Symantec sells its problem SSL unit to DigiCert for US$1B

DigiCert hopes it can convince browser developers to continue trusting Symantec-issued SSL certificates

Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL  certificates go away -- and get paid almost US$1 billion in the process.

Browser developers including Google had raised questions about way Symantec issued SSL certificates, and have threatened to stop recognizing them, a move that could hurt Symantec's customers and worry visitors to the websites using the affected certificates.

Now Symantec has sold its certificate authority (CA) business to DigiCert for US$950 million and a 30-percent stake in the smaller company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec's issuance procedures.

DigiCert addressed the issue of browser trust of Symantec certificates head-on in a short news release announcing the acquisition.

"We feel confident that this agreement will satisfy the needs of the browser community," it said, adding that the company was communicating its intentions to browser developers and would continue to work with them as it closed the transaction.

The most vocal of Symantec's critics has been Google. Over the last two years or so it has repeatedly criticized Symantec's procedures for issuing the certificates, which are intended to secure and authenticate communications between websites and browsers, among other applications.

In March, Google accused Symantec of mis-issuing at least 30,000 such certificates, potentially allowing attackers to masquerade as legitimate websites.

Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional actions to authenticate the identity of the entity requesting them. Their purpose is to give website visitors additional confidence that the site is legitimate. Browsers display authenticated identity -- a company name, for example -- in the address bar alongside the URL of the certified site, in place of the padlock icon that would indicate the site had a regular certificate.

Faced with the prospect of recontacting millions of its customers to renew their certificates ahead of schedule, and revalidating the identity of EV certificate holders, Symantec chose to hand the problem to DigiCert.

Compared to Symantec DigiCert is a tiny player, with a share of the SSL certificate issuance market of 2.2 percent compared to Symantec's 14 percent, according to W3Techs. Netcraft puts Symantec's share of the stricter organization validation certificates at 30 percent and of EV certificates at 40 percent.  

DigiCert is set to become much larger, though: Before the acquisition, DigiCert had around 225 staff in the U.S.; after, according to Symantec, DigiCert's workforce will balloon to over 1,000.

Web browsers automatically trust certificates issued by Symantec and companies like it, but Google has begun steadily scaling back the level of trust in its Chrome browser for older certificates issued by Symantec, a process which will result in security warnings when Chrome users visit some websites.

Over the next year Google plans to issue warnings for more and more of the certificates issued under what it considers insecure processes.

SSL certificates issued are valid for a fixed period, unless revoked, and Google's initial plan, announced in March, was to begin by distrusting certificates with a validity of over 33 months in Chrome 59, the current version, ratcheting that down to just 9 months in Chrome 64, due early next year. This would have had the effect of requiring all certificates to be reissued after April 2017 in order to continue working with Chrome.

Last week Google's Chrome team accepted a proposal from Symantec to reissue all certificates by Dec. 1, 2017, linking them to a new root certificate held by an independent Managed Partner Infrastructure. That proposal, however, makes no reference to a pending sale of Symantec's certificate business.

Pressure on certificate authorities to clean up their act is coming from other directions too. Last year the Certificate Authority Security Council issued new requirements for certificate issuers to get their processes up to scratch. 

Although the most visible role of the certificates is in securing access to websites, they can also used to identity servers to embedded devices in the internet of things, to secure connections to cloud computing services, and to encrypt traffic from smartphone apps. 

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Peter Sayer

Peter Sayer

IDG News Service
Show Comments

Brand Post

Shining a light on creativity

MSI has long pushed the boundaries of invention with its ever-evolving range of laptops but it has now pulled off a world first with the new MSI Creative 17.

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?