Blogs

      • A New Chapter: DigiCert to Acquire Symantec’s Website Security and Related PKI Solutions

        Mar 29 2018, 8:53 PM

        by Roxane Divol

        Today, Symantec announced in a press release an agreement under which DigiCert will acquire Symantec’s Website Security and related PKI solutions. At a time when it’s absolutely critical that businesses are safeguarded from the advanced cyber security threats infiltrating the web, through this acquisition customers will benefit from a company that is solely focused on delivering the leading identity and encryption solutions they require.

        DigiCert is a leading provider of scalable identity and encryption solutions for the enterprise. The fast-growing company currently has a number of high-profile enterprise and IoT customers. DigiCert enjoys a strong reputation and high customer loyalty with a focus on industry-leading customer support, innovative market solutions, and a meaningful contribution to improving industry best practices. DigiCert has earned several awards for its innovation and growth strategies, and this summer was named one of Computerworld’s Top 100 places to work in IT.

        The addition of Symantec’s website security and related PKI solutions to DigiCert’s offerings will provide customers with an enhanced technology platform, unparalleled support and market-leading innovations. DigiCert will have incredible talent and experience to lead the next generation of global website security and will gain capabilities to take advantage of opportunities in IoT and bring new approaches to the SSL market.

        Symantec Website Security and DigiCert share a strong commitment to customer service, and ensuring continuity for our customers and their businesses is a top priority. Once the transaction is complete, we will work to transition our customers to a new platform that meets all industry standards and browser requirements and provides the foundation for future innovation in the CA space.

        Importantly, we feel confident that this agreement will satisfy the needs of the browser community. DigiCert is communicating this deal and its intentions to the browser community and will continue to work closely with them during the period leading up to our closing the transaction. DigiCert appreciates and shares the browsers’ commitment to engendering trust in digital certificates and protecting all users.

        Last but not least, I’d be remiss to not personally thank each and every one of the hard-working and dedicated employees of the Website Security team. We are tremendously excited about the opportunities ahead and deeply committed to the success of this transition for the Website Security business, its employees, and our customers.

        Best Regards,

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security 

      • Symantec CA’s Initial Response to Google’s Revised Proposal

        Mar 29 2018, 8:38 PM

        by Roxane Divol

        Today, Google put forward a revised proposal regarding our CA business, which we are currently reviewing. Google’s proposal follows collaborative and constructive community discussions. Our goal has been to reach a solution that minimizes disruption for our customers and is in the best interests of the entire Internet community.

        While there remain details to be considered, we believe Google has put forth a new proposal that limits business disruption for customers as compared to prior proposals. Notably, Google’s revised proposal would not require Symantec to move to shorter-term validity certificates beyond what was approved by the CA/B forum in Ballot 193 for all CAs and Symantec’s Extended Validation certificates would remain intact. Given the potential impact of any changes that might be implemented, we are carefully reviewing this proposal and will respond shortly with feedback for the community’s consideration.

        We thank our customers and the community for their patience and participation in this important discussion.

        Best Regards,

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

      • An Update for our Symantec CA Customers

        Oct 20 2017, 9:14 PM

        by Roxane Divol

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below: 

        ****************************************** 

        It's important that we keep the lines of communication open with you as we continue to deliberate possible changes to how we support your website security needs in response to Google's proposal. There is no doubt that these proposed changes would create a ripple effect across the entire industry. Following up on my previous Message To Our CA Customers, I wanted to provide you with an update on the progress we have made in response to Google's proposals.  

        In the weeks since Google shared its initial proposal, we have met with Google several times and have also embarked on an industry-wide listening tour to understand the impact that any changes may cause to our customers, partners, and the PKI ecosystem. Our goal is to find a combined path forward that will ensure business continuity for our customers and peace of mind for all browsers and other industry stakeholders.  

        These conversations have been both encouraging and instructive. And the input we've received from our industry stakeholders, partners, and most importantly, our customers, gives us confidence that we can come to the table with an alternative proposal that will serve the shared interests of the entire industry.  

        We have also heard consistently from customers like you that the transition to fully adopt Google's proposal within its suggested timeframe would cause significant business disruption and additional expense - especially within complex IT infrastructures. Mitigating these concerns is a top priority for us as we develop our counter proposal and provide responses to the salient questions the community has posted online. While we believe Google understands the burden their proposal creates, if they decide to move ahead with their original plan, I want to reassure you that Symantec will keep your websites, web servers or web applications operational across all browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period.  

        While we've made solid progress, we have plenty of work left ahead of us and I hope you will continue to consider us a trusted security partner as we address the challenges before us. I firmly believe that the only way to improve is by listening. If you have thoughts on shorter validity certificates, automation, or the value of extended validation (EV), please don't hesitate to reach out to me or voice your concerns anonymously by participating in a brief online survey.  

        Your input is invaluable and I thank you for your continued support.  

        Best regards, 

        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

      • A Message To Our CA Customers

        Oct 20 2017, 8:22 PM

        by Roxane Divol

        In connection with the statement posted to Symantec’s Blog on March 24, 2017, Symantec has been reaching out to its customers.  The text of our most recent customer communication is below:

        ******************************************

        On March 23, Google posted a blog on a public forum outlining a set of proposals targeted at Symantec SSL/TLS certificates. This was unexpected, and I wanted to reach out to explain what this proposal means for Symantec customers and how we will respond to Google’s proposal, if implemented, in order to ensure business continuity for you. I also want to address Google’s claims about Symantec’s certificate issuance processes and reaffirm our continued commitment to transparency of our practices as a public certificate authority.

        First and foremost, I want to reassure you that you can continue to trust Symantec SSL/TLS certificates. Google has outlined proposals, not actions. We object to its proposals and intend to engage with Google to work through its concerns.

        To be specific, the key terms of Google’s proposal are as follows:

        1. Over time, Symantec would need to revalidate and reissue previously issued certificates

        2. Maximum validity of newly issued Symantec Certificates would be reduced to 9 months

        3. Extended Validation (EV) treatment of Symantec certificates would be removed for at least one year

        In the event Google implements its proposal, Symantec will ensure your websites, webservers or web applications continue to work across browsers. Specifically, this may require Symantec to reissue your certificates, which we would do as needed, at no charge to you, to meet the fully expected validity period. In addition, Google’s proposal requires shorter validity certificates, which we would support. We anticipate Google may attempt to impose this shorter validity period on the entire industry, as they have previously tried to do so through an initiative at the CA/Browser forum that was voted down. Shorter certificate validity periods increase customer expense, which we are working to reduce by making considerable investments in automation. We would work with our customers to provide tools to manage any validity period changes that Google might unilaterally impose.

        Finally, while Google and Chrome have long been working to remove special treatment for EV certificates in general, other browsers continue to recognize it. We will continue to work with Google and other members of the CA/Browser forum on security best practices for the industry. Our customers get value from the extensive validation on our EV certificates, and derive meaningful results from them. Our brand is powerful: our certificates secure more than 80% of ecommerce revenue and our Norton Shopping Guarantee on average increases ecommerce revenue by more than 5%.

        We are proud to be one of the world’s leading certificate authorities. We operate our CA in accordance with industry standards. We maintain extensive controls over our SSL/TLS certificate issuance processes and we work to continually strengthen our CA practices. We have substantially invested in, and remain committed to, the security of the Internet.  Symantec has publicly and strongly committed to Certificate Transparency (CT) logging for Symantec certificates and is one of the few CAs that hosts its own CT servers.  Symantec has also been a champion of Certification Authority Authorization (CAA), and asked the CA/Browser Forum for a rule change to require that all certificate authorities explicitly support CAA.  Our most recent contribution to the CA ecosystem includes the creation of Encryption Everywhere, our freemium program, to create widespread adoption of encrypted websites.

        Google’s blog statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event referred to by Google, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed. 

        We do not believe Google’s proposal is in the best interest of the Internet community. We are working to resolve the situation with Google in the shared interests of our joint customers and partners.

        In closing, we take certificate issuance very seriously. The events that prompted Google to propose these changes have been addressed with the utmost transparency. We are working hard to ensure that this proposal does not create disruption for you. Please let me know if you would like to schedule a call.

        Best Regards,
        Roxane Divol

        Executive Vice President & GM, Symantec Website Security

      • Results of Our Investigation

        Mar 29 2018, 8:23 PM

        by Roxane Divol

        Investigating and remediating the test certificate mis-issuance incident has been a top priority for Symantec, and my team specifically. We have completed our investigation and have confirmed that the certificate mis-issuance was limited to certificates issued for internal Symantec testing purposes. Our investigation uncovered no evidence of malicious intent, nor harm to anyone. No customer or partner action is needed.

        As we previously disclosed, Symantec learned in September 2015 that it had generated a number of internal test certificates in a manner not fully consistent with its policies. These included certificates to unregistered domains and domains for which Symantec did not have authorization from the domain owner. We immediately commenced an investigation to identify and revoke mis-issued certificates. We also sought to determine and remediate the root causes of the mis-issuances and to confirm that no harm had resulted from the incident.

        Our now completed investigation has confirmed that each of the mis-issued certificates we have identified was issued solely for internal Symantec testing purposes.  Each of these test certificates has been revoked or expired and we have contacted the relevant domain owners.  Further, we have and will continue to work with the browser community to blacklist these test certificates where they deem appropriate.

        Since this issue first arose, Symantec has implemented changes to our test certificate policies, processes, and controls designed to prevent this from happening again, and we will continue to further evaluate and strengthen those policies, procedures, and controls. We remain fully committed to the continued trust of our roots across browsers and enhancing the security of the global certificate infrastructure. In support of this commitment, as we announced on February 12, 2016, we have already implemented extensive support for Certificate Transparency.

        We have sought to proactively implement the important lessons learned from this experience as we now return our attention to an innovative and exciting year for Website Security.

        Additional information, including the list of mis-issued test certificates that we have identified, is available here.
