It’s been a bad couple of years for Symantec and its certificate business. After several breaches and a very public spat with Google, Symantec sold its certificate business in August 2017 to DigiCert. While the business is no longer owned or operated by Symantec it does retain the company’s branding. The hope was that the sale would draw a line under Symantec’s problems. It seems that it is not to be.
Last week, Trustico announced that it will: “..cease to offer Symantec branded SSL Certificates : Symantec, GeoTrust, Thawte and RapidSSL in the lead up to launching their new website trust seals and Trustico branded SSL Certificates.”
Why has Trustico done this?
The answer is simple – to protect its own business. On 31st January Google updated its Security Blog where it first announced its intention to stop trusting Symantec branded certificates. It stated: “Starting with Chrome 66, Chrome will remove trust in Symantec-issued certificates issued prior to June 1, 2016. Chrome 66 is currently scheduled to be released to Chrome Beta users on March 15, 2018 and to Chrome Stable users around April 17, 2018.”
For Trustico this was a red flag that it could not ignore. According to Zane Lucas, Director, Trustico: “The products and services that Trustico provide are those that the internet community trust and rely upon. It’s important for Trustico to ensure that those products and services maintain high security levels, are free from defect and instil consumer confidence at all times. Unfortunately, due to the recent security events involving Symantec, the brand is one that Trustico believes can no longer offer those high security levels.”
In abandoning Symantec, Trustico will focus on its business relationship with Comodo. This should come as no surprise. On the same day that DigiCert acquired the Symantec CA business, Comodo announced it had sold a majority holding in its CA business to Francisco Partners. That sale saw Francisco Partners invest heavily in Comodo’s CA business including appointing a new CEO.
Trustico is not abandoning its Symantec customers. Instead it will offer them an alternative certificate when they order an update. It is also offering a new product, the Trustico Website Trust Seal and its own branded SSL Certificates. The latter are likely to be rebranded Comodo certificates. This will further strengthen Comodo’s position in the CA market.
Why does this matter?
Where Google goes, others follow. The damage to the former Symantec business refuses to go away and if DigiCert thought they could change Google’s mind, it seems they’ve failed. Although Google has said this is about older certificates, few customers will actually care.
Google has made it clear that those websites with an SSL Certificate get better rankings. Website designers and operators are now likely to be in scramble mode to prevent customers with Symantec branded certificates taking a hit on their Google rankings.
Trustico is just the first major provider of Symantec branded certificates to accelerate its customers move to alternative certificates. The next few weeks will show what DigiCert plans to do to restore confidence in the brand.
Trustico have made the right move and have been very vocal. I work at DigiCert and what’s happening here is that after the acquisition Symantec then bought 30% of DigiCert – then the Symantec management team were employed by DigiCert to run the business. This is a total sham which Symantec performed to get around the Google issue. This company is no longer reputable in my eyes and operates with its legacy management team (the ones that caused the issue to begin with).