Symantec has found a way to make a dispute with Google over the validity of its TLS and SSL certificates go away, and to get paid almost $1 billion in the process.
Browser developers including Google had previously raised questions about the way Symantec issued SSL certificates, and had threatened to stop recognising them. That would seriously hurt Symantec’s customers and worry visitors to sites that use the affected certificates.
Symantec has now sold its certificate authority business to DigiCert for close to $1 billion, along with a 30 percent stake in the company, leaving DigiCert to pick up the pieces and implement plans to fix Symantec’s issuance procedures.
The people at DigiCert have addressed the issue of browser trust in Symantec certificates head-on in a press release, stating that they feel confident the agreement will satisfy the needs of the browser community. The company has been communicating its intentions to the browser developers and will continue to work alongside them while the transaction closes.
Symantec has had its critics in the past, the most vocal being Google. Over the last couple of years, Google has criticized Symantec’s procedures for issuing the certificates that are intended to secure and authenticate communications between websites and browsers, among other applications.
Back in March (2017) Google accused Symantec of mis-issuing at least 30,000 certificates, potentially allowing attackers to masquerade as legitimate websites. – Worrying right!
Of particular concern are so-called Extended Validation (EV) certificates, for which issuers are supposed to take additional steps to authenticate the identity of the entity requesting them. Their overall purpose is to give website visitors extra confidence that the site they are using is real. For an EV certificate, browsers display the authenticated identity, including the company name, in the address bar alongside the URL of the certified site, rather than only the padlock icon that indicates a site with a regular certificate.
Faced with the prospect of recontacting millions of its existing customers to renew their certificates ahead of schedule, and of revalidating the identity of EV certificate holders, Symantec chose to hand the problem over to DigiCert.
Web browsers automatically trust certificates issued by Symantec and similar companies. However, Google has begun steadily scaling back the trust its Chrome browser places in older certificates issued by Symantec, a process that will result in security warnings when Chrome users visit some websites.
Over this year (2017) Google had plans to issue warnings for more and more certificates issued under what it considers insecure processes.
SSL certificates are valid for a fixed period unless revoked. Google’s initial plan, announced in March (2017), was to begin distrusting Symantec certificates with a validity of over 33 months in Chrome 59, ratcheting that down to just 9 months in Chrome 64, due early next year. This would have had the effect of requiring all such certificates to be reissued after April (2017) in order to continue working with Chrome.
Back in August (2017) Google’s Chrome team accepted a proposal from Symantec to reissue all certificates by December 1, 2017, linking them to a new root certificate held by an independent managed partner infrastructure. That proposal, however, makes no reference to the pending sale of Symantec’s certificate business.
There is pressure on certificate authorities to clean up their act from other directions too. For example, last year the Certificate Authority Security Council issued new requirements for certificate issuers to bring their processes up to scratch.
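A site operator who wanted to know which of their Symantec-issued certificates the schedule above would affect could check each certificate's validity period against the Chrome milestone limits. The following script is an added example, not code from the article, Google or Symantec; it takes the two thresholds (33 months at Chrome 59, 9 months at Chrome 64) from the text, encodes them in a constructed table that stands in for Chrome's actual policy, and runs the check over a constructed list of certificate records. Hostnames and dates in the sample list are invented for illustration.

```python
from datetime import date
from typing import List, Optional, Tuple

# Constructed table of the schedule described in the article: the Chrome
# milestone and the longest validity period (in whole months) that a
# Symantec-issued certificate may have and still be trusted from that
# milestone onward. This is an illustration, not Chrome's real policy code.
MAX_VALIDITY_MONTHS = {59: 33, 64: 9}

# Constructed sample records: (hostname, notBefore, notAfter).
SAMPLE_CERTS: List[Tuple[str, date, date]] = [
    ("old-3yr.example", date(2015, 1, 15), date(2017, 12, 15)),  # 35 months
    ("one-year.example", date(2017, 2, 1), date(2018, 2, 1)),    # 12 months
    ("short.example", date(2017, 5, 1), date(2018, 2, 1)),       # 9 months
]


def validity_months(not_before: date, not_after: date) -> int:
    """Whole calendar months between notBefore and notAfter.

    A partial trailing month is not counted, so a certificate that runs from
    10 June to 5 March of the next year is 8 months, not 9.
    """
    months = (not_after.year - not_before.year) * 12
    months += not_after.month - not_before.month
    if not_after.day < not_before.day:
        months -= 1
    return months


def max_trusted_validity(chrome_version: int) -> Optional[int]:
    """Strictest limit in force at a given Chrome version, or None if no limit."""
    limit = None
    for milestone in sorted(MAX_VALIDITY_MONTHS):
        if chrome_version >= milestone:
            limit = MAX_VALIDITY_MONTHS[milestone]
    return limit


def is_trusted(not_before: date, not_after: date, chrome_version: int) -> bool:
    """True if a certificate of this validity period is still trusted."""
    limit = max_trusted_validity(chrome_version)
    if limit is None:
        return True
    return validity_months(not_before, not_after) <= limit


def audit(certs: List[Tuple[str, date, date]],
          chrome_version: int) -> List[Tuple[str, int]]:
    """Return (hostname, validity_months) for every cert that would trigger
    a warning in the given Chrome version."""
    flagged = []
    for host, not_before, not_after in certs:
        if not is_trusted(not_before, not_after, chrome_version):
            flagged.append((host, validity_months(not_before, not_after)))
    return flagged


if __name__ == "__main__":
    for version in (58, 59, 64):
        print(f"Chrome {version}: {audit(SAMPLE_CERTS, version)}")
```

Under Chrome 58 nothing is flagged; at Chrome 59 only the 35-month certificate is; at Chrome 64 the 12-month certificate joins it, while the 9-month one sits exactly on the limit and stays trusted. Note that the real Chrome plan also depended on when a certificate was issued, which this illustration leaves out.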
Although the most visible role of the certificates is in securing access to websites, they can also be used to identify servers to embedded devices in the internet of things, to secure connections to cloud computing services and to encrypt traffic from smartphone apps.