Slashdot Mirror


Symantec Explores Selling Web Certificates Business (reuters.com)

Cybersecurity firm Symantec is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet's Google, people familiar with the matter told Reuters. From a report: Google said in March that it was investigating Symantec's failure to properly validate its certificates, which confirm that websites can be trusted. Symantec has called Google's claims "exaggerated and misleading." Symantec is in talks with a small number of companies and private equity firms about the potential sale, three sources said, asking not to be identified because the matter is confidential. There is no certainty that a deal will occur, the sources added.

41 comments

  1. Kaspersky Lab by Anonymous Coward · · Score: 1

    I think Symantec should sell to Kaspersky.

    1. Re:Kaspersky Lab by DickBreath · · Score: 2

      I would have more trust in Honest Achmed's Certificate Authority of Tehran Iran.

      If I run across a website with a *.google.com domain, with a certificate issued by Honest Achmed's, at least I'll know it is safe.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re: Kaspersky Lab by zaphirplane · · Score: 1

      Because you are a racist? You could have made your point without the racism, if you do have a point other than racism

    3. Re: Kaspersky Lab by DickBreath · · Score: 1

      You might take it as racist. It is not intended to be. The point is that there are global CA's and not all of them can be trusted. An innocent seeming CA like Honest Achmed's, could be controlled by a government that the US might consider unfriendly. I could have called the CA Joe's Bakery, Shoe Shine and Certificate Authority. But that wouldn't quite fit with a foreign nation that I wanted to use to make the point about being considered less than friendly or trustworthy to the US. Or a government that might have a reason to try to hack Google, or Apple, or Microsoft. I could have used a Chinese name and China. Or Russia. You would have called it racist nonetheless.

      --

      I'll see your senator, and I'll raise you two judges.
  2. What's left? by omnichad · · Score: 2

    What's left after selling that off? Mediocre antivirus?

    Fixing it before selling it would get them a little better deal. At this rate, they're heading for a Yahoo-style fire sale with that unit despite their supposed valuation in the article.

    1. Re:What's left? by Zocalo · · Score: 3, Informative

      Symantec also own Blue Coat, a security appliance/software vendor with a fairly well regarded product that sometimes gets "misused" in order to facilitate censorship in authoritarian regimes, and the MessageLabs email SaaS platform. I wouldn't expect a Yahoo! style fire sale just yet, especially given that the market for Blue Coat's products (which are definitely not cheap) just seems to keep growing and growing.

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:What's left? by ElizabethGreene · · Score: 1

      >What's left?

      OTTOMH, Disk Encryption, Data loss protection, Solidcore, and a bunch of Enterprise security tools.

    3. Re:What's left? by Anonymous Coward · · Score: 0

      But Symantec's CA business is good for BlueCoat's ProxySG SSL/TLS MitM.

      In all seriousness though, that is probably the reason why they are looking to sell it, to gain more trust.

    4. Re:What's left? by sexconker · · Score: 1

      >What's left?

      OTTOMH, Disk Encryption, Data loss protection, Solidcore, and a bunch of expensive fluff.

      Fixed that for you.

    5. Re:What's left? by thegarbz · · Score: 2

      >What's left after selling that off? Mediocre antivirus?

      Symantec is huge in enterprise services offering everything from security, redundancy, to exchange mail clients for Android with some major multinationals as primary customers.

      They have a long way to go before they reach the Yahoo level.

  3. Cisco by Thelasko · · Score: 1

    I think they should sell to Cisco. That way you can't tell if you've been MITM or not.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  4. It's about trust by ilsaloving · · Score: 5, Insightful

    SSL Certificates is all about trust. If, as a cert authority, you violate that trust in *any* way, then you shouldn't be allowed to sell certificates anymore.

    It's distressing that companies like Symantec (and Comodo for that matter) are still in the certificate authority business despite their multiple massive screwups.

    1. Re:It's about trust by Archangel+Michael · · Score: 1

      TBH a Cert Authority cannot validate 100% of Certs 100% of the time. The issue is, what is the resolution/procedure when the inevitable happens. The way to maintain trust when failure happens is to work to solve the issue in a way that is designed to restore trust as quickly as possible.

      If a company fudges on their responsibility to save money and hide their culpability, then yeah, I would agree with you. But if they go out of their way to solve the problem, and work on making things right, then that exudes trust IMHO.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:It's about trust by Anonymous Coward · · Score: 1

      So you are saying symantec should be thrown to the wolves for ignoring, denying, downplaying and generally doing as little as possible about the situation. In fact, after google's first complaint they *expanded* the scope of fraudulently supplying certificates.

      I just want to be clear, because the way you skirted the point it almost sounded like you thought symantec was worthy or deserving of trust.

    3. Re:It's about trust by thegarbz · · Score: 2

      >TBH a Cert Authority cannot validate 100% of Certs 100% of the time.

      No they can't, but in general they don't fail anywhere near as often or as significantly as Symantec did. In general there aren't major problems identified in their processes that other companies are demanding they get fixed. In general they don't cross sign certificates for extended validation from other authorities that haven't been cleared to do so because they lack the processes. In general they don't let several hundred test certificates get out in the wild and if they did, they in general wouldn't use high profile domains to test like www.google.com.

      This isn't a 100% of cases 100% of the time issue. This is an issue of gross incompetence for a certificate authority.

    4. Re:It's about trust by Archangel+Michael · · Score: 0

      I would class that as "If a company fudges on their responsibility ..." so you are correct "thrown to the wolves". The problem is, Symantec is trusted by people who don't know any better (CEO/PHB)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  5. Dispute Not Merely with Google by DERoss · · Score: 4, Insightful

    So far this calendar year, Symantec has had at least two failures in its operations, failures that had the possibility of creating significant security vulnerabilities for end-users. Mozilla has demanded that Symantec remedy the situation, with Mozilla requiring a clear schedule for implementing the remedies.

  6. "Symantec fails to properly validate certificates" by hcs_$reboot · · Score: 2

    Symantec certificate validation was also developed by the famous symantec anti-virus team. One certificate validation required one day CPU of a whole data center. So they decided to lighten the process.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  7. A web certified CEO... by __aaclcg7560 · · Score: 1

    Marissa Mayer should run this business. She might have better luck than Yahoo.

    1. Re:A web certified CEO... by Anonymous Coward · · Score: 0

      Marissa Mayer is web certified in the same way as a black widow spider is web certified.

  8. Isn't the whole point of a CA "trust"? by ErichTheRed · · Score: 4, Interesting

    Maybe Symantec is just trying to get out of the market ahead of the LetsEncrypt announcement that wildcard domain certificates would be available for free shortly. Once your trustworthiness is questioned, that might be the best thing to do.

    I admit that I'm pretty much a newbie on public certificates, having spent most of my career in non-web parts of IT. But, isn't the point of buying a certificate from a "real" CA the fact that you can show your customers that the CA took steps to prove your company is your company? And by extension, since your company's cert is issued by a CA that my browser trusts, then there has to be some validation done by the CA. I just went through the process of getting an EV certificate for a project we're working on, and the CA we used certainly spent some effort verifying my company's publicly-available information, my employment information and authority to represent the organization before they'd give me the certificate. If a CA gets a reputation for shortcutting this process, or plays fast and loose with how they store their private keys to their issuing certs, then that's the real-world equivalent of a country issuing passports without checking if someone shows up in the country's birth records.

    Anyone can stand up a certificate authority and hand out certificates. We (and most other companies with big IT infrastructure) are doing it internally, but the difference is that some browser coming in from the Internet doesn't recognize our internal CA as a trusted root CA. I guess if LetsEncrypt is handing out certificates for free, CAs that can't guarantee they're offering something more trustworthy than that aren't going to be able to charge for issuing little 30K files anymore. LE is certainly going to disrupt the Domain Validation end of the certificate market because there will be a ubiquitous, free and easy way to get certificates -- it's essentially enabling basic SSL/TLS for everyone by getting rid of the cost factor. Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.

    1. Re:Isn't the whole point of a CA "trust"? by maestroX · · Score: 1

      >users don't typically care whether there's a lock icon in the browser bar or what color it is.

      You are new to the web parts of IT :-)
      LetsEncrypt has its issues because phishers like to use it, because ...

    2. Re:Isn't the whole point of a CA "trust"? by Anonymous Coward · · Score: 0

      Yeah, and Symantec has issues because criminals like to use them. What was your point again?

    3. Re:Isn't the whole point of a CA "trust"? by thegarbz · · Score: 1

      >Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.

      This is something being fought by the browser vendors. I don't get just a lock when visiting my bank's site. I get half the browser bar talking about the identity of the site I am visiting. Combine that with hiding URLs (the next logical step) and the user issue will be greatly improved.

  9. this roads left only half paved. by nimbius · · Score: 2

    Symantec's original idea behind the certificate authority business itself was to create an out of the box condition for its Blue Coat product to work in any environment. Blue Coat does TLS termination/snooping and as such requires extensive work in corporate PKI to inject trusted certs into the browser trust and cert trust for machines.

    Having a publicly trusted CA that could -- out of the box -- be used to intercept traffic by a popular piece of hardware that's been sold to Iran and Syria is likely what made Google furious. It's also worth considering that Symantec considered a PKI authority to be just another "business acquisition" that would fly under the radar, only to be confronted with a voraciously defensive internet that was working to ensure TLS could not be tampered with.

    Ultimately, Google started fishing for legitimate RFC and industry based reasons to blackball their CA. Symantec is likely getting exhausted by all the auditing and security required to maintain what was, after all, originally just intended to help customers who want to snoop on their employees and citizens.

    --
    Good people go to bed earlier.
    1. Re:this roads left only half paved. by Anonymous Coward · · Score: 0

      Symantec purchased the SSL business a loooong time before the acquisition of BlueCoat so there is no way for you to argue this way.

  10. Free Certificates by NaCh0 · · Score: 1

    I'm sure this has nothing to do with Let's Encrypt and Domain Validated Certificates being passed out for free. The market is changing and Symantec is looking for a sucker with a billion dollars.

    1. Re:Free Certificates by DarkOx · · Score: 1

      I assume you are being sarcastic.

      I personally have big problems with LE and what they are doing, but that is for another discussion.

      LE isn't the first CA to handout free DV certs, they are the first to have the right backers to make the effort happen and showed up at the right time in the wake of the Snowden revelations. They are enjoying some success (for now).

      The thing is most people have no idea what EV vs DV means, if they don't get an error they are perfectly happy, some are still looking for the "little lock" in the corner. For most organizations there is no value proposition in something better than an LE cert. So you are probably right the bottom is about to fall out of the "certificate market".

      It's a shame because DV certs don't really prove much at all IMHO.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    2. Re:Free Certificates by sexconker · · Score: 2

      >It's a shame because DV certs don't really prove much at all IMHO.

      Neither do EV certs.

      Unless you're physically interacting with a CA and they're physically inspecting you or your systems, why would you trust the "verification" process?
      All they ever verify is that your name, domain, business name, are not obviously fake and that your payment goes through. You have stronger verification in place when trying to buy antihistamines.

    3. Re:Free Certificates by thegarbz · · Score: 1

      >It's a shame because DV certs don't really prove much at all IMHO.

      Sure they do. They prove there's an encrypted connection between the client and the server, and that the person presenting themselves on the other hand actually owns the server you're talking to.

      Just because they don't give you their full business name doesn't mean it's not miles better than plain texting your way through the ether.

    4. Re:Free Certificates by thegarbz · · Score: 1

      Probably a mix. With DVs being given out for free these days your only market remains EVs. Would you trust an EV issued by a company that major browsers have issues with, and a company that has fucked up repeatedly in the past few years?

      Maybe if people trusted them the whole LetsEncrypt giving out DVs wouldn't be so bad.

    5. Re:Free Certificates by DarkOx · · Score: 1

      I don't need a third party CA to have an encrypted connection. If my interest is only in preventing eavesdropping by parties not associated with me or the remote, we can do any number of things; self signed certs being the most obvious.

      That situation is rare. Usually any conversation that requires privacy also requires authenticity. If I am telling secrets I need to know and trust the recipient or at least know the recipient has some interest in keeping my secrets. An eCommerce site as a rule wants to protect my CC number because they might lose the ability to process cards if they fail to do so, or lose business in general.

      If I don't know that site is real though because some horse shit CA like Let's Encrypt is happy to issue a cert for ExamplAutoparts.com when ExampleAutoparts.com is a major e-tailer, and some asshole can clone the site and host it at ExamplAutoparts.com that sucks. With DV certs and especially with fully robotic signing like LE does that is possible. Actually they are known to have issued thousands of PayPal typo squats. At least with EV certs some validation that you are a sort of legitimate operator with at least a real address and phone number means I have someone to sue.

      Then let's consider that LE does not even really do DV in most cases, they only check you control the server.... Which is more likely to be compromised, a third party DNS provider or any given wannabe admin's VPS server somewhere.... An attacker could rather quietly do the needful to obtain an LE certificate from a compromised site and remove all the evidence before anyone notices. That is at least a little harder with the DV that more traditional CAs usually do.

      F***K LE and the horse they rode in on.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
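The typo-squat risk raised in the post above (a DV certificate for ExamplAutoparts.com sitting next to ExampleAutoparts.com) is one a domain owner can watch for directly, because publicly trusted certificates are logged to Certificate Transparency. The Python below is an added example written for this thread; it is not code from the thread, from Let's Encrypt or from Symantec. It takes a batch of host names as they might arrive from a CT monitor and flags look-alikes of a monitored brand using confusable folding plus a one-edit optimal-string-alignment distance. The brand `exampleautoparts.com`, every sample name and the confusable table are constructed assumptions for this example.

```python
# Added example (not from the Slashdot thread): triage of names from a
# Certificate Transparency feed for look-alikes of a domain you defend.
# All names below are constructed for this example; none are real CT entries.

SAMPLE_CT_NAMES = [
    "exampleautoparts.com",        # the monitored brand itself: expected
    "www.exampleautoparts.com",    # a subdomain of the brand: expected
    "examplautoparts.com",         # dropped letter (the pattern the post describes)
    "exampleautoparst.com",        # adjacent letters transposed
    "exarnpleautoparts.com",       # "rn" renders like "m"
    "examp1eautoparts.com",        # digit 1 in place of letter l
    "exampleautoparts-login.com",  # brand embedded in a longer label
    "exampleautoparts.co",         # same label under another TLD
    "slashdot.org",                # unrelated
    "autoparts.example",           # partial overlap only
]

# Look-alike sequences folded to the character they imitate (constructed table).
# Longer sequences come first so "rn" is handled before any single-character rule.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label):
    """Lower-case a DNS label and fold common confusables."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_name(name):
    """Split a host name into (second-level label, suffix). Simplifying assumption:
    the suffix is the final label only; a real monitor would use the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(name, brand="exampleautoparts", brand_tld="com", max_dist=1):
    """Return 'expected', 'lookalike' or 'unrelated' for one name from the feed."""
    sld, tld = split_name(name)
    brand = brand.lower()
    if sld == brand and tld == brand_tld:
        return "expected"
    folded, brand_folded = fold(sld), fold(brand)
    if folded == brand_folded:
        return "lookalike"   # identical after confusable folding, or a TLD swap
    if osa_distance(folded, brand_folded) <= max_dist:
        return "lookalike"   # within one typo of the brand
    if brand_folded in folded:
        return "lookalike"   # brand embedded in a longer label
    return "unrelated"


def triage(names):
    """Bucket a batch of feed names; the 'lookalike' bucket is what an analyst reviews."""
    buckets = {"expected": [], "lookalike": [], "unrelated": []}
    for n in names:
        buckets[classify(n)].append(n)
    return buckets


if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_CT_NAMES).items():
        print(verdict, hits)
```

The single-label suffix split is a deliberate simplification; a deployed monitor would consult the Public Suffix List, pull names from a CT log rather than a hard-coded list, and route the `lookalike` bucket into the same review queue as other brand-abuse reports so that a typo-squat is noticed when the certificate is issued rather than when a customer reports it.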
    6. Re:Free Certificates by thegarbz · · Score: 1

      >I don't need a third party CA to have an encrypted connection. If my interest is only in preventing eavesdropping by parties not associated with me or the remote, we can do any number of things; self signed certs being the most obvious.

      You'd think so, but some other third party has decided that this is not good enough and made self-signing certs pretty much a non-option unless you intend to only access the other end using a computer where you control the certificate store. Personally I like being able to say access my own cloud or services I host on my computer from *other* people's machines. It's not just a browser warning either. Some programs outright fail if the certificate chain isn't perfect.

      >That situation is rare. Usually any conversation that requires privacy also requires authenticity.

      Knowing who is in control of the server is one form of authenticity. When you go out to dinner and split a bill do you ask for the other person's phone so you can send him bank details, or do you ask for their name address phone number passport number, drivers license, etc. Not *all* authenticity is absolute which is precisely why there are various validation levels defined in the first place.

      >If I don't know that site is real though because some horse shit CA like Let's Encrypt is happy to issue a cert for ExamplAutoparts.com when ExampleAutoparts.com is a major e-tailer, and some asshole can clone the site and host it at ExamplAutoparts.com that sucks.

      And why shouldn't they? If the owner of the website proves they actually own examplautoparts.com then why would it be up to a private company to:
      a) police a trademark dispute
      b) provide a security certificate based on site content rather than ownership
      c) become the fraud police.
      There are legal processes in place for this, and issuing of SSL certificates by private companies is NOT the place to resolve them.

      But all of this is completely irrelevant since you're talking about two different processes that are handled differently by a browser. If someone typosquats my bank's website it becomes immediately obvious since on my browser it will display e.g. https://www.nap.com.au/ with a little lock rather than: "National Australia Bank Limited [AU]" If you're relying on the lock for authenticity then you should get out of the 90s and join us in the modern times.

      >F***K LE and the horse they rode in on.

      Nope, just learn to educate idiots who don't understand the difference between security and authenticity. I don't want to compromise security or pay a rent seeker just because someone like you thinks a URL and a padlock is some form of authenticity. It's not.

      You want to criticize LE? Start with the foundations of SSL and the many iterations of browser changes and security vendor changes that got us to the point where basic encryption wasn't possible to do without cost until LE tore apart the cartel.

    7. Re:Free Certificates by DarkOx · · Score: 1

      >nderstand the difference between security and authenticity.

      Congratulations you have proven beyond any doubt you have no idea what security means! I can now ignore your stupid prattling on Slashdot going forward.

      C-I-A Confidentiality, Integrity, Authenticity. You need all three!

      LE provides exactly no better authentication than self signed certs. It's worthless from a security standpoint, unless you are swapping thumbprints or something out of band to verify the certs, oh wait you could do that with self signed certs too, and with far less attack surface than running one of the LE cert bots.

      I am not relying on the little lock for authenticity, I can verify the subject but I would suggest a responsible CA would do a little diligence and not actively support, which is what LE is doing, spammers and fraudsters. I can assure you 99% of internet users if they don't get some certificate error, don't carefully check the URL bar (which half the browsers don't even show anymore) character by character and they never ever ever actually look at the certificate content directly.

      Sorry LE is providing a huge disservice to everyone. I'd say it ought to be shuttered, but it's a free country.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    8. Re:Free Certificates by thegarbz · · Score: 1

      >C-I-A Confidentiality, Integrity, Authenticity. You need all three!

      Security is not a "thing" it is a sliding scale. Maybe actually read my comment and learn something. DV certificates provide elements of all three, especially the middle one which was missing from every other cert provider who mostly took it on the good word of your American Dollar that you own a domain.

      >LE provides exactly no better authentication than self signed certs.

      I never said it did. And self-signed certs would be just fine on lots of the internet too if the browser vendors didn't think that encryption should warrant a big fat warning but plain text did not. In many cases I'm not interested in who the company is that I'm talking to. Take this link here for instance. I don't give a fuck who owns Slashdot. That doesn't mean I want every schmo at work or in the hotel I'm currently at knowing my login and password.

      >I am not relying on the little lock for authenticity, I can verify the subject but I would suggest a responsible CA would do a little diligence and not actively support

      Ooooh I've heard of a great CA that does that. One that actively checks to ensure that the person who applies for certificates of a domain actually has write privileges to the server on that domain. They are called Let's Encrypt. Far better than the schmucks at Symantec who can't even do extended validation correctly, and will issue you a DV for a few dollars by sending you an email to your choice of a wide variety of fallible addresses that mean nothing at all in the grand scheme of ownership.

      >Sorry LE is providing a huge disservice to everyone.

      Given you accuse me of not knowing about security I would say that opinion is born from your own ignorance on the topic.

      Talk about abolishing DV if you want, but claiming LE is somehow bad in the horrid cesspool of what DV "certification" (it's hard to say that without laughing) is just utterly stupid.

  11. Kaspersky Labs found the sony root kit by Anonymous Coward · · Score: 0

    others did not

    who do you trust again?

  12. DNSSEC DANE TLSA by Anonymous Coward · · Score: 0

    If only DANE TLSA were implemented, then we wouldn't be having this conversation. Everyone would run their own CA and the question of public CAs would be moot.

  13. I have a buyer in mind. by Anonymous Coward · · Score: 0

    They should just sell their crypto operation to WoSign. -PCP

  14. "Confirm that websites can be trusted?!" by Anonymous Coward · · Score: 0

    >Google said in March that it was investigating Symantec's failure to properly validate its certificates, which confirm that websites can be trusted.

    WTF? Looks like the article's authors (Liana B. Baker and Greg Roumeliotis) don't even know what a certificate does. But they're writing about it.

    If only Reuters had a certificate, then we'd know they can be trusted to understand what they write about!

  15. Null value by manu0601 · · Score: 1

    Who would want to spend money on this before Google has ruled it clean? If Chrome ceases to trust Symantec CA, its value drops to zero.

  16. Google Internet Death Penalty by Anonymous Coward · · Score: 0

    So Google, via Chrome, is dropping the axe on VeriSign (not quite as badly as WoSign), so Symantec is dropping it like a flaming bag of shit.

    Why not dump it on ICANN...