The world’s largest certificate authority, Comodo CA, has changed its name to Sectigo and announced new products. The name change comes less than a year after it was acquired by Francisco Partners. Since then, it has continued to grow its share of the certificate authority market. In doing so it has benefitted from the move by browser vendors to demand websites have a security certificate. It has also continued to benefit from the fallout from Symantec’s disposal of its CA businesses.
In parallel to the growth of its certificate business, Comodo CA has been expanding its product portfolio. It added support for IoT devices in June and made its first acquisition, of CodeGuard.
Enterprise Times (ET) spoke with Bill Holtz, CEO. He told us: “We are growing our certificate business and staying in that market. We added support for IoT security this year. We also acquired CodeGuard to add website backup to our portfolio.”
One of the reasons for the company changing its name is that the recent product direction is bringing it into competition with the remainder of Comodo that Francisco Partners did not acquire. Holtz comments: “We may be on the same path as them in some areas although we have different business approaches.”
Sectigo calls out Google for security certificate approach
One of the drivers behind the significant growth in the security certificate market has been Google. It announced last year that future versions of Chrome would warn about and even block sites not using HTTPS. It also warned that, after the problems at Symantec over certificate management, it would begin distrusting Symantec-issued certificates.
Google Chrome 66 in April began the process of distrusting Symantec certificates. With Google Chrome 70, last month, that process is now complete. Many former Symantec clients moved to other certificate authorities to solve this. However, Holtz said that Google has created another problem and one that may be harder to fix.
There are three types of SSL certificates: Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV). Think of them as different levels of verification of who is behind the site, with DV being the lowest and EV being the gold standard.
According to Holtz: “DV is the lowest level and is the certificate of choice by hackers. The problem is a site that has a DV certificate shows “Secure”. Consumers see “secure” and assume it means safe and oftentimes end up losing their private information or money in cases where they transact cash. The browsers contend that “secure” is intended to say that the link is secure or encrypted to the destination. The problem is the link oftentimes is encrypted or “secure” to a bad site.
“The highest level of certificates EV or Extended Validation is the gold standard. It is used by banks, governments, businesses of all types who take credit cards or personal information on the web.
“That gold standard until recently was represented by a Green address bar. It was therefore easy for a consumer to see that they were communicating with a real business. A DV site simply says that the owner of the site was able to demonstrate that they own the domain. There is no indication that a real business exists behind a DV enabled website. A business that does not exist, and that cannot be validated to exist in government databases, cannot get an EV certificate.”
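The distinction Holtz draws can be checked in a certificate itself: a DV subject names only the domain, an OV subject adds the organisation, and an EV subject carries the identity fields the CA/Browser Forum EV Guidelines require. The following is an added example, not code from the article or from Sectigo; it uses only the Python standard library, assumes the OpenSSL long attribute names that `ssl.getpeercert()` returns, and classifies constructed sample subjects.

```python
# Added example: classify a TLS certificate as DV, OV or EV from its subject.
# Assumption: attribute names are the OpenSSL long names that
# ssl.SSLSocket.getpeercert() returns; the sample subjects are constructed.
import socket
import ssl

# Identity fields the EV Guidelines require in the subject and that OV/DV
# certificates do not carry. "jurisdictionCountryName" is the OpenSSL long
# name for OID 1.3.6.1.4.1.311.60.2.1.3 (assumed).
EV_ONLY_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_to_dict(subject):
    """Flatten getpeercert()'s tuple-of-RDN-tuples into {attribute: value}."""
    return {name: value for rdn in subject for name, value in rdn}


def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' for a getpeercert()-style dict.

    Caveat: a strict EV check also needs the CA's EV policy OID in the
    certificatePolicies extension, which getpeercert() does not expose;
    the subject heuristic here is what a consumer-facing UI could show.
    """
    s = subject_to_dict(cert.get("subject", ()))
    if not s.get("organizationName"):
        return "DV"  # domain control proven, no legal entity identified
    if EV_ONLY_FIELDS <= s.keys():
        return "EV"
    return "OV"


def peer_validation_level(host, port=443):
    """Connect to a live host and classify the certificate it presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return validation_level(tls.getpeercert())


# Constructed samples (not real certificates).
DV_CERT = {"subject": ((("commonName", "shop.example.net"),),)}
OV_CERT = {"subject": ((("countryName", "GB"),), (("localityName", "London"),),
                       (("organizationName", "Example Ltd"),),
                       (("commonName", "www.example.com"),))}
EV_CERT = {"subject": ((("jurisdictionCountryName", "GB"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "01234567"),), (("countryName", "GB"),),
                       (("organizationName", "Example Bank plc"),),
                       (("commonName", "online.examplebank.com"),))}
```

Pointing `peer_validation_level` at a site you operate shows the same classification on a real chain; the constructed samples let the classifier be checked offline.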
The importance of making security simple
While Google has decided that the green bar is no longer relevant, that is not a universal view. Holtz continued: “We believe that there is value in the green bar. Google recently removed the green bar from sites that have an EV certificate. The rationale is a lot of people do not understand the nuances in the address bar so therefore why not just make all certificates appear the same.”
One of the challenges for many users is understanding the nuances between the types of certificates. Sectigo understands the difference and so do many of its customers. Many of them, according to Holtz, get “value from the green bar.”
There is also a misunderstanding in the security community about the strength of the different certificates. Some researchers have invested a lot of time and money to prove that EV can be defeated. However, Holtz says that despite this, there are very few examples showing how it can be broken. He also said: “The people that are for making all certificates appear the same argue that EV does not stop phishing. The fact is phishing sites use DV certificates and not EV. If all consumers understood the significance of the green bar there would be less harm caused on the web.”
What does this mean?
Sectigo changed its name to avoid confusion with the remaining Comodo group. It is now setting itself up to compete in some areas with that organisation. However, it is also looking at a bigger goal. It is already the largest certificate authority around. Now it wants to set the bar higher on how people get a certificate and what it really means.
It may have some help in that. Francisco Partners owns a number of security companies in addition to Sectigo. One of those is SonicWALL, which it purchased from Dell. It has already put Bill Conner, CEO of SonicWALL, on the Sectigo board. This was not a universally welcomed appointment at the time. What it does offer is the possibility that Sectigo and other companies owned by Francisco Partners could begin to fix what Holtz believes Google has broken.
The next few months will be interesting.