Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]

from the that's-just-bad dept

See the update at the end

Almost two years ago, we excitedly wrote about the announcement behind Let’s Encrypt, a free certificate authority that was focused on dramatically lowering the hurdles towards protecting much more of the internet with HTTPS encrypted connections. It took a while to launch, but it finally did and people have been gobbling up those certificates at a rapid rate and getting more and more of the web encrypted. This is a good thing.

Unfortunately, it appears the old guard of certificate authorities doesn’t like this very much. Comodo, which has provided certificates for quite some time (and, in fact, is where Techdirt’s certificate comes from) has apparently, somewhat ridiculously, been trying to trademark versions of “Let’s Encrypt.” The most troubling one is the one on purely “Let’s Encrypt,” but the other two (Comodo Let’s Encrypt and Let’s Encrypt with Comodo) are equally problematic — especially since (as Comodo admits directly) it’s never used that phrase in offering its existing certificates.

This seems like a clear situation where Comodo is seeking to confuse the market — and thus the clear case where trademark law actually makes some sense. As we’ve said basically forever, trademark is quite different than copyrights and patents, in that it was really designed as a consumer protection law, to keep consumers from being tricked into buying something that they believe is from a different entity. Trademarks are widely and frequently abused, but there are times where the original intent of consumer protection makes sense, and this seems like one of them. What’s incredible is that when Let’s Encrypt reached out to Comodo about this, the company refused to abandon the attempt to trademark these names.

Since March of 2016 we have repeatedly asked Comodo to abandon their ?Let?s Encrypt? applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of ?Let?s Encrypt? in relation to Internet security, including SSL/TLS certificates ? both in terms of length of use and in terms of the widespread public association of that brand with our organization.

If necessary, we will vigorously defend the Let?s Encrypt brand we?ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its ?Let?s Encrypt? trademark applications so we can focus all of our energy on improving the Web.

At the very least, this kind of stupid stunt has me reconsidering if we should ever use Comodo’s certificates on our site going forward. We’ve been a happy Comodo customer for many years, but I hate supporting bullies. Update: And… of course, after this goes public, Comodo suddenly backs down. Of course that doesn’t explain why it refused to do so when asked months ago.

Filed Under: , , , , ,
Companies: comodo, let's encrypt

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]”

Subscribe: RSS Leave a comment
David says:

I am a happy customer of Let’s Encrypt. This is slimy, indeed. If I were you, Mike, I’d ditch Comodo and make sure they knew exactly why.

However, I disagree that they’re trying to confuse the market so much as put the hurt on Let’s Encrypt. Long term plan: get the marks, then sue LE, hopefully out of existence. Here’s an entity giving away what Comodo sells.

Zarvus (profile) says:

Comodo is also the one who appears to have done some janky shit with their “secure” software. You probably shouldn’t be using them at all.

The one where Comodo replaces Chrome with their own, less-secure (and for Chrome that’s saying something) browser:

“As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo’s own browser, Chromodo.

That little bit of crapware isn’t secure at all: it’s set as the default browser, and “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices,” Google’s Tavis Ormandy notes.

Chromodo is promoted as a “private browser” on Comodo’s website, but it’s not only not private, it’s not remotely safe to use, because it also disables Chrome’s same-origin policy.

The same-origin policy enforces a rule that one script can only access data in another script if they’re both from the same site. Without it, users are exposed to malicious sites sniffing private data.

Google went public with the feature bug because Comodo was unresponsive, we’re told.”

The one where Comodo’s security kit installed an unprotected VNC server on host PCs:

“When installing Comodo Anti-Virus, Comodo Firewall, or Comodo Internet Security on a Windows PC, you’ll get a program called GeekBuddy, which Comodo staff can use to carry out remote technical support on people’s PCs (in exchange for money).

GeekBuddy allows this by installing a VNC server that has admin-level privileges, is enabled by default, and is open to the local network. At one point the server had no password protection at all – so anyone could connect and commandeer a system. That was fixed by enabling password protection, although Ormandy discovered the passwords were predictable.

If you’re running Comodo’s software, malware on your PC, miscreants on your network, or perhaps anyone on the internet, could have potentially gained control over your computer.”

I wouldn’t trust them with my money and security. Especially not if they are doing this shady-looking shit with Let’s Encrypt.

Anonymous Coward says:

Re: Re:

There’s also this piece of slimy behavior from Comodo’s CEO:

Software Privdog worse than Superfish

It appears that Comodo is run by dishonest sleazeballs who don’t care about security, privacy or encryption: only their own profits. Time to make sure that everyone knows this. I’ll be spreading the word on Monday morning throughout the corporation that all their products are to be decommissioned and that they are to be placed on the same purchasing blacklist as Sony.

Dave Cortright says:

Dump Comodo now

Mike, if TechDirt dumps Comodo now, and others do too, perhaps that will send them an appropriate message.

Personally I wanted to use Let’s Encrypt for a new site I configured recently, but after spending the better part of a day trying to get it to work, I gave up and went with the option that my host (NameCheap) provided for $2.

Steerpike (profile) says:

Let’s Encrypt can oppose if/when the Comodo applications are published.

Let’s Encrypt should have filed for registration previously, and they wouldn’t be in this situation. Even if Comodo get the registration, however, they can’t stop Let’s Encrypt from using the mark in places where Let’s Encrypt has priority (and when you’re talking about the internet, that’s potentially anywhere, though I guess it would be limited to places where they can show “sales”).

Zarvus (profile) says:

Re: Re:

Just because they may not have legal right to it as a trademark doesn’t mean that a) the trademark office won’t issue it anyway and b) they can’t sue. They can very easily sue and try to drive Let’s Encrypt out of business. From the looks of it they filed one of their three trademark attempts on October 2015:

This one specifically is just for “Let’s Encrypt”. They haven’t been granted that one yet, but it hasn’t been denied, either.

Steerpike (profile) says:

Re: Re: Re:

The trademark examiner might well let it go through to publication, though he shouldn’t. But that’s what the opposition proceeding is for – to make sure that marks the USPTO has let go through wrongfully to publication can still be opposed by a third party before they actually get registered.

The problem is, maintaining an opposition proceeding isn’t exactly cheap.

Zarvus (profile) says:

Re: Re: Re: Re:

That’s the thing I don’t understand – a simple Google search would show no instances of Comodo using that and plenty of instances of EFF etc. using Let’s Encrypt prior to the application, in the same security space. Does the USPTO not have a computer and internet connection? I must not be familiar enough with trademark law and/or confusing it with patent law. It’d be like me finding any business that has a name without an official trademark, filing a trademark application, getting the trademark, and then suing them and making them change their name even though they were clearly using it first. It makes no sense.

Steerpike (profile) says:

Re: Re: Re:2 Re:

They do have the ability to search that. I have received rejections based on non-registered uses that the examiner found on the internet. But often it seems like the trademark examiners just rely on their application/registration database (like patent examiners rely on the pending/issued patent database) and don’t look beyond that.

You can still get a registration even if a non-registered entity is already using the name, but you can’t go in and stop them. Traditionally this is limited by geographic location. For example, if I own a chain of restaurants in Los Angeles, and you’re in New York and we have the same name…if I was there first but didn’t register it and you did, you have presumptive nationwide rights to the name EXCEPT in Los Angeles, where I priority over you. You can’t come into L.A. and stop me using the name.

This was relatively easy to figure out in the pre-internet days, but of course now everyone is online so the boundaries become a bit more fuzzy.

Mike Masnick (profile) says:

Re: Re:

Let’s Encrypt should have filed for registration previously, and they wouldn’t be in this situation.

Blech. I understand this advice, and I understand why lots of lawyers say this, but I think it’s lame and only encourages over registration. Let’s Encrypt has a perfectly viable common law mark on the name without registering it.

Steerpike (profile) says:

Re: Re: Re:

They do have viable common law rights, and it’s too bad you have to do things defensively to protect against abuse of the system. But these days particularly, with every business on the internet, it makes sense to spend the $1000 or so to get the registration. If Comodo hadn’t dropped this, Let’s Encrypt would spend a lot more than that having to oppose these marks or deal with a Comodo registration.

The problem here, apart from Comodo’s bad behavior, is that the trademark examiner didn’t conduct a proper search. If he had, the Let’s Encrypt common law mark would have turned up.

Anonymous Coward says:

Comodo's backdown

And… of course, after this goes public, Comodo suddenly backs down. Of course that doesn’t explain why it refused to do so when asked months ago.

All this means is that they’re cowards who are unwilling to take ownership of their own actions. They’ll do it again — or something similar — as soon as they think nobody’s watching. So not only they sleazeballs, they’re wimps: afraid to take public criticism for their actions, skulking in the shadows, waiting for their next opportunity to rip off the public when they think they can evade scrutiny.


Anonymous Coward says:

Did you see their response to Ars’ request for an interview?

“…these kind of Intellectual copyrights can’t be decided over a forum post or Twitter account or trying to get your loyal but ‘blind’ followers to bully another enterprise via their tweets. It won’t work! This is not wild west and there are legal framework and courts for these kind of disputes. So let’s all stop being the judge and jury and follow the law!”

Anonymous Coward says:

It’s never a good idea to prioritize legal above reputation when your entire business is based upon your reputation. I suspect there’s a schism at Comodo right now, as on the one hand they seem to be making some poor financially-motivated decisions right now, but on the other, they actually do take down certificates (and even blacklist individuals) when complaints are raised.

Anonymous Coward says:

Re: Re: Comodo used to be the only "free" antivirus

I use AVG on my windows machines, and Sophos on my Mac. Both free.

Thank you for actually answering the question VS the “just move to linux” crap answer.

I used to use AVG ’till they did the “we’ve mailed you this bill – please pay it” move. Then moved to Comodo as their license was not “$0 for home” – at the time of the licence reading ANYONE could use it. Guess its time to move back to AVG because the bill thing was a crap move, Comodo is worse at this point.
(Sophos and AVG seem to be $0 for “home”. For commercial use….pay up sucka)

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...