Comodo, the world’s biggest issuer of browser-trusted digital certificates for websites, has come under fire for registering trademarks containing the words “let’s encrypt,” a phrase that just happens to be the name of a nonprofit project that provides certificates for free.
In a blog post, a Let’s Encrypt senior official said Comodo has filed applications with the US Patent and Trademark Office for at least three such trademarks, including “Let’s Encrypt,” “Let’s Encrypt with Comodo,” and “Comodo Let’s Encrypt.” Over the past few months, the nonprofit has repeatedly asked Comodo to abandon the applications, and Comodo has declined. Let’s Encrypt, which is the public face of the Internet Security Research Group, said it has been using the name since November 2014.
“We’ve forged relationships with millions of websites and users under the name Let’s Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone,” Josh Aas, ISRG executive director, wrote. “We’ve also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion.”
In a post of his own, Comodo founder and CEO Melih Abdulhayoglu made no apologies for the applications.
“If they have right to it then more than happy to comply,” he wrote. “But these kind of Intellectual copyrights can’t be decided over a forum post or Twitter account or trying to get your loyal but ‘blind’ followers to bully another enterprise via their tweets. It won’t work! This is not wild west and there are legal framework and courts for these kind of disputes. So let’s all stop being the judge and jury and follow the law!”
Abdulhayoglu went on to suggest that Let’s Encrypt appropriated a business model Comodo adopted in 2007 that provides a free 90-day digital trial certificate. Let’s Encrypt also offers 90-day certificates, but there’s a key difference. Whereas the 90-day certificate Comodo provides isn’t renewable, those provided by Let’s Encrypt can be renewed an unlimited number of times. Let’s Encrypt has said it sets the lifetime of all certificates it issues to three months to limit the damage that results from key compromises or mis-issuances. Let’s Encrypt certificates can be automatically renewed.
Abdulhayoglu didn’t address the distinction and wrote, “Comodo has provided and built a Free SSL model that give[s] SSL for free for 90 days since 2007! Trying to piggyback on our business model and copying our model of giving certificates for 90 days for free is not ethical.”
Comodo and Abdulhayoglu have made headlines in the past. In February 2015, some versions of “PrivDog,” a privacy application created and promoted by Abdulhayoglu, were found to cause most browsers to trust any self-signed certificate. It was a breathtaking discovery because it left users wide open to easily executed man-in-the-middle attacks that completely bypass HTTPS protections. Nine months later, Comodo revealed that it and several other certificate authorities mistakenly issued credentials for “mailarchive,” “help,” and at least five other forbidden names. Earlier this year, researchers uncovered weaknesses in Comodo Internet Security.