Update:  Looks like Comodo fixed its classification of the site in an updated report [2]. The site still shows one suspicious scan, but the overall status is "safe". McAfee classifies the site as "minimal risk" but the history still shows a red high risk for web reputation as of today/yesterday.  [3]

--- 

A couple of readers have noticed that "ocsp.comodoca.com" has been labeled as "suspicious" and distributing malware for the last couple of days. In particular Comodo's own site inspector service has been identifying the URL as suspect [1]

OCSP is a newer web service that allows clients to verify if an SSL certificate has been revoked. The older standard, CRL (Certificate Revocation List) required that browsers download the entire list. With OCSP, it is possible to query the status of an individual certificate. The certificate has to have the URL for the respective CRL or OCSP service embedded. 

Many browsers will accept a certificate, even if the OCSP service does not respond. They will only mark it as invalid, if the OCSP service responds with a result marking the certificate as revoked. However, for Extended Validation (EV) certificates, browsers tend to be more specific and require a positive OCSP response.

ocsp.comodoca.com appears to be the valid OCSP URL for Comodo. For example, the certificate used for https://www.comodo.com uses this particular OCSP URL. https://isc.sans.edu uses a Comodo based certificate ("Usertrust") as well, and the OCSP URL used for our certificate, ocsp.usertrust.com appears to be affected. 

[1] http://siteinspector.comodo.com/public/reports/4753361
[2] http://siteinspector.comodo.com/public/reports/4779683
[3] http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=178.255.83.1

Also a good article about this in Dutch can be found here: http://www.security.nl/artikel/42063/1/McAfee_blocks_ocsp.usertrust.com_%28178.255.83.1%29.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter