Let's Encrypt Clashes with Comodo Over TrademarkComodo Accuses Let's Encrypt of Copying Business Model
The kerfuffle has drawn widespread criticism of Comodo, one of the largest sellers of digital certificates. Let's Encrypt, a nonprofit project, gives away its certificates.
Let's Encrypt has asked Comodo several times since March to withdraw its applications with the U.S. Patent and Trademark Office, but the company has refused, says Josh Aas, executive director of the Internet Security Research Group, which oversees the project.
"When we found out about this, we were pretty confused why [Comodo] would do that," Aas said in a phone interview. "We reached out but didn't get much of an explanation."
Viewed as a Competitor?
Let's Encrypt has not applied for a trademark with the USPTO, but plans to do so. Aas contends, however, that the organization has established a common law trademark through use of the term.
Aas wrote in a blog post on June 23 that Let's Encrypt will vigorously defend its brand, but that the organization has limited resources to fight Comodo.
Comodo filed on Oct. 16, 2015, for trademarks for three phrases: Let's Encrypt, Let's Encrypt with Comodo and Comodo Let's Encrypt, according to the USPTO.
Comodo's move could signify that it views Let's Encrypt as a competitor because Comodo has a large business selling Secure Sockets Layer/Transport Layer Security certificates.
SSL certificates create an encrypted connection between an application such as a web browser and a server, scrambling information that is exchanged. That's important because unencrypted data could be collected and read by someone with access to the same network. Encryption is active when a padlock is shown in a browser's URL window or "https" appears before a domain name.
The movement to encourage all websites to use SSL certificates gained steam after documents leaked by NSA contractor Edward Snowden in 2013 revealed wide-scale surveillance of the web by the U.S. and U.K. governments.
Let's Encrypt began its engineering work in October 2014 and issued its first certificates around July 2015. The project is supported by the Electronic Frontier Foundation, the Linux Foundation and vendors including Akamai, Cisco, Facebook, HP and Gemalto. ISRG is classified as a public benefit corporation in California, which relies on sponsors, and Let's Encrypt is a non-profit project.
Some observers have expressed dismay at Comodo. "This Comodo/Let's Encrypt craziness is a perfect case study on how to destroy your company in an afternoon," writes Benjamin Bradley, who runs the WordPress plugins site iThemes.com, on Twitter.
Ian Winter, head of technical operations for the media company Venntro, writes on Twitter that after reading of the conflict, he "will actively not choose Comodo moving forward."
Let's Encrypt's domain-validated SSL certificates are free. Comodo offers 90-day trials of SSL certificates, but most of its offerings are for sale.
Comodo officials did not respond to a request for comment. But in Comodo's forums, CEO Melih Abdulhayoglu alleges that Let's Encrypt copied the company's business model of offering a 90-day free trial.
"Trying to piggy back on our business model and copying our model of giving certificates for 90 days for free is not ethical," Abdulhayoglu writes. "They clearly wanted to leverage the market of free SSL users we had helped create."
Aas disagrees, saying that Abdulhayoglu is conflating his company's 90-day trial - which is a commercial offering - with a security decision made by Let's Encrypt to have its certificates expire after 90 days.
"I'm a bit confounded," Aas says. "I don't think under any interpretation you could say that Let's Encrypt and Comodo have the same business model."
Encrypting the Web
Certificates from Let's Encrypt expire after 90 days and must be renewed, but that renewal is still at no charge. Certificates with shorter lives offer better security because some browsers do not necessarily reject ones that have been revoked before they've expired, Aas says.
If a certificate expires, a web browser won't trust it and will display a warning. If an attacker has obtained a private key and certificate, it means there's a smaller window in which the certificate could be fraudulently used even if it has been revoked, Aas says.
Let's Encrypt has issued 5 million SSL certificates of which some 3.8 million certificates are still active. The organization's certificates can be used for more than one domain, and Aas says the active certificates protect more than 7 million domains.
In December, more than 39 percent of web pages were encrypted. Seven months later, that figure is about 45 percent, Aas says.
"That is a really rapid pace of change for the web," Aas says. "The real goal is to get the web to 100 percent encryption, regardless of where people's certs come from."