Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL certificates go away -- and get paid almost US$1 billion in the process.
Browser developers including Google had raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognizing them, a move that could hurt Symantec's customers and worry visitors to the websites using the affected certificates.
Now Symantec has sold its certificate authority (CA) business to DigiCert for US$950 million and a 30-percent stake in the smaller company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec's issuance procedures.
DigiCert addressed the issue of browser trust of Symantec certificates head-on in a short news release announcing the acquisition.
"We feel confident that this agreement will satisfy the needs of the browser community," it said, adding that the company was communicating its intentions to browser developers and would continue to work with them as it closed the transaction.
The most vocal of Symantec's critics has been Google. Over the last two years or so it has repeatedly criticized Symantec's procedures for issuing the certificates, which are intended to secure and authenticate communications between websites and browsers, among other applications.
In March, Google accused Symantec of mis-issuing at least 30,000 such certificates, potentially allowing attackers to masquerade as legitimate websites.
Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional actions to authenticate the identity of the entity requesting them. Their purpose is to give website visitors additional confidence that the site is legitimate. Browsers display the authenticated identity -- a company name, for example -- in the address bar alongside the URL of the certified site, in place of the padlock icon that would indicate the site had a regular certificate.
Faced with the prospect of recontacting millions of its customers to renew their certificates ahead of schedule, and revalidating the identity of EV certificate holders, Symantec chose to hand the problem to DigiCert.
Compared to Symantec, DigiCert is a tiny player, with a share of the SSL certificate issuance market of 2.2 percent compared to Symantec's 14 percent, according to W3Techs. Netcraft puts Symantec's share of the stricter organization validation certificates at 30 percent and of EV certificates at 40 percent.
DigiCert is set to become much larger, though: Before the acquisition, DigiCert had around 225 staff in the U.S.; after, according to Symantec, DigiCert's workforce will balloon to over 1,000.
Web browsers automatically trust certificates issued by Symantec and companies like it, but Google has begun steadily scaling back the level of trust in its Chrome browser for older certificates issued by Symantec, a process which will result in security warnings when Chrome users visit some websites.