Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL certificates go away — and get paid almost US$1 billion in the process.
Browser developers including Google had raised questions about the way Symantec issued SSL certificates, and have threatened to stop recognizing them, a move that could hurt Symantec’s customers and worry visitors to the websites using the affected certificates.
Now Symantec has sold its certificate authority (CA) business to DigiCert for US$950 million and a 30-percent stake in the smaller company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec’s issuance procedures.
DigiCert addressed the issue of browser trust of Symantec certificates head-on in a short news release announcing the acquisition.
“We feel confident that this agreement will satisfy the needs of the browser community,” it said, adding that the company was communicating its intentions to browser developers and would continue to work with them as it closed the transaction.
The most vocal of Symantec’s critics has been Google. Over the last two years or so it has repeatedly criticized Symantec’s procedures for issuing the certificates, which are intended to secure and authenticate communications between websites and browsers, among other applications.
In March, Google accused Symantec of mis-issuing at least 30,000 such certificates, potentially allowing attackers to masquerade as legitimate websites.
Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional actions to authenticate the identity of the entity requesting them. Their purpose is to give website visitors additional confidence that the site is legitimate. Browsers display authenticated identity — a company name, for example — in the address bar alongside the URL of the certified site, in place of the padlock icon that would indicate the site had a regular certificate.
Faced with the prospect of recontacting millions of its customers to renew their certificates ahead of schedule, and revalidating the identity of EV certificate holders, Symantec chose to hand the problem to DigiCert.
Compared to Symantec, DigiCert is a tiny player, with a share of the SSL certificate issuance market of 2.2 percent compared to Symantec’s 14 percent, according to W3Techs. Netcraft puts Symantec’s share of the stricter organization validation certificates at 30 percent and of EV certificates at 40 percent.
DigiCert is set to become much larger, though: Before the acquisition, DigiCert had around 225 staff in the U.S.; after, according to Symantec, DigiCert’s workforce will balloon to over 1,000.
Web browsers automatically trust certificates issued by Symantec and companies like it, but Google has begun steadily scaling back the level of trust in its Chrome browser for older certificates issued by Symantec, a process which will result in security warnings when Chrome users visit some websites.
Over the next year Google plans to issue warnings for more and more of the certificates issued under what it considers insecure processes.
SSL certificates are issued with a fixed validity period, unless revoked sooner, and Google’s initial plan, announced in March, was to begin by distrusting certificates with a validity of over 33 months in Chrome 59, the current version, ratcheting that down to just 9 months in Chrome 64, due early next year. This would have had the effect of requiring all certificates to be reissued after April 2017 in order to continue working with Chrome.
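The validity-length rule described above is the kind of thing a site operator would want to check against their own certificate inventory before a browser release lands. The following is an added example, not code from the article, from Google or from Symantec. It models only the two thresholds the article states (33 months at Chrome 59, 9 months at Chrome 64); the assumptions that intermediate versions keep the 33-month limit, that calendar-month arithmetic matches the browser's check, and that "affected" certificates can be recognised by the issuer organisation name are all this example's own simplifications, and the inventory is constructed sample data.

```python
import calendar
from datetime import datetime

# Validity limits from the article's description of Google's March plan:
# Chrome 59 distrusts affected certificates valid for more than 33 months and
# Chrome 64 lowers that to 9 months. Assumption for this example: versions
# between the two keep the 33-month limit, and versions before 59 apply none.
VALIDITY_LIMITS = {59: 33, 64: 9}

# Issuer organisation names treated as "affected". Constructed placeholder;
# a real audit would match on the actual root and intermediate certificates.
AFFECTED_ISSUERS = {"Symantec Corporation"}


def add_months(dt, n):
    """Return dt shifted forward by n calendar months, clamping the day
    (e.g. 31 Jan + 1 month -> 28 or 29 Feb)."""
    carry, month0 = divmod(dt.month - 1 + n, 12)
    year, month = dt.year + carry, month0 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def validity_exceeds(not_before, not_after, limit_months):
    """True if the certificate is valid for *more than* limit_months.
    Calendar-month arithmetic is this example's approximation of the browser check."""
    if not_after <= not_before:
        raise ValueError("not_after must be later than not_before")
    return not_after > add_months(not_before, limit_months)


def limit_for_chrome(version):
    """Most recent limit introduced at or before the given Chrome version, or None."""
    applicable = [v for v in VALIDITY_LIMITS if v <= version]
    return VALIDITY_LIMITS[max(applicable)] if applicable else None


def chrome_distrusts(cert, chrome_version):
    """Decide whether Chrome at chrome_version would distrust this certificate
    under the plan modelled above. cert is a dict with issuer_org, not_before, not_after."""
    if cert["issuer_org"] not in AFFECTED_ISSUERS:
        return False
    limit = limit_for_chrome(chrome_version)
    if limit is None:
        return False
    return validity_exceeds(cert["not_before"], cert["not_after"], limit)


def flag_inventory(certs, chrome_version):
    """Return the names of certificates in an inventory that would be distrusted."""
    return [c["name"] for c in certs if chrome_distrusts(c, chrome_version)]


# Constructed sample inventory (not real certificates).
SAMPLE_CERTS = [
    {"name": "shop.example", "issuer_org": "Symantec Corporation",
     "not_before": datetime(2016, 1, 1), "not_after": datetime(2018, 12, 31)},  # ~36 months
    {"name": "api.example", "issuer_org": "Symantec Corporation",
     "not_before": datetime(2017, 1, 1), "not_after": datetime(2017, 12, 1)},   # 11 months
    {"name": "intranet.example", "issuer_org": "Symantec Corporation",
     "not_before": datetime(2017, 1, 1), "not_after": datetime(2017, 10, 1)},   # exactly 9 months
    {"name": "blog.example", "issuer_org": "Other CA Ltd",
     "not_before": datetime(2015, 1, 1), "not_after": datetime(2019, 1, 1)},    # long, but not affected
]

if __name__ == "__main__":
    for version in (58, 59, 64):
        print(f"Chrome {version} would distrust: {flag_inventory(SAMPLE_CERTS, version)}")
```

The comparison is done as `not_after > not_before + N months` rather than by counting months and rounding, so a certificate that is exactly nine months long is not flagged while one a single day longer is; that boundary is where rounding-based checks usually go wrong.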
Last week Google’s Chrome team accepted a proposal from Symantec to reissue all certificates by Dec. 1, 2017, linking them to a new root certificate held by an independent Managed Partner Infrastructure. That proposal, however, makes no reference to a pending sale of Symantec’s certificate business.
Pressure on certificate authorities to clean up their act is coming from other directions too. Last year the Certificate Authority Security Council issued new requirements for certificate issuers to get their processes up to scratch.
Although the most visible role of the certificates is in securing access to websites, they can also be used to identify servers to embedded devices in the internet of things, to secure connections to cloud computing services, and to encrypt traffic from smartphone apps.