Symantec Sells Certificates Business for $950m

Symantec has finally decided to sell its embattled website security business in a $950 million deal which will see SSL certificate firm DigiCert take the reins.

Under the terms of the deal, which is expected to be completed by the third quarter of fiscal 2018, Symantec will also get a 30% stake in DigiCert.

Symantec CEO, Greg Clark, claimed the deal would help the security giant sharpen its enterprise focus on offering protection through its Integrated Cyber Defense Platform.

“We carefully examined our options to ensure our customers would have a world-class experience with a company that offers a modern website PKI platform and is poised to lead the next generation of website security innovation,” he added, in a statement.

“I’m thrilled that our customers will benefit from a seamless transition to DigiCert, a company that is solely focused on delivering leading identity and encryption solutions. Symantec is deeply committed to the success of this transition for our customers.”

Utah-based DigiCert will continue to be led by CEO John Merrill and his executive team.

However, they’ll have their work cut out to restore confidence in a business which has taken some significant knocks over the past few years.

In an industry based on trust, it has managed to incur the wrath of Google through mis-issuance of certificates.

The first major incident happened in 2015, and led to the sacking of several Symantec employees.

Yet unfortunately it wasn’t the last, and in March this year, Google revealed that subsequent investigations uncovered problems with as many as 30,000 certificates issued over several years.

“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” argued Google engineer, Ryan Sleevi, at the time.

“These issues, and the corresponding failure of appropriate oversight, spanned a period of several years, and were trivially identifiable from the information publicly available or that Symantec shared.”

The decision has been made to remove trust from certificates issued by Symantec before 1 June 2016 once Chrome 66 is released next spring, and then to extend the move to all certs a year later.
