Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]
from the that's-just-bad dept
See the update at the end
Almost two years ago, we excitedly wrote about the announcement behind Let’s Encrypt, a free certificate authority that was focused on dramatically lowering the hurdles towards protecting much more of the internet with HTTPS encrypted connections. It took a while to launch, but it finally did and people have been gobbling up those certificates at a rapid rate and getting more and more of the web encrypted. This is a good thing.
Unfortunately, it appears the old guard of certificate authorities doesn’t like this very much. Comodo, which has provided certificates for quite some time (and, in fact, is where Techdirt’s certificate comes from) has apparently, somewhat ridiculously, been trying to trademark versions of “Let’s Encrypt.” The most troubling one is the one on purely “Let’s Encrypt,” but the other two (Comodo Let’s Encrypt and Let’s Encrypt with Comodo) are equally problematic — especially since (as Comodo admits directly) it’s never used that phrase in offering its existing certificates.
This seems like a clear situation where Comodo is seeking to confuse the market — and thus the clear case where trademark law actually makes some sense. As we’ve said basically forever, trademark is quite different than copyrights and patents, in that it was really designed as a consumer protection law, to keep consumers from being tricked into buying something that they believe is from a different entity. Trademarks are widely and frequently abused, but there are times where the original intent of consumer protection makes sense, and this seems like one of them. What’s incredible is that when Let’s Encrypt reached out to Comodo about this, the company refused to abandon the attempt to trademark these names.
Since March of 2016 we have repeatedly asked Comodo to abandon their ?Let?s Encrypt? applications, directly and through our attorneys, but they have refused to do so. We are clearly the first and senior user of ?Let?s Encrypt? in relation to Internet security, including SSL/TLS certificates ? both in terms of length of use and in terms of the widespread public association of that brand with our organization.
If necessary, we will vigorously defend the Let?s Encrypt brand we?ve worked so hard to build. That said, our organization has limited resources and a protracted dispute with Comodo regarding its improper registration of our trademarks would significantly and unnecessarily distract both organizations from the core mission they should share: creating a more secure and privacy-respecting Web. We urge Comodo to do the right thing and abandon its ?Let?s Encrypt? trademark applications so we can focus all of our energy on improving the Web.
At the very least, this kind of stupid stunt has me reconsidering if we should ever use Comodo’s certificates on our site going forward. We’ve been a happy Comodo customer for many years, but I hate supporting bullies. Update: And… of course, after this goes public, Comodo suddenly backs down. Of course that doesn’t explain why it refused to do so when asked months ago.
Filed Under: certificate authority, certificates, competition, https, let's encrypt, trademark
Companies: comodo, let's encrypt
Comments on “Super Slimey: Comodo Tries To Trademark 'Let's Encrypt' [Updated]”
I am a happy customer of Let’s Encrypt. This is slimy, indeed. If I were you, Mike, I’d ditch Comodo and make sure they knew exactly why.
However, I disagree that they’re trying to confuse the market so much as put the hurt on Let’s Encrypt. Long term plan: get the marks, then sue LE, hopefully out of existence. Here’s an entity giving away what Comodo sells.
Comodo is also the one who appears to have done some janky shit with their “secure” software. You probably shouldn’t be using them at all.
The one where Comodo replaces Chrome with their own, less-secure (and for Chrome that’s saying something) browser:
http://www.theregister.co.uk/2016/02/02/google_disses_chromodo/
“As explained in this advisory today, users who install Comodo Internet Security may not realize that their Chrome installation is replaced with Comodo’s own browser, Chromodo.
That little bit of crapware isn’t secure at all: it’s set as the default browser, and “all shortcuts are replaced with Chromodo links and all settings, cookies, etc are imported from Chrome. They also hijack DNS settings, among other shady practices,” Google’s Tavis Ormandy notes.
Chromodo is promoted as a “private browser” on Comodo’s website, but it’s not only not private, it’s not remotely safe to use, because it also disables Chrome’s same-origin policy.
The same-origin policy enforces a rule that one script can only access data in another script if they’re both from the same site. Without it, users are exposed to malicious sites sniffing private data.
Google went public with the feature bug because Comodo was unresponsive, we’re told.”
The one where Comodo’s security kit installed an unprotected VNC server on host PCs:
http://www.theregister.co.uk/2016/02/18/comodo_flaw/
“When installing Comodo Anti-Virus, Comodo Firewall, or Comodo Internet Security on a Windows PC, you’ll get a program called GeekBuddy, which Comodo staff can use to carry out remote technical support on people’s PCs (in exchange for money).
GeekBuddy allows this by installing a VNC server that has admin-level privileges, is enabled by default, and is open to the local network. At one point the server had no password protection at all – so anyone could connect and commandeer a system. That was fixed by enabling password protection, although Ormandy discovered the passwords were predictable.
If you’re running Comodo’s software, malware on your PC, miscreants on your network, or perhaps anyone on the internet, could have potentially gained control over your computer.”
I wouldn’t trust them with my money and security. Especially not if they are doing this shady-looking shit with Let’s Encrypt.
Re: Re:
There’s also this piece of slimy behavior from Comodo’s CEO:
Software Privdog worse than Superfish
It appears that Comodo is run by dishonest sleazeballs who don’t care about security, privacy or encryption: only their own profits. Time to make sure that everyone knows this. I’ll be spreading the word on Monday morning throughout the corporation that all their products are to be decommissioned and that they are to be placed on the same purchasing blacklist as Sony.
Re: Re: Re:
Oh, I’d forgotten about that. It’s even worse than the other two examples. They definitely seem interested in profits over providing a quality service and experience, to the detriment of their users.
Re: Re:
Yes, this.
The best thing I can possibly say about Comodo is that they are not trustworthy.
Dump Comodo now
Mike, if TechDirt dumps Comodo now, and others do too, perhaps that will send them an appropriate message.
Personally I wanted to use Let’s Encrypt for a new site I configured recently, but after spending the better part of a day trying to get it to work, I gave up and went with the option that my host (NameCheap) provided for $2.
Fuck you, Comodo.
Let’s Encrypt can oppose if/when the Comodo applications are published.
Let’s Encrypt should have filed for registration previously, and they wouldn’t be in this situation. Even if Comodo get the registration, however, they can’t stop Let’s Encrypt from using the mark in places where Let’s Encrypt has priority (and when you’re talking about the internet, that’s potentially anywhere, though I guess it would be limited to places where they can show “sales”).
Re: Re:
Just because they may not have legal right to it as a trademark doesn’t mean that a) the trademark office won’t issue it anyway and b) they can’t sue. They can very easily sue and try to drive Let’s Encrypt out of business. From the looks of it they filed one of their three trademark attempts on October 2015:
http://tsdr.uspto.gov/#caseNumber=86790719&caseType=SERIAL_NO&searchType=statusSearch
This one specifically is just for “Let’s Encrypt”. They haven’t been granted that one yet, but it hasn’t been denied, either.
Re: Re: Re:
The trademark examiner might well let it go through to publication, though he shouldn’t. But that’s what the opposition proceeding is for – to make sure that marks the USPTO has let go through wrongfully to publication can still be opposed by a third party before they actually get registered.
The problem is, maintaining an opposition proceeding isn’t exactly cheap.
Re: Re: Re:
Zarvus – with respect to the mark you linked, it looks like the USPTO is about to let that one go through to publication. The Examiner has send there are no confusingly similar registered or pending marks. Just some formalities, and they’re going to let it through I predict.
Re: Re: Re: Re:
That’s the thing I don’t understand – a simple Google search would show no instances of Comodo using that and plenty of instances of EFF etc. using Let’s Encrypt prior to the application, in the same security space. Does the USPTO not have a computer and internet connection? I must not be familiar enough with trademark law and/or confusing it with patent law. It’d be like me finding any business that has a name without an official trademark, filing a trademark application, getting the trademark, and then suing them and making them change their name even though they were clearly using it first. It makes no sense.
Re: Re: Re:2 Re:
They do have the ability to search that. I have received rejections based on non-registered uses that the examiner found on the internet. But often it seems like the trademark examiners just rely on their application/registration database (like patent examiners rely on the pending/issued patent database) and don’t look beyond that.
You can still get a registration even if a non-registered entity is already using the name, but you can’t go in and stop them. Traditionally this is limited by geographic location. For example, if I own a chain of restaurants in Los Angeles, and you’re in New York and we have the same name…if I was there first but didn’t register it and you did, you have presumptive nationwide rights to the name EXCEPT in Los Angeles, where I priority over you. You can’t come into L.A. and stop me using the name.
This was relatively easy to figure out in the pre-internet days, but of course now everyone is online so the boundaries become a bit more fuzzy.
Re: Re:
That assumes Let’s Encrypt can afford to pay the lawyers to protect their priority rights. In case you haven’t notice, in the US in particular, Money beats the letter of the law whenever one entity has vastly more money that another one.
Re: Re:
Let’s Encrypt should have filed for registration previously, and they wouldn’t be in this situation.
Blech. I understand this advice, and I understand why lots of lawyers say this, but I think it’s lame and only encourages over registration. Let’s Encrypt has a perfectly viable common law mark on the name without registering it.
Re: Re: Re:
They do have viable common law rights, and it’s too bad you have to do things defensively to protect against abuse of the system. But these days particularly, with every business on the internet, it makes sense to spend the $1000 or so to get the registration. If Comodo hadn’t dropped this, Let’s Encrypt would spend a lot more than that having to oppose these marks or deal with a Comodo registration.
The problem here, apart from Comodo’s bad behavior, is that the trademark examiner didn’t conduct a proper search. If he had, the Let’s Encrypt common law mark would have turned up.
Comodo's backdown
And… of course, after this goes public, Comodo suddenly backs down. Of course that doesn’t explain why it refused to do so when asked months ago.
All this means is that they’re cowards who are unwilling to take ownership of their own actions. They’ll do it again — or something similar — as soon as they think nobody’s watching. So not only they sleazeballs, they’re wimps: afraid to take public criticism for their actions, skulking in the shadows, waiting for their next opportunity to rip off the public when they think they can evade scrutiny.
Disgusting.
Updated
with the news that Comodo has now backed down…
Did you see their response to Ars’ request for an interview?
Re: Re:
Yes, let’s follow the law! The law says that I can be as judgmental as I like, and express my opinion publicly as well!
Re: Re:
Translation: We deserve to do whatever the courts and the PTO will let us get away with, without any criticism from anyone else! Only once we’ve been definitively held to have been violating the law, and all appeals exhausted, can anyone say we were doing the wrong thing!
It’s never a good idea to prioritize legal above reputation when your entire business is based upon your reputation. I suspect there’s a schism at Comodo right now, as on the one hand they seem to be making some poor financially-motivated decisions right now, but on the other, they actually do take down certificates (and even blacklist individuals) when complaints are raised.
Revisionist History Being Made Here
“Following collaboration between Let’s Encrypt and Comodo, the trademark issue is now resolved and behind us and we’d like to thank the Let’s Encrypt team for helping to bring it to a resolution.”
Double Plus Good!
Comodo used to be the only "free" antivirus
Given what they’ve done, what would be the $0 cost antivirus to chose rather then Comodo?
Re: Comodo used to be the only "free" antivirus
Linux.
Re: Re: Comodo used to be the only "free" antivirus
Linux.
If I wanted something better and with less problems I’d run a real OS – FreeBSD not some wierd-assed GNU/Linux crap.
Re: Re: Comodo used to be the only "free" antivirus
Linux
Already done and dusted, currently converting neighbours as fast as they bring in their Win10 computers.
Re: Comodo used to be the only "free" antivirus
I use AVG on my windows machines, and Sophos on my Mac. Both free.
Re: Re: Comodo used to be the only "free" antivirus
I use AVG on my windows machines, and Sophos on my Mac. Both free.
Thank you for actually answering the question VS the “just move to linux” crap answer.
I used to use AVG ’till they did the “we’ve mailed you this bill – please pay it” move. Then moved to Comodo as their license was not “$0 for home” – at the time of the licence reading ANYONE could use it. Guess its time to move back to AVG because the bill thing was a crap move, Comodo is worse at this point.
(Sophos and AVG seem to be $0 for “home”. For commercial use….pay up sucka)
Re: Comodo used to be the only
BitDefender, mcafee both have free versions.
What is planned next Comodo?
What sort of devious plans do you still have up your sleeves Comodo? Now that your reputation has been made everyone will be watching you. Try and keep your nose clean.
EFF/Chrome/Firefox death penalty for Comodo
Remove Comodo certs.
Done.
Boycott Comodo. Donate to EFF.
On the positive side, now a lot more people know about Let’s Encrypt.