Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/3/2017
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Symantec Sells Digital Certificate Business to DigiCert

$950 million deal comes in the wake of Google sanctions on Symantec certs earlier this year.

Symantec will sell its SSL business to DigiCert for $950 million in a move that lets the security vendor avoid the need to entirely rebuild its digital certificate issuance infrastructure following a series of punitive actions by Google earlier this year.

Under terms of the sale announced this week, in addition to the upfront cash, Symantec will also receive a 30% stake in the common stock of DigiCert.

In a prepared statement, Symantec CEO Greg Clark said the proposed sale would sharpen the company's focus on cloud security. Symantec customers meanwhile will benefit from having a company that offers a modern website PKI platform to handle their digital certificate requirements going forward, he said.

Symantec's board has approved the transaction, which is expected to formally close in the third quarter of fiscal 2018.

The proposed sale makes sense for Symantec and is consistent with the general direction in which the company has been heading recently, says Garrett Bekker, principal security analyst at 451 Research.

"Symantec has spent about $7.5 billion on acquisitions since they got rid of Veritas," and began to focus purely on the cybersecurity market, he says. "They are certainly trying to rationalize their portfolio and get rid of non-core assets."

The plan especially makes sense for Symantec considering the pressure it has been under from Google in recent months, Bekker says.

He was referring to a Google decision from earlier this year to gradually deprecate all Symantec issued digital certificates over the next several months. Google described the decision as being driven by multiple failures on Symantec's part to properly validate its digital certificates before issuance.

Google said that an investigation it conducted showed that Symantec had allowed at least four parties to access its infrastructure and issue certificates with none of the required checks and balances. Google claimed that an inquiry that began with a set of 127 Symantec issued certificates expanded to over 30,000 suspect certificates over multiple years.

Symantec's failure to properly oversee the issuance of these certificates represented a failure by the company to adhere to the standards expected of a Certificate Authority and posed a threat to Google Chrome users, Google claimed. As a result, Chrome would, in a phased manner stop trusting all existing Symantec-issued certificates Google said. Going forward, Symantec would need to replace the certificates with new fully validated ones, Google had said.

Symantec itself characterized Google's claims and misleading and grossly exaggerated. The company claimed that only 127 certificates were identified as mis-issued and not 30,000. Symantec said that Google was singling it out for blame though the mis-issuance involved multiple CAs.

Selling off the certificate business means that Symantec no longer will need to contend with the issue. But "questions about how the certificate infrastructure will evolve if the merger goes through should be uppermost in the minds of customers and partners," says Michael Fowler, president of DigiCert rival Comodo CA. What still remains to be determined for Symantec customers is how the sale will impact Google's decision to deprecate all existing Symantec SSL certificates starting October 2018, he says.

Given the problems that Google has identified with Symantec's infrastructure it is unlikely that DigiCert will use it going forward, Fowler speculates. But DigiCert, as a smaller vendor in this space, does not have the same infrastructure as Symantec, which could be problematic for Symantec's enterprise customers and channel partners, he claims.

Bekker though sees little to no complication for Symantec's customers. "I don't think [the proposed sale] will have much of an impact at all," he says.

Symantec's certificate business will immediately increase DigiCert's market share and make the company one of the biggest players in the PKI and SSL markets, Bekker says. "This will make DigiCert pretty much one of the leaders in terms of revenues," in the digital certificate business.

Related content

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10287
PUBLISHED: 2020-07-15
The IRC5 family with UAS service enabled comes by default with credentials that can be found on publicly available manuals. ABB considers this a well documented functionality that helps customer set up however, out of our research, we found multiple production systems running these exact default cre...
CVE-2020-10288
PUBLISHED: 2020-07-15
IRC5 exposes an ftp server (port 21). Upon attempting to gain access you are challenged with a request of username and password, however you can input whatever you like. As long as the field isn't empty it will be accepted.
CVE-2020-15780
PUBLISHED: 2020-07-15
An issue was discovered in drivers/acpi/acpi_configfs.c in the Linux kernel before 5.7.7. Injection of malicious ACPI tables via configfs could be used by attackers to bypass lockdown and secure boot restrictions, aka CID-75b0cea7bf30.
CVE-2019-17639
PUBLISHED: 2020-07-15
In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling the System.arraycopy method with a length longer than the length of the source or destination array can, in certain specially crafted code patterns, cause the current method to return prematurely with an undefined return value. This...
CVE-2019-20908
PUBLISHED: 2020-07-15
An issue was discovered in drivers/firmware/efi/efi.c in the Linux kernel before 5.4. Incorrect access permissions for the efivar_ssdt ACPI variable could be used by attackers to bypass lockdown or secure boot restrictions, aka CID-1957a85b0032.