Updated: May 9, 2009
There's been a bit of a buzz in the world of Windows security in the last few weeks, following the decision by Softpedia.com to remove Comodo software from their listing due to licensing problems. Currently, Softpedia flags Comodo software as adware, because of the inclusion of the Ask toolbar with their software security suite.
Since I have listed Comodo as a recommended firewall software on my Sweet list of Windows programs, I decided to check the allegations and see whether the changes align with my own expectations and demands.
I am not going to debate the Softpedia decision or their interpretation of what constitutes as hassle-free installation or their definition of adware. It's their servers, so they have every right to decide what gets hosted and what doesn't. Similarly, I'm not going to go into the details of the cease-and-detest letter sent; I leave the legal issues and publicity stunts to people who expect to make money out of this case.
I will mainly focus on the technical details of Comodo installation and usage. Only at the very end of this article, will I tickle the issue of business practices and morality, as my personal view of how things ought to be. But first, let's get technical.
Before we install Comodo, let's try to understand what toolbars are and how they relate to our computer usage.
Bundled software - what it be?
Bundled software is nothing new. Quite a few programs offer third-party programs with their products, which are usually offered for free. However, to make some money after all, the developers make advertisement deals with other companies and bundle their software with additional stuff, quite often browser add-ons and toolbars.
The reception of toolbars and similar products is not very welcome in the Windows world, following half a decade of notorious abuse of Internet Explorer through ActiveX, Browser Helper Object (BHO) and toolbar installations, often via exploits in the browser engine and lax security settings. Since most of the attempts to take control over Internet Explorer have not been benign to start with and even malicious, the word toolbar causes a sort of a Pavlovian kneejerk effect among many Windows users.
Truth to be told, most toolbars are annoying. They slow down the browsing, they pester with unnecessary functionalities, completely redundant when used with superior browsers like Firefox or Opera, and even introduce privacy issues with E.T. phone home behavior by tracking the Internet usage and reporting it to advertisement centers where consumer experience is wrapped into a proverbial e-turd.
Many advertisement companies understand this - so they make the usage of toolbars optional, in order to avoid lawsuits and general public hatred, as opposed to what used to be mainstream Internet Explorer gangbang several years ago.
Therefore, our first requirement for a toolbar installation is that it MUST be optional. Otherwise, it is a hijacking of user's machine without explicit opt-in agreement.
To put things into perspective, quite a few popular programs use toolbars: CCleaner, IrfanView, Foxit Reader, to name a few. Personally, I use some of these programs and love them very much. However, when I install them I make sure that the toolbars and additional bits I do not need are deselected.
The one additional problem of toolbar inclusion with software is the type of software it comes with and the installation process itself. First of all, the examples mentioned above are not security software. In fact, many security programs flag toolbars as adware, so the bundling of one creates quite a bit of controversy.
Secondly, the installation of software on Windows is done by following a wizard-like process. You go through stages and click on buttons. I would say that it's the users' responsibility to carefully read the different options offered and make sure they select only what they need. There's also the license agreement, which most people never read, but which is there specifically to protect software vendors from users. In other words, if you agree to use someone's software, you agree to be bound by the terms.
These license agreements, often called EULA, are tricky, because they are usually long and written in the slick, lawyer-style language that few people can follow. Software vendors would like you to be bound by them, no matter what they say. Theoretically, an EULA may ask you to give your children in return for the installation. Overall, it might not be a bad idea, but it is not valid in the court. License agreements must address only the aspects specifically related to the product (software) they cover.
So we have a few items to cover: 1) the nature of toolbars - do they bother you physically and emotionally? 2) the installation process - is it tricky or obfuscated to make selection or deselection of additional components ambiguous and difficult? 3) could the license agreement harm your privacy and whatnot if you agree to it?
Now that we know what we're up against, let's install Comodo.
I downloaded the program from the official site and started the typical Windows installation:
Eventually, I reached the bit where you have to read the EULA and accept it. I decided to do more than just click . I installed the program called EULAlyzer, specifically created to analyze license agreements and dissect their content in human-understandable terms. If you think you're dealing with a "fishy" product, rinse it through the EULAlyzer.
I copied Comodo EULA and let EULAlyzer do its work. The results were ... interesting.
Overall, EULAlyzer finds the license agreement to be very long and rich in interesting items, mainly the advertisement, promotional messages, third party software, and privacy issues.
At this stage, you need to ask yourselves whether you're comfortable with such a product, especially considering it's a security program aimed at helping you keep adware or spyware from your machines. In the context of this article, it is important to note that Comodo does inform you about what it intends to do, the gist of the message notwithstanding.
All right, let's continue with the installation.
Now comes the interesting part - the actual configuration of the product. This is where you click Next, Next, Next and pay attention to what you're doing.
On the first screen, you can decide whether you want to install both the firewall and anti-virus components. Both are selected by default. For the sake of this exercise, I am only going to install the firewall.
I left the second screen as it was. In general, I would use the Firewall Only option, as there is no need for the extras.
Now comes the interesting part - Threatcast community. This option gives you the choice to base your answers, later, when the firewall is installed and starts asking you questions, on the average community vote. Kind of democracy, except you place your fate in the hands of the Internet mob.
And this the critical bit - the toolbar step. The three checkboxes are selected by default. This means you will have the toolbar installed, with another EULA you have to agree to, your default search provider will be changed to Ask and your homepage altered to Comodo.
I deselected all three.
And then, the installation continues with several more settings to configure.
Once you're done, reboot.
After the installation
I rebooted and then opened my browsers and the Add/Remove panel to see whether something unwanted has sneaked onto the machine.
Internet Explorer, no toolbar, the homepage is unchanged:
Firefox addons, no Ask thingie:
Add/Remove panel, no third-party surprises:
So, the conclusion is, Comodo software can be installed without any unneeded extras. The extras are selected by default, so you need to pay attention and uncheck them. On a side note, every single software that comes with bundled additions pre-selects them for installation, so this is no different from what Comodo does.
The important thing is, you control the installation and you won't be getting anything you did not choose.
Morality of the whole issue
Now comes the interesting bit. For the sake of the exercise, let's call Comodo bad.
Now, Comodo is not the only security software that comes with additional, unneeded software. One such example is Norton anti-virus. You can read a very interesting thread on the official Norton forums. To make things worse, Norton costs money. And I won't go into the quality of the program.
Then, there's also AVG anti-virus and its Security Toolbar. The last time I tested this product, the toolbar could only be kept away by running the software installation from the command line, using a complicated set of commands. This could have changed since, so I can't say if the difficulty of removal still remains, so take my last paragraph with some reservation.
Antivir, on the other hand, does not install anything extra, but the free version pulls down a promotional poster every single day, bombarding you with useless slogans and corny illustrations:
Adeline has nice features, which is probably why she got onto the poster, but come on, do you really need that sort of stuff on your machine every day? Furthermore, does it not insult your intelligence to read that? Tory, hello, stop downloading cracks, please. And switch to a normal browse, there goes a good lad. Simon, a product manager no less! Gods of the Internet help us. What about plain-text emails ...
This is just a small subset of programs I could think of right now, but I'm sure there are others. Personally, I find the notion of security software using similar methods to those leased by their adversaries to gain userbase and earn more money a little bit disturbing.
Now, to make things even more interesting, Softpedia, in their Comodo report, also provided screenshots of Comodo software identifying the Ask toolbar as adware, when it does not come installed as a part of the bundle, whereas their version is undetected. On the other hand, Softpedia does list AVG and Norton anti-virus in their Windows category.
Furthermore, Comodo also deal in SSL Certificates. They are a trusted Certificate Authority (CA) no less. Y'know, one of those organizations/companies that sign your secure websites, so you can use them without fear of sending your bank account details to an icecream maker in Ghana?
Finally, as a topping, let's not forget Microsoft .NET Assistant that gets buried into Firefox without user's permission whatsoever.
Who to trust, who to trust ...
This brings the whole Windows security thingie into spotlight. Can you really trust the big guys out there, the champions of your security and maidenhood? An even more interesting question is, should I keep Comodo listed on my site?
Well, I did recommend both AVG and Antivir, so in the same context, I see no reason why Comodo should not be there.
As a firewall product, all the extra crud removed, it does its job as expected. It's a reasonable product for the common Windows user who desires an inbound-outbound firewall software. Just like Foxit Reader is phenomenal PDF software and IrfanView is an exceptional image viewer.
So, I'm going to do two things:
One: Keep Comodo as it was. Moral issues aside, it's a decent program. Toolbar-wise, you can install the program without any extras, so you can have a fully functional, free firewall without the anti-virus, HIPS or toolbar components to slow you down. You just have to make sure the uncheck the right boxes when installing. The default selection surely does not make Comodo people Ghandis of the Month, but it's their decision how they wish to make themselves seen in the eyes of the public.
Two: Create a new list of Windows recommended software, with more stringent guidelines as to what constitutes fair game. After all, my sweet list was created two years ago, and while most programs are still relevant, an update is in order.
I will also keep the other software (AVG, Antivir, Foxit, IrfanView, etc) listed as well, as they are good products overall. Security wise, for the average Windows, the basic firewall and anti-virus can do a lot. While security companies definitely sin by exploiting this state of affairs to their advantage, they also give something back to the user. The net balance is that most Windows users benefit from using security programs, even though security is such a simple affair, when you stop to think about it.
Comodo will have to make their own moral balance sheet. I am sure that many security conscious users, especially in the more experienced circles, will stop using or recommending their firewall. The toolbar inclusion is a definite PR fiasco. In the long run, I believe the extra buck won't be worth the reputation. There's no easy money.
Now comes the punchline. What should disappointed, betrayed or disgusted users do. Clearly, Windows security is not as pristine as it seems. What should people who do not wish to have to worry about third-party surprises do?
The answer is very, very corny, and I'm sure you'll hate me for it. It is: Linux, hassle-free, toolbar-free experience all the way. No malware, no adware, no nonsense. Free, in the best sense of the word.