2017-07-12: Symantec Explores Selling Web Certificates Business (reuters.com)
Cybersecurity firm Symantec is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet's Google, people familiar with the matter told Reuters. From a report: Google said in March that it was investigating Symantec's failure to properly validate its certificates, which confirm that websites can be trusted. Symantec has called Google's claims "exaggerated and misleading." Symantec is in talks with a small number of companies and private equity firms about the potential sale, three sources said, asking not to be identified because the matter is confidential. There is no certainty that a deal will occur, the sources added.
I think Symantec should sell to Kaspersky.
If I run across a website with a *.google.com domain, with a certificate issued by Honest Achmed's, at least I'll know it is safe.
What's left after selling that off? Mediocre antivirus?
Fixing it before selling it would get them a little better deal. At this rate, they're heading for a Yahoo-style fire sale with that unit despite their supposed valuation in the article.
>What's left?
OTTOMH, Disk Encryption, Data loss protection, Solidcore, and a bunch of Enterprise security tools.
SSL certificates are all about trust. If, as a cert authority, you violate that trust in *any* way, then you shouldn't be allowed to sell certificates anymore.
It's distressing that companies like Symantec (and Comodo for that matter) are still in the certificate authority business despite their multiple massive screwups.
TBH a Cert Authority cannot validate 100% of certs 100% of the time. The issue is, what is the resolution/procedure when the inevitable happens? The way to maintain trust when failure happens is to work to solve the issue in a way that is designed to restore trust as quickly as possible.
If a company fudges on their responsibility to save money and hide their culpability, then yeah, I would agree with you. But if they go out of their way to solve the problem, and work on making things right, then that exudes trus
So far this calendar year, Symantec has had at least two failures in its operations, failures that had the possibility of creating significant security vulnerabilities for end-users. Mozilla has demanded that Symantec remedy the situation, with Mozilla requiring a clear schedule for implementing the remedies.
Maybe Symantec is just trying to get out of the market ahead of the LetsEncrypt announcement that wildcard domain certificates would be available for free shortly. Once your trustworthiness is questioned, that might be the best thing to do.
I admit that I'm pretty much a newbie on public certificates, having spent most of my career in non-web parts of IT. But, isn't the point of buying a certificate from a "real" CA the fact that you can show your customers that the CA took steps to prove your company is your company? And by extension, since your company's cert is issued by a CA that my browser trusts, then there has to be some validation done by the CA. I just went through the process of getting an EV certificate for a project we're working on, and the CA we used certainly spent some effort verifying my company's publicly-available information, my employment information and authority to represent the organization before they'd give me the certificate. If a CA gets a reputation for shortcutting this process, or plays fast and loose with how they store their private keys to their issuing certs, then that's the real-world equivalent of a country issuing passports without checking if someone shows up in the country's birth records.
Anyone can stand up a certificate authority and hand out certificates. We (and most other companies with big IT infrastructure) are doing it internally, but the difference is that some browser coming in from the Internet doesn't recognize our internal CA as a trusted root CA. I guess if LetsEncrypt is handing out certificates for free, CAs that can't guarantee they're offering something more trustworthy than that aren't going to be able to charge for issuing little 30K files anymore. LE is certainly going to disrupt the Domain Validation end of the certificate market because there will be a ubiquitous, free and easy way to get certificates -- it's essentially enabling basic SSL/TLS for everyone by getting rid of the cost factor. Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.
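The point made above (anyone can run a CA, but a browser only accepts what chains to a root it already trusts) can be seen in a few lines with Go's standard-library `crypto/x509`. The example below is added here and is not code from the post or from any company named in the thread: it builds a throwaway internal root CA, issues a leaf for a constructed hostname, and then runs the same path validation a client runs against three trust stores: an empty one (an outside browser that has never seen the internal root), one with the root imported (a managed workstation), and the imported root but a different hostname. The CA name and `intranet.example.internal` are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// InternalPKI is a constructed private CA plus one leaf it issued.
// Keys and names are generated on the fly for illustration only.
type InternalPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// NewInternalPKI creates a self-signed root CA and issues a server
// certificate for host, the way an in-house CA would.
func NewInternalPKI(host string) (*InternalPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Internal Root CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &InternalPKI{CA: caCert, Leaf: leafCert}, nil
}

// Classify runs the chain-building and hostname check a browser runs and
// reduces the outcome to a label. roots stands in for the client's trust
// store; an empty pool is a client that has never heard of the internal CA.
func Classify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "unknown-authority"
	case errors.As(err, &badHost):
		return "hostname-mismatch"
	default:
		return "invalid"
	}
}

func main() {
	const host = "intranet.example.internal" // constructed hostname
	pki, err := NewInternalPKI(host)
	if err != nil {
		panic(err)
	}
	empty := x509.NewCertPool()  // outside browser: internal root not present
	withCA := x509.NewCertPool() // managed workstation: root imported
	withCA.AddCert(pki.CA)
	fmt.Println("outside browser:", Classify(pki.Leaf, empty, host))
	fmt.Println("managed client: ", Classify(pki.Leaf, withCA, host))
	fmt.Println("wrong host:     ", Classify(pki.Leaf, withCA, "www.example.com"))
}
```

The third case is the defender's reminder that trust is two checks, not one: a root in the store makes any name that root signs acceptable, so the name check only protects you from a CA that issues for the wrong host if the CA is honest, and the list of roots you import is the actual security boundary.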
having a publicly trusted CA that could -- out of the box -- be used to intercept traffic by a popular piece of hardware that's been sold to Iran and Syria is likely that