
Certificate authority business undergoes major changes

News roundup: Comodo and Symantec sales signal important changes in the certificate authority business. Plus, an Oracle vulnerability gets a CVSS score of 10.0, and more.

Significant changes are underway in the certificate authority industry with two recent acquisitions leading the...

Comodo Group Inc. announced earlier this week it had agreed to sell its certificate authority business Comodo CA Ltd. to equity firm Francisco Partners. Comodo is the leading certificate authority business in the market today, having issued 91 million SSL certificates to more than 200,000 customers.

Bill Holtz, the former COO of security company Entrust Datacard Corp., has been named the new CEO for Comodo's certificate authority business, and Bill Conner will chair the board of directors. Conner is currently the president and CEO of SonicWall, a vendor of security appliances including SSL proxy boxes that is also owned by Francisco Partners. Comodo founder Melih Abdulhayoglu will remain a minority owner and board observer.

"The alignment of the Comodo CA acquisition with the current market demand for trusted certificates and certificate lifecycle management signals a monumental opportunity for all parties," Holtz said in a press statement. "The need to responsibly provide the required verification, oversight and operational management to encrypt network traffic and identify websites will only grow."

Francisco Partners also owns NSO Group, the maker of government spyware and surveillance technologies that is believed to be behind the Pegasus malware, so Comodo's sale to the firm has raised concerns within the security community.

Further changes to the certificate authority industry

Another company ushering in changes for the certificate authority industry is Symantec. After a series of missteps with its TLS certificates, Symantec has sold its certificate authority business to DigiCert Inc. for $950 million and a 30% stake in DigiCert's stock. The sale, which was announced in August, was finalized earlier this week.

"Today starts an exciting era for the current customers and partners of both Symantec and DigiCert," said DigiCert CEO John Merrill in a press release. "For Symantec customers, they can feel assured that they will have continuity in their website security, and that we will provide a smooth transition. Our customers and partners will benefit from our accelerated investment in products and solutions for SSL, PKI [public key infrastructure] and [the internet of things]."

Symantec's struggles with certificates may require more than a smooth transition of the business to a new owner. Web browser giants Mozilla and Google have previously said that certificates issued by Symantec would no longer be trusted and that all of them would need to be replaced with certificates issued by a different CA. Now, Mozilla is expressing additional concerns about the DigiCert purchase.

"It would not be appropriate for a CA to escape root program sanction by restructuring, or by purchasing another CA through M&A [mergers and acquisitions] and continuing operations under that CA's name, essentially unchanged," said Gervase Markham, an engineer at Mozilla, in a statement. "And examination of historical corporate merger and acquisition activity, including deals involving Symantec, shows that it's possible for an M&A billed as the 'purchase of B by A' to end up with name A and yet be mostly managed by the executives of B."

Markham went on to urge DigiCert not to allow Symantec to have any power in the certificate authority business going forward. "We would be concerned if the management of the combined company, particularly that part of it providing technical and policy direction and oversight of the PKI, were to appear as if Symantec were the controlling CA organization in the merger."

In other news

  • New research found that malware creators are abusing digital code-signing certificates. Researchers from the University of Maryland, Doowon Kim, Bum Jun Kwon and Tudor Dumitras, looked at digitally signed malware that can bypass security measures to install or launch programs with valid signatures. The attack method is similar to that of Stuxnet, but goes even further. In their paper "Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI," the researchers noted that the threats behind this include "stealing the private keys associated with benign certificates and using them to sign malware or by impersonating legitimate companies that do not develop software and, hence, do not own code-signing certificates." The flaw affects 34 antivirus products, and malware samples that use this method are also common in the wild.
  • Oracle is recommending that users apply updates immediately for a vulnerability in Oracle Identity Manager that received a Common Vulnerability Scoring System score of 10.0, the highest possible severity score. The vulnerability, tracked as CVE-2017-10151, enables attackers to completely compromise Oracle Identity Manager "via an unauthenticated network attack," according to Oracle's advisory. The advisory also notes that the flaw is "easily exploitable" and "may be exploited over a network without requiring user credentials." The advisory, however, doesn't include further details about the issue, and it strongly suggests that users apply a workaround, though a patch seems to be on the way.
  • The hacker behind Operation #LeakTheAnalyst, which targeted FireEye employees, was arrested at the end of October. "For the past 90 days, we have worked closely with law enforcement, both domestically and internationally, to assist in the investigation and identification of the anonymous person who is responsible for the attack on one of our employees and who falsely claimed to have breached our corporate networks," said FireEye CEO Kevin Mandia. Operation #LeakTheAnalyst took place earlier this year, when a hacker who identified as 31337 Hackers released batches of files on security companies and researchers, most of which came from the personal computer of a FireEye employee. While the hacker claimed to have breached the systems of FireEye and Mandiant, FireEye said there is no evidence that this is true.
