Comodo calls out Symantec certificate issues, applauds Google
Bill Conner and Bill Holtz, who recently joined Comodo CA as chairman and CEO, respectively, discuss Symantec's certificate issues and their effect on the certificate market.
There's a new leadership team helming Comodo's certificate authority division, and it wasted little time before taking aim at Symantec's certificate issues.
Comodo CA Ltd., the certificate authority arm of Comodo Group Inc., was acquired last fall by private equity firm Francisco Partners. Bill Conner, president and CEO of SonicWall, joined as chairman of Comodo CA, while Bill Holtz, former COO of certificate authority EnTrust and former CIO of Expedia, was named chief executive, replacing former CEO and founder Melih Abdulhayoglu.
Comodo CA's new leadership sees a major opportunity in the certificate authority market after months of controversy regarding Symantec certificate issues. The antivirus vendor was hit with harsh sanctions last year by Google and Mozilla over a "series of failures" regarding misissued certificates and a lack of controls and oversight. Symantec's troubled certificate business was later sold to fellow certificate authority DigiCert.
But the actions taken by Google and Mozilla, which included the incremental removal of trust for Symantec certificates, aren't scaring away Comodo's new leadership team. SearchSecurity spoke with Conner and Holtz recently about why they joined Comodo, what they think of the web browser community's response to Symantec and how the Symantec controversy will affect the certificate market.
Here is part one of the discussion with Conner and Holtz.
How did your involvement with Comodo come together?
Bill Conner: [Abdulhayoglu] and Francisco Partners [FP] and I connected, and I brought in Bill Holtz to help with some of the due diligence. He and I looked at it together. At the end of the day, Thoma Bravo [DigiCert's parent company] got Symantec's certificate business, which is good for them, and FP decided to make an investment in the space with Comodo, which led us to this point.
From that standpoint, it's a net-new security space for FP. They liked [Abdulhayoglu] and what he had built. And [Abdulhayoglu] will still be a minority owner and a board observer, and that's very much key to the future of the company. He's extremely well-connected with all of the pieces of this market, and he and I are both very comfortable in the certificate and PKI [public key infrastructure] business.
Bill Holtz was my COO at EnTrust. And, clearly, I'm running SonicWall, so I'm not going to run two companies, so Bill was a natural fit. He and [Abdulhayoglu] hit it off, and [Holtz] and FP hit it off. My previous working relationship with [Holtz] in this space set up a pretty nice outcome.
Why did you decide to be part of the certificate authority space again, and what kind of factor was the Symantec certificate business in that equation?
Bill Holtz: [Conner] and I had a successful run at EnTrust. There are a number of opportunities we have with Comodo. I was the CIO of Expedia, and as a result, I have a number of friends who are still CIOs.
There's an amazing amount of anger, frustration and denial from customers in terms of what happened with Symantec's certificate business. They're wondering how on earth they put their trust in the biggest player in the space, and today they have to divert time and effort to address the issues with Symantec's business.
Customers invested in that brand, which is now switching to DigiCert, and I think they're still hoping at the 11th hour, things are going to be OK. The march is coming this year. Google starts to pull trust from these older Symantec certificates, and then, in October, when Chrome 70 comes out, they'll pull the rest of the trust [for Symantec's old PKI]. It's really causing a lot of churn in this industry.
I see a lot of anger, I see frustration, I see confusion and I see customers in denial. We have to restore trust in this industry. I think Symantec and DigiCert have their hands full right now. You saw Mozilla's concern about the deal. Who's buying who? They have a tremendous amount of work ahead of them.
On Comodo's side, we're No. 1 in this space in terms of the number of certificates issued; Symantec is No. 1 in terms of revenue because of their enterprise customer base. I want to take what is a very, very good foundation here and turbocharge it.
There's going to be a significant focus on the internet-of-things space with IoT certificates, and we're going to make sure we properly serve our customers. We want to provide that level of service and stability that I think both customers and partners are looking for.
When you saw the issues within Symantec's certificate business that were publicized last year by Google and Mozilla, were you concerned about what you might find within Comodo? Did you take a hard look at the business before joining?
Conner: Absolutely. I can assure you, there was vetting. When EnTrust went private [in 2009], FP looked at us. But at that time, FP couldn't get their head around the PKI certificate business. It just scared them. They didn't know it. And that's how we ended up with Thoma Bravo, and it was a great run for us.
But that's where Thoma Bravo got some experience in this space, and that's why after they sold EnTrust -- which was six-and-a-half times their initial investment and their largest return ever -- they decided they liked the space and went after DigiCert. But the difference this time around was that FP had [Holtz] and myself and a bunch of the talent in the space to help perform real due diligence on, frankly, both assets [Symantec and Comodo]. So, we knew what needed to be done on one and what didn't need to be done on the other.
What was your reaction when you saw Google had announced such severe measures for Symantec's certificates?
Conner: Symantec's problems were happening back in 2013. It's been going on for a while. This wasn't new behavior. You've read it, you've seen it and you wrote about it. This wasn't new.
Holtz: It actually makes me more bullish about this industry. You have to be accountable. We are in the trust business. Now, if Google had woken up one morning and done what they did over one incident, I'd be hugely concerned. But Symantec's problems went on for three years. Three years of Google saying Symantec needed to clean up their act. And instead of cleaning up their act, they poked Google in the eyeball, denied what was going on and didn't fix it.
I think the accountability that Google tried to bring actually reinforces our position, because we do want that kind of vetting, and we do want to be accountable. I think corporate DNA matters. And Symantec's corporate DNA was not in SSL certificates. Its DNA is in security, but a different kind of security. It wasn't in SSL. But they bought those cash cows, put them on the sideline, didn't pay a lot of attention to them and, now, you see the fallout from that.
At Comodo, we're going to stick to our DNA; it's certificates all day, every day. Yes, we're doing IoT certificates. And we'll do full lifecycle management, and we'll offer innovative solutions to our customers, but you'll see us stick to our knitting, and that is certificates.