
Comodo Incident Report – OCR - xnyhps
https://mail-archive.com/dev-security-policy@lists.mozilla.org/msg04654.html
======
lorenzhs
The gist is this: they query whois information for contact email addresses,
which are used for domain ownership verification. For some domains, this
information is only provided in image form via a web service to prevent
scraping. So Comodo ran those images through OCR. However, the OCR system
reproducibly mistook a lowercase L for a 1 if the next symbol was a number, or
1 for a lowercase L if it was followed by a letter. The same applies to 0/O.

The whole concept of OCRing whois ownership info and issuing certificates
based on that seems like a terrible idea...
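
Added example (not part of the comment above or of Comodo's report): a Python model of the context-dependent misread the comment describes, used to list every source string that could lie behind one OCR reading. The substitution rule is a constructed simplification of that description, and the `.example`/`.test` addresses are constructed sample values.

```python
from itertools import product

# Confusable pairs named in the comment: l/1 and 0/O.
PAIRS = {"l": "l1", "1": "l1", "0": "0O", "O": "0O"}


def simulate_misread(text):
    """Constructed model of the misread: the swap depends on the next symbol."""
    out = []
    for i, ch in enumerate(text):
        nxt = text[i + 1] if i + 1 < len(text) else ""
        if nxt.isdigit():
            ch = {"l": "1", "O": "0"}.get(ch, ch)   # letter read as digit
        elif nxt.isalpha():
            ch = {"1": "l", "0": "O"}.get(ch, ch)   # digit read as letter
        out.append(ch)
    return "".join(out)


def possible_originals(ocr_text):
    """Every source string that the model would turn into ocr_text.

    Brute force over the confusable positions; fine for short contact addresses.
    """
    options = [PAIRS.get(ch, ch) for ch in ocr_text]
    candidates = ("".join(c) for c in product(*options))
    return sorted(c for c in candidates if simulate_misread(c) == ocr_text)


def usable_for_validation(ocr_text):
    """Accept an OCR-derived address only if exactly one source string explains it."""
    return possible_originals(ocr_text) == [ocr_text]
```

Under this model even an ordinary `l` followed by a letter is ambiguous, because a true `1` in that position would be read the same way, so most OCR-derived addresses fail the check.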

