo at BlackHat 2011 [youtu.be]

    The bit at 8m22 is priceless.

    Comodo founder:

    This [attack] was extremely sophisticated and critically executed. It was a very well orchestrated, very clinical attack, and the attacker knew exactly what they needed to do and how fast they had to operate.

    The hacker turns out to be a script-kiddie who got the technique from an introductory hacking video.

    Comodo continues to embarrass themselves as the story unfolds, with their CEO finally complaining that all this wouldn't be a problem if man-in-the-middle wasn't possible. Huh? Aren't you in the business of selling the solution to the MITM problem?

    What happened to Comodo? Nothing. Their business didn't suffer, they didn't lose customers. In fact, the only thing that happened was that their CEO was named "entrepreneur of the year" at RSA 2011.

  • by ilsaloving ( 1534307 ) on Thursday June 23, 2016 @05:16PM (#52376997)

    How is it that they haven't had their issuer's license revoked already? They've already been found wanting as a cert provider, since they seem to have no qualms about issuing fraudulent certificates.

    And now they're trying to fraudulently use someone else's trademark?

    How much more fraud will they be allowed to perform before someone gives them a serious slap?

    Oh, wait, what am I thinking... This is the US. As long as their shareholders are happy they could rape, pillage and burn entire towns and no one would care.

    • ...They've already been found wanting as a cert provider,...

      I've seen Comodo certs on sites like Comcast's site login.comcast.net. It appears that Comodo has gotten its fingers deep into our infrastructure.

    • After reading their CEO's reply in the update, I'd suggest they try to register the trademark "90." It's their business model. Or maybe they should trademark "FREE!"

  • I stopped using Comodo for my SSL certs when I read about their MitM attacks [emsisoft.com] using SSL certs. To me, it appears that they are not a suitable vendor for anything security related.

    .
    This Let's Encrypt fiasco is just another example of how low Comodo's business practices really are.

    • Given how unprincipled /. moderators are (see any thread [slashdot.org] about whether a /. moderator will pay to see the next Star Wars movie and keep in mind Disney's behavior on DRM and copyright term extension, for instance), I'd say you're sadly in the minority. Cases like this are ample reason to refuse to do business with organizations that treat us badly, but /. moderators became far more concerned with convenience at any price.
  • Horrible statement (Score:5, Informative)

    by Wuhao ( 471511 ) on Thursday June 23, 2016 @07:12PM (#52377569)

    I actually didn't really want to read too deeply into this when the article first came up. I figured it could be a thorny issue and that maybe Comodo had previously used "Let's Encrypt" in marketing somewhere prior to the free campaign. Then I read their CEO's statement, and it's pretty clear that he just plain feels threatened and he acts as if he invented the concept of a 90-day free trial. I can certainly see where he could be losing money; but I guess as an onlooker, if someone can come along and take your money that way, your position was pretty weak in the first place.

    So I guess I'd say I now feel that attempting to register this trademark seems pretty abusive, and the person who convinced me of that was Comodo's CEO in his post on his company's forums.

    • Ditto. After reading his comment I was thinking:

      "You and your company are being jerks....stop it."

      Though the only Comodo product I use is their free s/mime e-mail cert. I used to get them from thawte, but they stopped doing it.

    • by deniable ( 76198 )
      It's funny that he treats "Let's Encrypt" as a legitimate business. His lawyers just face-palmed.
    • he acts as if he invented the concept of a 90-day free trial

      He apparently thinks of it in the same way as a design patent:

      "Of course it's a new invention! We invented the 90-day free trial... for an ssl."

    • as if he invented the concept of a 90-day free trial

      There's a bit of difference between an one-time evaluation that can't be extended, and an automated repeated process that continually renews certs.

  • After reading the post by Comodo's "leader," I'd suggest that Comodo abandon "Let's Encrypt" before a court shames them. If the jackass wants a trademark, I'd suggest he try to register "90."
    • That guy is a embarrassment.

      The very idea that a CEO would respond in an online forum about this kind of thing is ridiculous. To make such a poor argument, on top of the poor judgement to even comment, is inexcusable.

      Gavin Belson would be the only "person" I'd expect to do this.

  • Its like a piece of art. Let's Encrypt made their art, put it out there, and then came along the bully trying to steal the art of the project Let's Encrypt. The question here is, if someone else made the art and Comodo had nothing to do with it, how could they come in and claim ownership of some part of the art? Under the 1st amendment someone else made that art. Should we not honor the ownership and creator of that art? Should we not have a mechanism to stop Comodo from attempting to steal ownership of the

  • by InvisiBill ( 706958 ) <slashdot@invisib ... net minus author> on Thursday June 23, 2016 @11:15PM (#52378409) Homepage
    In the linked forum thread, from robinalden (Comodo Staff):

    With LE now being an operational business, we were never going to take the these trademark applications any further. Josh posted a link to the application and as of February 8th it was already in a state where it will lapse.
    Josh was wrong when he said we’d “refused to abandon our applications”. We just hadn’t told LE we would leave them to lapse.
    We have now communicated this to LE.

  • I've used Comodo's firewall for years. I have now removed it from all but one computer, which I don't use all that much anymore. When I am assured that Comodo has, in fact, abandoned its efforts to steal "Let's Encrypt", I'll go back. I like their firewall, and it will hurt to go through all the little adjustments that get the replacement (Kaspersky Internet Security) working exactly the way I like.

  • Some stats from the CEO's first post:
    Free SSL: mentioned 9 times, 7 of them in one paragraph;
    Comodo: only 3 times

    Seems they should leave Let's Encrypt alone and go with Free SSL instead.

One man's "magic" is another man's engineering. "Supernatural" is a null word. -- Robert Heinlein

Working...