After more than a year of problems in its digital certificate business, Symantec has finally found a buyer. The company has announced that DigiCert will acquire its Website Security and related PKI solutions. The sale will net Symantec $950 million plus a 30% equity stake in DigiCert’s common stock. As DigiCert is a privately held company, the final figure for the deal is unclear. This deal should also help Symantec draw a line under its troubles in this area.
Symantec CEO Greg Clark said: “We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation. I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions. Symantec is deeply committed to the success of this transition for our customers.”
Why is Symantec doing this?
Symantec has had a number of serious issues at this business unit. In March, it was taken to task in public by Google for mis-issuing more than 30,000 HTTPS certificates. A resolution between the two companies meant that Symantec would no longer issue certificates directly. Instead, they would have to be issued by Managed Certificate Authorities (MCAs). This move added significant process and administrative costs to the business. It also meant that Symantec would have to give up a lot of the profit to the MCAs.
Two weeks ago, digital certificate giant Comodo raised the stakes. It offered free certificates to organisations that had purchased from the Symantec business units Thawte, GeoTrust and RapidSSL. Since then, Comodo has reported that a large number of customers have defected to it from Symantec.
This raises the question of what value there is in this business for DigiCert. There is no sign yet that Google will change its approach over the issuing of certificates. It may choose to see DigiCert as an MCA and therefore trust it. However, as the staff and processes at Thawte, GeoTrust and RapidSSL are being transferred to DigiCert, the problems that caused the March issue have not gone away. Google will want to be convinced that things have improved before it changes its position.
According to Michael Fowler, president, Comodo CA: “This represents a huge disruption for businesses of all sizes that rely on Symantec, and associated brands of Thawte, GeoTrust, and RapidSSL, as their primary Certificate Authority (CA). Symantec customers and partners are now faced with even more uncertainty with the types of products, capabilities, brand recognition and support they will receive as the Symantec SSL brands transition to another, lesser-known CA.”
What does this mean?
Digital certificates are supposed to make the Internet safer, especially for consumers. Over the last few years there have been a number of high-profile breaches of digital certificate authorities. Fake certificates are in circulation and are prized by hackers. They use them to create websites that look trustworthy but do little more than distribute malware and steal credit card data.
This is one of the reasons why Google came down so hard on Symantec. It wants to reassure users that the green padlock it uses to indicate a safe site can be trusted. What isn’t clear is how it will respond to this announcement.
Will they reassure those customers who have yet to move away from Thawte, GeoTrust and RapidSSL? It’s too soon to say. If DigiCert can manage a smooth transition and get Google to lift its sanctions against the CAs, that will help. This deal won’t be complete for a few months yet. During that time, DigiCert will be keen to resolve the Google sanctions. If it cannot do that, and if customers continue to go elsewhere, we may see a different number when the deal is completed.