Symantec sells its problem SSL unit to DigiCert for US$1B

DigiCert hopes it can convince browser developers to continue trusting Symantec-issued SSL certificates

Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL certificates go away -- and get paid almost US$1 billion in the process.

Browser developers including Google had raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognizing them, a move that could hurt Symantec's customers and worry visitors to the websites using the affected certificates.

Now Symantec has sold its certificate authority (CA) business to DigiCert for US$950 million and a 30-percent stake in the smaller company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec's issuance procedures.

DigiCert addressed the issue of browser trust of Symantec certificates head-on in a short news release announcing the acquisition.

"We feel confident that this agreement will satisfy the needs of the browser community," it said, adding that the company was communicating its intentions to browser developers and would continue to work with them as it closed the transaction.

The most vocal of Symantec's critics has been Google. Over the last two years or so it has repeatedly criticized Symantec's procedures for issuing the certificates, which are intended to secure and authenticate communications between websites and browsers, among other applications.

In March, Google accused Symantec of mis-issuing at least 30,000 such certificates, potentially allowing attackers to masquerade as legitimate websites.

Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional actions to authenticate the identity of the entity requesting them. Their purpose is to give website visitors additional confidence that the site is legitimate. Browsers display authenticated identity -- a company name, for example -- in the address bar alongside the URL of the certified site, in place of the padlock icon that would indicate the site had a regular certificate.

Faced with the prospect of recontacting millions of its customers to renew their certificates ahead of schedule, and revalidating the identity of EV certificate holders, Symantec chose to hand the problem to DigiCert.

Compared to Symantec, DigiCert is a tiny player, with a share of the SSL certificate issuance market of 2.2 percent compared to Symantec's 14 percent, according to W3Techs. Netcraft puts Symantec's share of the stricter organization validation certificates at 30 percent and of EV certificates at 40 percent.

DigiCert is set to become much larger, though: Before the acquisition, DigiCert had around 225 staff in the U.S.; after, according to Symantec, DigiCert's workforce will balloon to over 1,000.

Web browsers automatically trust certificates issued by Symantec and companies like it, but Google has begun steadily scaling back the level of trust in its Chrome browser for older certificates issued by Symantec, a process which will result in security warnings when Chrome users visit some websites.

Over the next year Google plans to issue warnings for more and more of the certificates issued under what it considers insecure processes.

SSL certificates are valid for a fixed period, unless revoked, and Google's initial plan, announced in March, was to begin by distrusting certificates with a validity of over 33 months in Chrome 59, the current version, ratcheting that down to just 9 months in Chrome 64, due early next year. This would have had the effect of requiring all certificates to be reissued after April 2017 in order to continue working with Chrome.

Last week Google's Chrome team accepted a proposal from Symantec to reissue all certificates by Dec. 1, 2017, linking them to a new root certificate held by an independent Managed Partner Infrastructure. That proposal, however, makes no reference to a pending sale of Symantec's certificate business.

Pressure on certificate authorities to clean up their act is coming from other directions too. Last year the Certificate Authority Security Council issued new requirements for certificate issuers to get their processes up to scratch. 

Although the most visible role of the certificates is in securing access to websites, they can also be used to identify servers to embedded devices in the internet of things, to secure connections to cloud computing services, and to encrypt traffic from smartphone apps.


Peter Sayer

IDG News Service