Symantec’s Website Security Business Would Now Be DigiCert

‘Symantec sells its problem SSL unit to DigiCert for $1B’- PC World uses this headline for its report on DigiCert’s agreement with Symantec to acquire the latter’s website security business.

The report that follows begins with an observation by the author as to what Symantec perhaps gains out of this deal- “Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL certificates go away — and get paid almost US$1 billion in the process.”

Point to ponder indeed! Symantec was facing issues for quite some time following Google Chrome’s decision to gradually start distrusting its EV SSL certs; and now, this development. Is it a wise move…to get out of the present mess?

The PC World report says- “Browser developers including Google had raised questions about way Symantec issued SSL certificates, and have threatened to stop recognizing them, a move that could hurt Symantec’s customers and worry visitors to the websites using the affected certificates…Now Symantec has sold its certificate authority (CA) business to DigiCert for US$950 million and a 30-percent stake in the smaller company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec’s issuance procedures.”

Well, the news is that Symantec and DigiCert have announced an agreement as per which DigiCert would “…acquire Symantec’s website security business, which includes both the SSL/TLS and IoT business units.” The deal, according to DigiCert, “…is expected to close before the end of the year, pending formal reviews.” The DigiCert blog update also includes a note on the issue surrounding browser trust of Symantec certificates, which says- “Earlier this year, the browsers proposed a plan to limit trust in Symantec certificates after discovering issues with how they were validating and issuing digital certificates.”. It adds, “…we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.”

DigiCert, in its news release on the acquisition agreement, quotes Symantec CEO Greg Clark, who says- “Transitioning our Website Security and related PKI solutions to DigiCert allows us to sharpen our enterprise focus on delivering unparalleled protection for the cloud generation through Symantec’s Integrated Cyber Defense Platform. As our recently announced deals with Fireglass and Skycure demonstrate, we are accelerating the pace of innovation we bring to market through a combination of acquisitions as well as development from the ground up,”

Reuters had reported a few weeks ago that Symantec was contemplating selling its SSL business for more than $1 billion-“Cybersecurity firm Symantec Corp is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet Inc’s Google, people familiar with the matter said…”. So now, the deal has been decided, at “…approximately $950 million in upfront cash proceeds and approximately a 30 percent stake in the common stock equity of the DigiCert business at the closing of the transaction.”

Bleepingcomputer.com observes- “By late 2018, Google was planning to remove trust in all SSL certificates Symantec ever issued. Google was penalizing Symantec because they and Mozilla engineers discovered that the company had mis-issued over 30,000 SSL certificates to the wrong persons/entities. Google gave Symantec a chance to remain on the SSL issuance market, but the company had to issue Symantec-branded certificates through a third-party SSL provider starting December 1, 2017.”. The report adds- “Symantec also had the option to rebuild its SSL issuance business from scratch. The decision to sell was Symantec’s way of avoiding rebuilding its entire business and ride into the sunset with a giant bag of money.”

Well, that’s it, a “giant bag of money”. Symantec seems to have made a gain out of a losing proposition!!!

Well, trade analysts may, of course, say that the reputation damage that Symantec has suffered is immense, and maybe, even irreversible…!!!

Melih Abdulhayoğlu, CEO of Comodo was perhaps right when he stated, rather prophetically, a couple of months ago, “I do see a “change” for Symantec customers, its unavoidable. There will be a new CA providing their certificates and it will not be Symantec!” He evidently didn’t mean DigiCert when he said “new CA”, he knows very well that his own company, which leads the global SSL market, would be a key player in the changed scenario.

The Bleepingcomputer.com post too echoes this view- “Comodo, Symantec’s main rival, is ecstatic about Symantec’s decision to offload its SSL issuance business.”