agsandrew - Fotolia

Symantec Website Security, certificate authority business sold to DigiCert

DigiCert agrees to buy majority stake in Symantec Website Security just days after Google releases an April 2018 distrust date for Symantec certificates.

Just days after concluding months of contentious negotiations between Symantec and Google over the schedule for...

removing trust from Symantec certificates, the antivirus vendor inked a deal to sell a majority stake in its Symantec Website Security business to rival DigiCert Inc.

The sale of Symantec's Website Security business will bring the company approximately $950 million in cash and an approximate 30% minority stake in the common stock equity of DigiCert, which is owned by the private equity firm Thoma Bravo LLC. The sale will not affect Google's schedule for dropping trust in Symantec certificates, which calls for new certificates to be issued by a new Symantec PKI starting Dec. 1, and removes trust in Symantec certificates issued before June 1, 2016, starting April 17, 2018.

"Today, DigiCert and Symantec announced that DigiCert is acquiring the Symantec CA assets, including the infrastructure, personnel, roots, and platforms. At the same time, DigiCert signed a Sub CA [subordinate certificate authority] agreement wherein we will validate and issue all Symantec certs as of Dec 1, 2017," wrote Jeremy Rowley, executive vice president of emerging markets at DigiCert, on Mozilla's developer security policy forum.

"We are committed to meeting the Mozilla and Google plans in transitioning away from the Symantec infrastructure. The deal is expected to close near the end of the year, after which we will be solely responsible for operation of the CA. From there, we will migrate customers and systems as necessary to consolidate platforms and operations while continuing to run all issuance and validation through DigiCert," Rowley wrote. DigiCert will be the only subordinate certificate authority to work on the new Symantec PKI.

After close of the Symantec Website Security sale, DigiCert plans to segregate certificates by type on each root, Rowley said. "Going forward, we will issue all SSL certs from a root while client and email come from different roots. We also plan on limiting the number of organizations on each issuing CA. We hope this will help address the 'too big to fail' issue seen with Symantec," though Rowley added that the "plan is very much in flux," and DigiCert would "love to hear additional recommendations."

DigiCert also plans to add a validation object identifier (OID) to its certificates that will identify which of the CA/Browser Forum's Baseline Requirements methods were used to issue that certificate. "This way the entire community can readily identify which method was used when issuing a cert and take action if a method is deemed weak or insufficient. We think this is a huge improvement over the existing landscape, and I'm very excited to see that OID rolled out," Rowley wrote.

Symantec certificate distrust timeline
PKI and security researcher Carl Mehner posted thisdetailed timeline for Chrome's distrust schedule for Symantec certificates to the Google Chrome blink-dev forum.

Fallout in the CA industry?

While news of the sale brings a certain amount of relief to the uncertainty of Symantec's future as a certificate authority, many questions remain for the industry.

Michael Fowler, president of Comodo CA, the web certificate arm of Comodo Group Inc., told SearchSecurity the sale is likely to be stressful for many. "This represents a huge disruption for businesses of all sizes that rely on Symantec, and associated brands of Thawte, GeoTrust, and RapidSSL, as their primary Certificate Authority," Fowler wrote via email. "Symantec customers and partners are now faced with even more uncertainty with the types of products, capabilities, brand recognition and support they will receive as the Symantec SSL brands transition to another, lesser-known CA."

This represents a huge disruption for businesses of all sizes that rely on Symantec, and associated brands of Thawte, GeoTrust, and RapidSSL, as their primary Certificate Authority.
Michael Fowlerpresident, Comodo CA

It's not clear whether the sale of Symantec Website Security portends greater stability in the certificate authority industry, which has been roiled over the last decade by companies buying and selling CAs. Symantec first got into the business in 2010 when it bought Verisign for $1.28 billion; Thoma Bravo purchased another certificate authority, Entrust Inc., in 2009 for $124 million, only to sell it to Datacard Corp. in 2014 for an undisclosed amount.

Ray Wizbowski, chief marketing officer at Entrust Datacard, told SearchSecurity that since his company's acquisition of Entrust, "The demand for SSL technology has remained strong and the business requirements for strong authentication and encryption continue to expand and explode."

However, while the acquisition shows Thoma Bravo recognizes the importance of SSL certificates, Wizbowski said challenges remain. "This investment will require significant operational improvements necessary to regain trust and these improvements will come with sizable execution efforts to bring Symantec's much larger operations into Digicert," he said.

Distrust schedule for Symantec certificates

Google's announced schedule for distrusting Symantec certificates was pegged to the release of Chrome 66 set for stable release on April 17, 2018; under Google's plan, the Symantec PKI for certificate issuance must be turned over to a third party by Dec. 1, 2017.

Symantec's certificate troubles began in 2015 when it improperly issued certificates for web domains not controlled by Symantec -- including some owned by Google. Since then, over a dozen additional issues related to Symantec's certificate authority business have been uncovered, including allegations that Symantec improperly issued over 30,000 certificates.

Darin Fisher, software engineer at Google, posted a statement summarizing the distrust schedule, which, he wrote, "is intended to be our final plan of action on this matter." While changes in ownership of Symantec Website Security would not be cause for extending the schedule, Fisher noted "if there is new information highlighting additional security risks with this set of certificates, the dates could change to more rapidly distrust the existing certificates." The statement read:

Chrome 66 will distrust Symantec-issued TLS certificates issued before June 1, 2016, which is tentatively scheduled to hit Canary on January 19, 2018; Beta on March 15, 2018; and Stable (the vast majority of Chrome users) on April 17, 2018. Affected site are strongly encouraged to replace their TLS certificates before March 15, 2018 to prevent breakage. Although this is significantly later than our initial proposal of August 2017 and Mozilla's proposal for late 2017, we think it hits an appropriate balance between the security risk to Chrome users and minimizing disruption to the ecosystem. This time will allow clear messaging and scheduling for site operators to update certificates.

In what seems to be acknowledgement that Symantec had been dragging out the process over the past several months, Mozilla developer Gervase Markham wrote on the Mozilla security developer policy forum, prior to the DigiCert acquisition announcement, that "We expect these dates to be hit; we would look dimly on any last-minute requests to move them."

Markham warned the schedule will not be negotiable in the event of "any change of control" in Symantec root certificate operations, including a sale of the Symantec Website Security business, and that Mozilla expected no further delays or disruptions.

"We hope that we can now move swiftly to the implementation phase, and that as it progresses we will see improved levels of security for web users and improved confidence in the WebPKI," he wrote. "We will be expecting and looking for exemplary standards of CA best practice from Symantec in general, and their new PKI in particular, going forward."

Lessons learned on Symantec PKI?

Contacted prior to the announcement of the Symantec Website Security sale, some certificate authority veterans were dubious about the effect of Google's distrust timetable, as well as whether Symantec would be able to comply with it.

"I think this was a negative event from everyone's point of view," Melih Abdulhayoğlu, CEO and chief security architect of Comodo Group Inc., told SearchSecurity. "There are many companies out there who bought into the 'Symantec Brand.' With the new CA, this may no longer be the case," Abdulhayoğlu wrote via email. "If a smaller CA is to provide the certificates going forward, it will be difficult to see how large enterprises could take the 'ongoing risk' of being supported by these smaller CAs."

Doug Beattie, vice president of product management at certificate authority GlobalSign, based in Portsmouth, N.H., offered a different view. "I wouldn't say they are getting away relatively unscathed," he said. "They need to build out entirely new PKI Infrastructure and contract with other CAs for approximately two years to support their certificate issuance, both of which are expensive propositions."

Wizbowski told SearchSecurity that Symantec needs to walk a fine line between protecting browser users on the web while also not causing problems for Symantec customers. "The line that must be navigated is: how to protect browser users, while not harming the site operators, who purchased certificates in good faith to add security for their clients," he said. "Website operators will need sufficient time to respond to this change, in a timely manner, and without an onerous burden of time-sensitive work."

Wizbowski added that "keeping the internet secure and operating, while minimizing confusion and disruption, is in our opinion, the primary objective."

Next Steps

Should enterprises consider moving their PKI in-house?

Find out about the importance of PKI to the internet of things

Follow the timeline for Symantec's certificate authority problems

Dig Deeper on Application and platform security