Symantec Explores Selling Web Certificates Business

Cybersecurity firm Symantec is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet's Google, people familiar with the matter told Reuters. From a report: Google said in March that it was investigating Symantec's failure to properly validate its certificates, which confirm that websites can be trusted. Symantec has called Google's claims "exaggerated and misleading." Symantec is in talks with a small number of companies and private equity firms about the potential sale, three sources said, asking not to be identified because the matter is confidential. There is no certainty that a deal will occur, the sources added.

Kaspersky Lab

[Anonymous Coward]

I think Symantec should sell to Kaspersky.

Re:

[DickBreath]

I would have more trust in Honest Achmed's Certificate Authority of Tehran Iran.

If I run across a website with a *.google.com domain, with a certificate issued by Honest Achmed's, at least I'll know it is safe.

Re: Kaspersky Lab

[zaphirplane]

Because you are a racist? You could have made your point without the racism, if you do have a point other than racism

Re:

[DickBreath]

You might take it as racist. It is not intended to be. The point is that there are global CA's and not all of them can be trusted. An innocent seeming CA like Honest Achmed's, could be controlled by a government that the US might consider unfriendly. I could have called the CA Joe's Bakery, Shoe Shine and Certificate Authority. But that wouldn't quite fit with a foreign nation that I wanted to use to make the point about being considered less than friendly or trustworthy to the US. Or a government tha

What's left?

[omnichad]

What's left after selling that off? Mediocre antivirus?

Fixing it before selling it would get them a little better deal. At this rate, they're heading for a Yahoo-style fire sale with that unit despite their supposed valuation in the article.

Re:What's left?

[Zocalo]

Symantec also own Blue Coat, a security appliance/software vendor with a fairly well regarded product that sometimes gets "misused" in order to facilitate censorship [wikipedia.org] in authoritarian regimes, and the MessageLabs email SaaS platform. I wouldn't expect a Yahoo! style fire sale just yet, especially given that the market for Blue Coat's products (which are definitely not cheap) just seems to keep growing and growing.

Re:

[ElizabethGreene]

>What's left?

OTTOMH, Disk Encryption, Data loss protection, Solidcore, and a bunch of Enterprise security tools.

Re:

[sexconker]

>What's left?

OTTOMH, Disk Encryption, Data loss protection, Solidcore, and a bunch of expensive fluff.

Fixed that for you.

Re:

[thegarbz]

What's left after selling that off? Mediocre antivirus?

Symantec is huge in enterprise services offering everything from security, redundancy, to exchange mail clients for Android with some major multinationals as primary customers.

They have a long way to go before they reach the Yahoo level.

Cisco

[Thelasko]

I think they should sell to Cisco. That way you can't tell if you've been MITM [wikipedia.org] or not. [wikipedia.org]

It's about trust

[ilsaloving]

SSL Certificates is all about trust. If, as a cert authority, you violate that trust in *any* way, then you shouldn't be allowed to sell certificates anymore.

It's destressing the companies like Symantec (and Comodo for that matter) are still in the certificate authority business despite their multiple massive screwups.

Re:

[Archangel Michael]

TBH a Cert Authority cannot validate 100% of Certs 100% of the time. The issue is, what is the resolution/procedure when the inevitable happens. The way to maintain trust when failure happens is, work to solve the issue in a way that designed to restore trust as quickly as possible.

If a company fudges on their responsibility to save money and hide their culpability, then yeah, I would agree with you. But if they go out of their way to solve the problem, and work on making things right, then that exudes trus

Re:

[Anonymous Coward]

So you are saying symantec should be thrown to the wolves for ignoring, denying, downplaying and generally doing as little as possible about the situation. In fact, after google's first complaint they *expanded* the scope of fraudulently supplying certificates.

I just want to be clear, because the way you skirted the point it almost sounded like you thought symantec was worthy or deserving of trust.

Re:

[thegarbz]

TBH a Cert Authority cannot validate 100% of Certs 100% of the time.

No they can't, but in general they don't fail anywhere near as often or as significantly as Symantec did. In general there aren't major problems identified in their processes that other companies are demanding they get fixed. In general they don't cross sign certificates for extended validation from other authorities that haven't been cleared to do so because they lack the processes. In general they don't let several hundred test certificates get out in the wild and if they did they in general they wouldn't

Dispute Not Merely with Google

[DERoss]

So far this calendar year, Symantec has had at least two failures in its operations, failures that had the possibility of creating significant security vulnerabilities for end-users. Mozilla has demanded that Symantec remedy the situation, with Mozilla requiring a clear schedule for implementing the remedies.

"Symantec fails to properly validate certificates"

[hcs_$reboot]

Symantec certificate validation was also developed by the famous symantec anti-virus team. One certificate validation required one day CPU of a whole data center. So they decided to lighten the process.

A web certified CEO...

[__aaclcg7560]

Marissa Mayer should run this business. She might have better luck than Yahoo.

Isn't the whole point of a CA "trust"?

[ErichTheRed]

Maybe Symantec is just trying to get out of the market ahead of the LetsEncrypt announcement that wildcard domain certificates would be available for free shortly. Once your trustworthiness is questioned, that might be the best thing to do.

I admit that I'm pretty much a newbie on public certificates, having spent most of my career in non-web parts of IT. But, isn't the point of buying a certificate from a "real" CA the fact that you can show your customers that the CA took steps to prove your company is your company? And by extension, since your company's cert is issued by a CA that my browser trusts, then there has to be some validation done by the CA. I just went through the process of getting an EV certificate for a project we're working on, and the CA we used certainly spent some effort verifying my company's publically-available information, my employment information and authority to represent the organization before they'd give me the certificate. If a CA gets a reputation for shortcutting this process, or plays fast and loose with how they store their private keys to their issuing certs, then that's the real-world equivalent of a country issuing passports without checking if someone shows up in the country's birth records.

Anyone can stand up a certificate authority and hand out certificates. We (and most other companies with big IT infrastructure) are doing it internally, but the difference is that some browser coming in from the Internet doesn't recognize our internal CA as a trusted root CA. I guess if LetsEncrypt is handing out certificates for free, CAs that can't guarantee they're offering something more trustworthy than that aren't going to be able to charge for issuing little 30K files anymore. LE is certainly going to disrupt the Domain Validation end of the certificate market because there will be a ubiquitous, free and easy way to get certificates -- it's essentially enabling basic SSL/TLS for everyone by getting rid of the cost factor. Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.

Re:

[maestroX]

users don't typically care whether there's a lock icon in the browser bar or what color it is.

You are new to the web parts of IT :-)
LetsEncrypt has its issues because fishers like to use it, because ...

Re:

[thegarbz]

Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.

This is something being fought by the browser vendors. I don't get just a lock when visiting my bank's site. I get half the browser bar talk about the identify of the site I am visiting. Combine that with hiding URLs (the next logical step) and the user issue will be greatly improved.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Free Certificates

[NaCh0]

I'm sure this has nothing to do with Let's Encrypt and Domain Validated Certificates being passed out for free. The market is changing and Symantec is looking for a sucker with a billion dollars.

Re:

[DarkOx]

I assume you are being sarcastic.

I personally have big problems with LE and what they are doing, but that is for another discussion.

LE isn't the first CA to handout free DV certs, they are the first to have the right backers to make the effort happen and showed up at the right time in the wake of the Snowden revelations. They are enjoying some success (for now).

The thing is most people have no idea what EV vs DV means, if they don't get an error they are perfectly happy, some are still looking for the "lit

Re:

[sexconker]

Its shame because DV certs don't really prove much at all IMHO.

Neither do EV certs.

Unless you're physically interacting with a CA and they're physically inspecting you or your systems, why would you trust the "verification" process?
All they ever verify is that your name, domain, business name, are not obviously fake and that your payment goes through. You have stronger verification in place when trying to buy antihistamines.

Re:

[thegarbz]

Its shame because DV certs don't really prove much at all IMHO.

Sure they do. They prove there's an encrypted connection between the client and the server, and that the person presenting themselves on the other hand actually owns the server you're talking to.

Just because they don't give you their full business name doesn't mean it's not miles better than plain texting your way through the ether.

Re:

[DarkOx]

I don't need a third party CA to have an encrypted connection. If my interest is only in ensuring preventing eavesdropping by parties not associated with me or the remote, we can do any number of things; self signed certs being the most obvious.

That situation is rare. Usually anything conversation that requires privacy also requires authenticity. If I am telling secrets I need to know and trust the recipient or at least know the recipient has some interest in keeping my secrets. An eCommerce site as rul

Re:

[thegarbz]

I don't need a third party CA to have an encrypted connection. If my interest is only in ensuring preventing eavesdropping by parties not associated with me or the remote, we can do any number of things; self signed certs being the most obvious.

You'd think so, but some other third party has decided that this is not good enough and made self-signing certs pretty much a non-option unless you intend to only access the other end using a computer where you control the certificate store. Personally I like being able to say access my own cloud or services I host on my computer from *other* people's machine. It's not just a browser warning either. Some programs outright fail if the certificate chain isn't perfect.

That situation is rare. Usually anything conversation that requires privacy also requires authenticity.

Knowing who is in control of the server is

Re:

[DarkOx]

nderstand the difference between security and authenticity.

Congratulations you have proven beyond any doubt you have no idea what security means! I can now ignore you stupid prattling on Slashdot going forward.

C-I-A Confidentiality, Integrity, Authenticity. You need all three!

LE provides exactly no better authentication than self signed certs. Its worthless from a security standpoint, unless you are swapping thumbprints or something out of band to verify the certs, oh wait you could do that with self sig

Re:

[thegarbz]

C-I-A Confidentiality, Integrity, Authenticity. You need all three!

Security is not a "thing" it is a sliding scale. Maybe actually read my comment and learn something. DV certificates provide elements of all three, especially the middle one which was missing from every other cert provider who mostly took it on the good word of your American Dollar that you own a domain.

LE provides exactly no better authentication than self signed certs.

I never said it did. And self-signed certs would be just fine on lots of the internet too if the browser vendors didn't think that encryption should warrant a big fat warning but plain text did not. In many

Re:

[thegarbz]

Probably a mix. With DVs being given out for free these days your only market remains EVs. Would you trust an EV issued by a company who major browsers have issues with, and a company that has fucked up repeatedly in the past few years?

Maybe if people trusted them the whole LetsEncrypt giving out DVs wouldn't be so bad.

Null value

[manu0601]

Who would want so spend money on this before Google has ruled it clean? If Chrome cease to trust Symantec CA, its value drops to zero.