Slashdot Mirror


Symantec Explores Selling Web Certificates Business (reuters.com)

Cybersecurity firm Symantec is considering selling its website certification business, in a deal that could fetch more than $1 billion and extricate it from a feud with Alphabet's Google, people familiar with the matter told Reuters. From a report: Google said in March that it was investigating Symantec's failure to properly validate its certificates, which confirm that websites can be trusted. Symantec has called Google's claims "exaggerated and misleading." Symantec is in talks with a small number of companies and private equity firms about the potential sale, three sources said, asking not to be identified because the matter is confidential. There is no certainty that a deal will occur, the sources added.

1 of 41 comments

  1. Isn't the whole point of a CA "trust"? by ErichTheRed · Score: 4, Interesting

    Maybe Symantec is just trying to get out of the market ahead of the LetsEncrypt announcement that wildcard domain certificates would be available for free shortly. Once your trustworthiness is questioned, that might be the best thing to do.

    I admit that I'm pretty much a newbie on public certificates, having spent most of my career in non-web parts of IT. But, isn't the point of buying a certificate from a "real" CA the fact that you can show your customers that the CA took steps to prove your company is your company? And by extension, since your company's cert is issued by a CA that my browser trusts, then there has to be some validation done by the CA. I just went through the process of getting an EV certificate for a project we're working on, and the CA we used certainly spent some effort verifying my company's publicly available information, my employment information and authority to represent the organization before they'd give me the certificate. If a CA gets a reputation for shortcutting this process, or plays fast and loose with how they store their private keys to their issuing certs, then that's the real-world equivalent of a country issuing passports without checking if someone shows up in the country's birth records.

    Anyone can stand up a certificate authority and hand out certificates. We (and most other companies with big IT infrastructure) are doing it internally, but the difference is that some browser coming in from the Internet doesn't recognize our internal CA as a trusted root CA. I guess if LetsEncrypt is handing out certificates for free, CAs that can't guarantee they're offering something more trustworthy than that aren't going to be able to charge for issuing little 30K files anymore. LE is certainly going to disrupt the Domain Validation end of the certificate market because there will be a ubiquitous, free and easy way to get certificates -- it's essentially enabling basic SSL/TLS for everyone by getting rid of the cost factor. Whether this eats up the EV side of the market too remains to be seen - users don't typically care whether there's a lock icon in the browser bar or what color it is.