Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]

from the that's-just-bad dept

See the update at the end

Almost two years ago, we excitedly wrote about the announcement behind Let's Encrypt, a free certificate authority that was focused on dramatically lowering the hurdles towards protecting much more of the internet with HTTPS encrypted connections. It took a while to launch, but it finally did and people have been gobbling up those certificates at a rapid rate and getting more and more of the web encrypted. This is a good thing.

Unfortunately, it appears the old guard of certificate authorities doesn't like this very much. Comodo, which has provided certificates for quite some time (and, in fact, is where Techdirt's certificate comes from) has apparently, somewhat ridiculously, been trying to trademark versions of "Let's Encrypt." The most troubling one is the one on purely "Let's Encrypt," but the other two (Comodo Let's Encrypt and Let's Encrypt with Comodo) are equally problematic -- especially since (as Comodo admits directly) it's never used that phrase in offering its existing certificates.

This seems like a clear situation where Comodo is seeking to confuse the market -- and thus the clear case where trademark law actually makes some sense. As we've said basically forever, trademark is quite different than copyrights and patents, in that it was really designed as a consumer protection law, to keep consumers from being tricked into buying something that they believe is from a different entity. Trademarks are widely and frequently abused, but there are times where the original intent of consumer protection makes sense, and this seems like one of them. What's incredible is that when Let's Encrypt reached out to Comodo about this, the company refused to abandon the attempt to trademark these names.
Since March of 2016 we have repeatedly asked Comodo to abandon their “Let’s Encrypt” applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of “Let’s Encrypt” in relation to Internet security, including SSL/TLS certificates – both in terms of length of use and in terms of the widespread public association of that brand with our organization.

If necessary, we will vigorously defend the Let’s Encrypt brand we’ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its “Let’s Encrypt” trademark applications so we can focus all of our energy on improving the Web.
At the very least, this kind of stupid stunt has me reconsidering if we should ever use Comodo's certificates on our site going forward. We've been a happy Comodo customer for many years, but I hate supporting bullies. Update: And... of course, after this goes public, Comodo suddenly backs down. Of course that doesn't explain why it refused to do so when asked months ago.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    David, 24 Jun 2016 @ 1:04pm

    I am a happy customer of Let's Encrypt. This is slimy, indeed. If I were you, Mike, I'd ditch Comodo and make sure they knew exactly why.

    However, I disagree that they're trying to confuse the market so much as put the hurt on Let's Encrypt. Long term plan: get the marks, then sue LE, hopefully out of existence. Here's an entity giving away what Comodo sells.

    reply to this | link to this | view in chronology ]

  • icon
    Zarvus (profile), 24 Jun 2016 @ 1:18pm

    Comodo is also the one who appears to have done some janky shit with their "secure" software. You probably shouldn't be using them at all.

    The one where Comodo replaces Chrome with their own, less-secure (and for Chrome that's saying something) browser:
    http://www.theregister.co.uk/2016/02/02/google_disses_chromodo/

    "As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo's own browser, Chromodo.

    That little bit of crapware isn't secure at all: it's set as the default browser, and "all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices," Google's Tavis Ormandy notes.

    Chromodo is promoted as a "private browser" on Comodo's website, but it's not only not private, it's not remotely safe to use, because it also disables Chrome's same-origin policy.

    The same-origin policy enforces a rule that one script can only access data in another script if they're both from the same site. Without it, users are exposed to malicious sites sniffing private data.

    Google went public with the feature bug because Comodo was unresponsive, we're told."

    The one where Comodo's security kit installed an unprotected VNC server on host PCs:

    http://www.theregister.co.uk/2016/02/18/comodo_flaw/

    "When installing Comodo Anti-Virus, Comodo Firewall, or Comodo Internet Security on a Windows PC, you'll get a program called GeekBuddy, which Comodo staff can use to carry out remote technical support on people's PCs (in exchange for money).

    GeekBuddy allows this by installing a VNC server that has admin-level privileges, is enabled by default, and is open to the local network. At one point the server had no password protection at all – so anyone could connect and commandeer a system. That was fixed by enabling password protection, although Ormandy discovered the passwords were predictable.

    If you're running Comodo's software, malware on your PC, miscreants on your network, or perhaps anyone on the internet, could have potentially gained control over your computer."

    I wouldn't trust them with my money and security. Especially not if they are doing this shady-looking shit with Let's Encrypt.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jun 2016 @ 1:51pm

      Re:

      There's also this piece of slimy behavior from Comodo's CEO:

      Software Privdog worse than Superfish

      It appears that Comodo is run by dishonest sleazeballs who don't care about security, privacy or encryption: only their own profits. Time to make sure that everyone knows this. I'll be spreading the word on Monday morning throughout the corporation that all their products are to be decommissioned and that they are to be placed on the same purchasing blacklist as Sony.

      reply to this | link to this | view in chronology ]

      • icon
        Zarvus (profile), 24 Jun 2016 @ 1:57pm

        Re: Re:

        Oh, I'd forgotten about that. It's even worse than the other two examples. They definitely seem interested in profits over providing a quality service and experience, to the detriment of their users.

        reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 24 Jun 2016 @ 2:28pm

      Re:

      Yes, this.

      The best thing I can possibly say about Comodo is that they are not trustworthy.

      reply to this | link to this | view in chronology ]

  • icon
    Dave Cortright (profile), 24 Jun 2016 @ 1:27pm

    Dump Comodo now

    Mike, if TechDirt dumps Comodo now, and others do too, perhaps that will send them an appropriate message.

    Personally I wanted to use Let's Encrypt for a new site I configured recently, but after spending the better part of a day trying to get it to work, I gave up and went with the option that my host (NameCheap) provided for $2.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2016 @ 1:44pm

    Fuck you, Comodo.

    reply to this | link to this | view in chronology ]

  • icon
    Steerpike (profile), 24 Jun 2016 @ 1:48pm

    Let's Encrypt can oppose if/when the Comodo applications are published.

    Let's Encrypt should have filed for registration previously, and they wouldn't be in this situation. Even if Comodo get the registration, however, they can't stop Let's Encrypt from using the mark in places where Let's Encrypt has priority (and when you're talking about the internet, that's potentially anywhere, though I guess it would be limited to places where they can show "sales").

    reply to this | link to this | view in chronology ]

    • icon
      Zarvus (profile), 24 Jun 2016 @ 1:53pm

      Re:

      Just because they may not have legal right to it as a trademark doesn't mean that a) the trademark office won't issue it anyway and b) they can't sue. They can very easily sue and try to drive Let's Encrypt out of business. From the looks of it they filed one of their three trademark attempts on October 2015:

      http://tsdr.uspto.gov/#caseNumber=86790719&caseType=SERIAL_NO&searchType=statusSearch

      Th is one specifically is just for "Let's Encrypt". They haven't been granted that one yet, but it hasn't been denied, either.

      reply to this | link to this | view in chronology ]

      • icon
        Steerpike (profile), 24 Jun 2016 @ 1:56pm

        Re: Re:

        The trademark examiner might well let it go through to publication, though he shouldn't. But that's what the opposition proceeding is for - to make sure that marks the USPTO has let go through wrongfully to publication can still be opposed by a third party before they actually get registered.

        The problem is, maintaining an opposition proceeding isn't exactly cheap.

        reply to this | link to this | view in chronology ]

      • icon
        Steerpike (profile), 24 Jun 2016 @ 1:58pm

        Re: Re:

        Zarvus - with respect to the mark you linked, it looks like the USPTO is about to let that one go through to publication. The Examiner has send there are no confusingly similar registered or pending marks. Just some formalities, and they're going to let it through I predict.

        reply to this | link to this | view in chronology ]

        • icon
          Zarvus (profile), 24 Jun 2016 @ 2:04pm

          Re: Re: Re:

          That's the thing I don't understand - a simple Google search would show no instances of Comodo using that and plenty of instances of EFF etc. using Let's Encrypt prior to the application, _in the same security space_. Does the USPTO not have a computer and internet connection? I must not be familiar enough with trademark law and/or confusing it with patent law. It'd be like me finding any business that has a name without an official trademark, filing a trademark application, getting the trademark, and then suing them and making them change their name even though they were clearly using it first. It makes no sense.

          reply to this | link to this | view in chronology ]

          • icon
            Steerpike (profile), 24 Jun 2016 @ 2:22pm

            Re: Re: Re: Re:

            They do have the ability to search that. I have received rejections based on non-registered uses that the examiner found on the internet. But often it seems like the trademark examiners just rely on their application/registration database (like patent examiners rely on the pending/issued patent database) and don't look beyond that.

            You can still get a registration even if a non-registered entity is already using the name, but you can't go in and stop them. Traditionally this is limited by geographic location. For example, if I own a chain of restaurants in Los Angeles, and you're in New York and we have the same name...if I was there first but didn't register it and you did, you have presumptive nationwide rights to the name EXCEPT in Los Angeles, where I priority over you. You can't come into L.A. and stop me using the name.

            This was relatively easy to figure out in the pre-internet days, but of course now everyone is online so the boundaries become a bit more fuzzy.

            reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 24 Jun 2016 @ 1:56pm

      Re:

      That assumes Let's Encrypt can afford to pay the lawyers to protect their priority rights. In case you haven't notice, in the US in particular, Money beats the letter of the law whenever one entity has vastly more money that another one.

      reply to this | link to this | view in chronology ]

    • icon
      Mike Masnick (profile), 24 Jun 2016 @ 2:45pm

      Re:

      Let's Encrypt should have filed for registration previously, and they wouldn't be in this situation.

      Blech. I understand this advice, and I understand why lots of lawyers say this, but I think it's lame and only encourages over registration. Let's Encrypt has a perfectly viable common law mark on the name without registering it.

      reply to this | link to this | view in chronology ]

      • icon
        Steerpike (profile), 24 Jun 2016 @ 3:21pm

        Re: Re:

        They do have viable common law rights, and it's too bad you have to do things defensively to protect against abuse of the system. But these days particularly, with every business on the internet, it makes sense to spend the $1000 or so to get the registration. If Comodo hadn't dropped this, Let's Encrypt would spend a lot more than that having to oppose these marks or deal with a Comodo registration.

        The problem here, apart from Comodo's bad behavior, is that the trademark examiner didn't conduct a proper search. If he had, the Let's Encrypt common law mark would have turned up.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2016 @ 2:39pm

    Comodo's backdown

    And... of course, after this goes public, Comodo suddenly backs down. Of course that doesn't explain why it refused to do so when asked months ago.

    All this means is that they're cowards who are unwilling to take ownership of their own actions. They'll do it again -- or something similar -- as soon as they think nobody's watching. So not only they sleazeballs, they're wimps: afraid to take public criticism for their actions, skulking in the shadows, waiting for their next opportunity to rip off the public when they think they can evade scrutiny.

    Disgusting.

    reply to this | link to this | view in chronology ]

  • icon
    Mike Masnick (profile), 24 Jun 2016 @ 2:43pm

    Updated

    with the news that Comodo has now backed down...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2016 @ 3:48pm

    Did you see their response to Ars' request for an interview?

    "...these kind of Intellectual copyrights can't be decided over a forum post or Twitter account or trying to get your loyal but 'blind' followers to bully another enterprise via their tweets. It won't work! This is not wild west and there are legal framework and courts for these kind of disputes. So let's all stop being the judge and jury and follow the law!"

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 24 Jun 2016 @ 7:12pm

      Re:

      Yes, let's follow the law! The law says that I can be as judgmental as I like, and express my opinion publicly as well!

      reply to this | link to this | view in chronology ]

    • icon
      Dan (profile), 25 Jun 2016 @ 5:18am

      Re:

      So let's all stop being the judge and jury and follow the law!

      Translation: We deserve to do whatever the courts and the PTO will let us get away with, without any criticism from anyone else! Only once we've been definitively held to have been violating the law, and all appeals exhausted, can anyone say we were doing the wrong thing!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2016 @ 3:50pm

    It's never a good idea to prioritize legal above reputation when your entire business is based upon your reputation. I suspect there's a schism at Comodo right now, as on the one hand they seem to be making some poor financially-motivated decisions right now, but on the other, they actually do take down certificates (and even blacklist individuals) when complaints are raised.

    reply to this | link to this | view in chronology ]

  • icon
    Will Sizemore (profile), 24 Jun 2016 @ 4:11pm

    Revisionist History Being Made Here

    "Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution."

    Double Plus Good!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 24 Jun 2016 @ 6:25pm

    Comodo used to be the only "free" antivirus

    Given what they've done, what would be the $0 cost antivirus to chose rather then Comodo?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 25 Jun 2016 @ 1:09am

      Re: Comodo used to be the only "free" antivirus

      Linux.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Jun 2016 @ 6:46am

        Re: Re: Comodo used to be the only "free" antivirus

        Linux.

        If I wanted something better and with less problems I'd run a real OS - FreeBSD not some wierd-assed GNU/Linux crap.

        reply to this | link to this | view in chronology ]

      • identicon
        tracyanne, 27 Jun 2016 @ 9:56pm

        Re: Re: Comodo used to be the only "free" antivirus

        Linux

        Already done and dusted, currently converting neighbours as fast as they bring in their Win10 computers.

        reply to this | link to this | view in chronology ]

    • icon
      Dan (profile), 25 Jun 2016 @ 4:33am

      Re: Comodo used to be the only "free" antivirus

      I use AVG on my windows machines, and Sophos on my Mac. Both free.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 25 Jun 2016 @ 7:00am

        Re: Re: Comodo used to be the only "free" antivirus

        I use AVG on my windows machines, and Sophos on my Mac. Both free.

        Thank you for actually answering the question VS the "just move to linux" crap answer.

        I used to use AVG 'till they did the "we've mailed you this bill - please pay it" move. Then moved to Comodo as their license was not "$0 for home" - at the time of the licence reading ANYONE could use it. Guess its time to move back to AVG because the bill thing was a crap move, Comodo is worse at this point.
        (Sophos and AVG seem to be $0 for "home". For commercial use....pay up sucka)

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Jun 2016 @ 1:31pm

      Re: Comodo used to be the only

      BitDefender, mcafee both have free versions.

      reply to this | link to this | view in chronology ]

  • icon
    afn29129 (profile), 25 Jun 2016 @ 2:37am

    What is planned next Comodo?

    What sort of devious plans do you still have up your sleeves Comodo? Now that your reputation has been made everyone will be watching you. Try and keep your nose clean.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Jun 2016 @ 8:48am

    EFF/Chrome/Firefox death penalty for Comodo

    Remove Comodo certs.

    Done.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 25 Jun 2016 @ 11:27am

    Boycott Comodo. Donate to EFF.

    reply to this | link to this | view in chronology ]

  • icon
    Matthew Cline (profile), 25 Jun 2016 @ 9:13pm

    On the positive side, now a lot more people know about Let's Encrypt.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.