
Tell HN: Digicert is turning into Symantec - huhtenberg
It was an open secret, linked from Microsoft MSDN page on code signing [1] - if you are to enter Digicert site through https://www.digicert.com/friends/sysdev link, you'd get a 50% discounted offer on all certificates _including EV code signing_ certs. Coupled with Digicert's US-based no-nonsense support it made buying an EV cert from them an absolute no-brainer. Recommended them more times than I can remember.

Then they "absorbed" Symantec.

First, the quality of the support took a nose dive. Live chat that used to be almost instantaneously available started showing queues of 10-15 minutes. Earlier this year the support started deflecting all sales-related questions to "your sales representative, who will get in touch with you shortly." What used to be a 30 second chat to get the renewal price matched against the last year now turned into some painful bullshit that ended up with sales rep claiming no discounts were available, but he'd be willing to make a massive one-time exception of 5% off.

But the /sysdev link still worked, the hope that these Symantec influences will blow over was still there.

No more. The link now redirects to $600/yr pricing. Support is slow and useless, there are now industry-standard obnoxious sales reps, where none is needed, and so Digicert is all but Symantec now. What a shame I say.

Just FYI.

[1] https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/get-a-code-signing-certificate
======
toast0
Around 2013-2017, I got a lot of certs issued through DigiCert, and their
support team was awesome. The wildcard certs were _expensive_ , but their
support team issued a bunch of 'custom duplicate' certs that I would have
thought was pushing the boundaries of what we paid for and never batted an
eye. They were also willing to take the time to issue certs through non-default
intermediaries, even when it wasn't immediately available. Other CAs I
worked with had very little flexibility at all, anything off the script was
not ever going to happen.

If their service has changed, that's a real shame :(

------
graphememes
Code signing is a strong arm tactic and the ones who run the industry are a
huge mafia game. Hate every aspect of it.

~~~
huhtenberg
Code signing as a tech and as an idea is perfectly fine.

It is a solution to a _massive_ problem with average, technically
unsophisticated users downloading and running all sort of junk without
thinking twice, including things that impersonate legit software and generally
do shady stuff like dropping random kernel modules.

The business scaffolding around it is just wrong, I agree with that. It should
be handled by non-profits or state-run organizations. You register a company,
you get a signing key. Validation and authentication should be done at source,
not across an ocean by a 3rd party outsourced support calling a phone number
published in 4th party business directory. This is as ass-backwards as it
gets.

~~~
crankylinuxuser
> Code signing as a tech and as an idea is perfectly fine.

It's a scam. Full stop.

A standard cert is now free. $0. Nada. Zilch.

So what are the power-players doing? They're deprecating the validity of
'those free certs', and pushing EV.

What does EV do? Oh yeah "You paid $X hundred so you MUST be legit". Sure,
they might look at the state's business registry and match the business name
in the EV. That's automatable work.

But there you have it, piles of money because 'a real business can afford it'.
And some assumption that scammers won't.

Cert chains from the root authorities have been a continual scam, until
LetsEncrypt showed up. This EV bullshit is no different.

~~~
gruez
>So what are the power-players doing? They're deprecating the validity of
'those free certs', and pushing EV.

> [...]

>Cert chains from the root authorities have been a continual scam, until
LetsEncrypt showed up. This EV bullshit is no different.

You seem to be conflating web certificates (for lack of a better term) with
code signing certificates. When it comes to web certificates, 3 of the 4 major
browser vendors are removing EV indications from their UI[1], so I'm not sure
where this "push" is from. On the other hand, for code signing certificates,
there is a push from MSFT to get EV certificates, since it automatically gains
"smartscreen reputation".

[1] https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/

>But there you have it, piles of money because 'a real business can afford
it'. And some assumption that scammers wont.

Like it or not, when it comes to everyday Windows users, code signing has the
best ux compared to other forms of validation. Right-click -> properties and
it shows who signed it and whether it was tampered with. This is much better
than posting a file hash (how do you calculate a hash? what happens if the
landing page is compromised?), or GPG (how do you install GPG? how do you
build up web of trust? are you going to just use whatever key that the download
page says to use?)

~~~
tialaramex
> You seem to be conflating web certificates (for lack of a better term)

Two suggested better terms for future reference:

Certificates in the Web PKI - in one sense "Web PKI" is a misnomer because
this PKI is for all TLS on the public Internet which is a lot more than the
web, but in another sense it's accurate because in practice all standards
development, public oversight, trust store policy setting, and so on takes
place because of the Web and not other TLS applications.

PKIX Certificates - by using PKIX, the IETF's dialect of the X.509 standard,
certificates actually work and have a clearly defined meaning on IP-based
networks. This is a broader idea than the Web PKI, encompassing private IP
networks, private CAs issuing for constrained uses, and non-TLS traffic for IP
networks.

But your thrust was correct, code signing is a quite different application for
X.509 certificates than PKIX, and especially than the Web PKI.

------
mingabunga
It's because you're logged in as an existing user. Just use a different email
address to get a new certificate and sign up with that to get the discount.
Then after you get the cheaper certificate, ask support to merge the accounts.

~~~
huhtenberg
Nope, I'm not logged in. If I am logged in, the link simply redirects to the
dashboard page and that's it.

But that's off the point. Regardless of the workarounds, whatever the goodwill
DigiCert has accumulated with the developer community over the years, they are
actively squandering it now and they don't seem to care.

------
nailer
I've had the chat queue take over an hour. And yes it used to be instant.

Email went from within 24 hours to multiple days.

Basic tasks like moving a cert between accounts are now 'it doesn't work
because of a bug in our software and we have no timeline for it to be fixed'.

------
therealduhne
Until DNSSEC DANE TLSA is implemented in OSes, an interim solution that is
easy and costs nothing is to publish binary hashes into a GitHub repository.
It's not checked by UAC, but it is free and humans can check the hashes with
standard tools if they want formal validation. A code signature is actually
little more than third-party validation of a hash of a binary file that can't
be easily altered. GitHub is your third-party and a repo contains your binary
file hash that can't be easily altered. Other than the "scary" yellow UAC
dialog and SmartScreen being temporarily annoying after each version release,
problem solved!

DNSSEC DANE TLSA is the real solution though to all public CA woes. TLSA lets
you run your own private CA publicly and be trusted without root certificate
stores.
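
The hash-manifest scheme described above, as an added example that is not part of the commenter's post or of any project's code: a small verifier for a `sha256sum`-style manifest of the kind a publisher might commit next to a release. The manifest text, file name and file contents are constructed for the example (the digest is the standard SHA-256 test vector for the bytes `abc`, so it runs offline). It goes a little beyond the comment by handling the three outcomes a checker has to tell apart: a match, a mismatch, and a file the manifest never listed.

```python
import hashlib
import hmac
import os

# Constructed sample manifest in the format `sha256sum` emits, standing in for
# a SHA256SUMS file committed to a repository next to a release. The digest is
# the well-known SHA-256 of the bytes b"abc", so the sample "release" below
# verifies without any network access.
MANIFEST_TEXT = """\
# release 1.2.0 (constructed sample)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  tool-1.2.0-win64.exe
"""

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the bytes as lowercase hex, the way sha256sum prints it."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse `<hex>  <filename>` lines into {filename: digest}.

    Blank lines and '#' comments are skipped. A malformed or duplicate line
    raises instead of being ignored, so a damaged manifest cannot quietly
    end up verifying nothing.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_digest(name: str, actual_hex: str, manifest: dict) -> str:
    """Return 'OK', 'MISMATCH' or 'UNLISTED' for a computed digest."""
    expected = manifest.get(name)
    if expected is None:
        return "UNLISTED"  # the manifest says nothing about this file at all
    # Constant-time comparison is the habit for digest checks, even offline.
    return "OK" if hmac.compare_digest(actual_hex, expected) else "MISMATCH"


def verify(name: str, data: bytes, manifest: dict) -> str:
    """Check in-memory file bytes against the manifest entry for `name`."""
    return verify_digest(name, sha256_hex(data), manifest)


def verify_file(path: str, manifest: dict) -> str:
    """Same check for a file on disk, hashed in chunks so large binaries fit."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return verify_digest(os.path.basename(path), h.hexdigest(), manifest)


if __name__ == "__main__":
    manifest = parse_manifest(MANIFEST_TEXT)
    # Constructed downloads: the genuine bytes, a one-byte tamper, an unlisted file.
    print(verify("tool-1.2.0-win64.exe", b"abc", manifest))  # OK
    print(verify("tool-1.2.0-win64.exe", b"abd", manifest))  # MISMATCH
    print(verify("tool-1.2.0-linux", b"abc", manifest))      # UNLISTED
```

What this establishes is integrity relative to the manifest you fetched: the file matches what the publisher listed, or it does not. The manifest itself is only as trustworthy as the channel it came from, which is the part of the problem a certificate chain is meant to cover.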

~~~
tptacek
You can already run your own private CA. What you can't do is get a government
to vouch for you, which is effectively what DNSSEC does; it replaces the CA
with a tree rooted in country governments.

What discretion the de jure controllers of .COM and .IO have, we don't want
them exercising over our code. But, of course, the problem for code signing is
that they'll have little discretion at all, and, were operating systems to
consider switching to DNSSEC, they might as well just stop doing code signing
altogether, since creating a situation where anyone can generate an authority
that disables the UAC warning box defeats the whole purpose.

~~~
therealduhne
The current code signing paradigm was already tenuous but this change to
DigiCert is going to cause far fewer packages to get signed as fewer devs
acquire and renew the now very costly certs. We need working alternatives. You
didn't provide any solutions but decided to downvote anyway.

Code signing has always been about validating the source of a binary and that
it hasn't been modified from what the publisher intended. This is done by
relying on a third-party validation mechanism. DNSSEC DANE TLSA meets both of
those qualifications. So does GitHub. I'd be fine with either or both as
options. Microsoft owns GitHub too, so code signing could be done through that
medium. Public CAs in a trusted root store allow for offline validation but
let's be realistic - most devices and software are online these days and
public CAs aren't particularly worthy of anyone's trust. Domain-pinning a
private CA in a trust store via TLSA (or GitHub, whichever) would allow for
one-time online validation and then permanent offline validation for any given
binary thereby allowing device drivers to still load offline.

Microsoft unfortunately still claims that code signing stops malware. Time has
effectively proven that to be false as code signing has stopped approximately
zero malware infestations. Training personnel to be constantly vigilant
through ongoing training modules has proven to be far more effective.

------
dastx
You don't need EV.

~~~
foobarbazetc
You do if you want to get past SmartScreen instantly.

------
ozim
But Symantec was bought by Broadcom this year. This sales reps thing is some
Broadcom global strategy for Symantec products.

~~~
stephenr
DigiCert bought Symantec's TLS/PKI business, to quote wikipedia:

> including brands GeoTrust, RapidSSL, Thawte and VeriSign

~~~
tialaramex
In particular, and relevant to this rant, to permit the acquisition to take
effect DigiCert had to explain to stakeholders (Google, Mozilla and perhaps
others) in some detail that this was NOT a reverse takeover, the resulting
organisation would NOT be Symantec's CA but now named DigiCert, it still would
be DigiCert but now with Symantec's famous brands like Thawte and VeriSign --
thus it would not be infected by poor management processes and inadequate risk
controls.

The reason this was important is that Symantec's oversight had been judged
lacking -- business as usual was not an option, they were asking big CAs like
DigiCert about pricing for basically a white labelling service. The
trustworthy CA would run everything for a few years and Symantec would own the
brands while internally rebuilding to get trust back. In that discussion with
DigiCert apparently just selling Symantec's CA function outright was the more
attractive option than whatever eye-watering sum such white labelling would
have cost.

~~~
stephenr
Is there any evidence that the issue at hand is anything more than just
customer service though? I don’t see any mention of actual CA issues (ie
following proper issuance policies, etc)

And to be fair, when it comes to shit customer service Google would look at
Symantec, laugh and say “hold my beer”.

~~~
tialaramex
No, sorry it was unclear, my point was that unlike normal we actually have
independent evidence that this was NOT about DigiCert becoming Symantec,
because that was a requirement for these stakeholders. So at most this is just
"Popular product's customer services made worse due to expansion" a familiar
story which rarely signifies much.

And to be honest the parent article's main thrust comes across as "Wah, I had
to pay full price" which like, I'm not even getting out my record-breaking
world's tiniest violin for that, who cares?

~~~
stephenr
Right that makes more sense now! Agreed.

------
vkaku
Wait. What. Digicert is now BRCM?

------
garganzol
I do not think they do anything wrong.

You are trying to be cheap while casting unrealistic expectations and
executing cut-throat tactics on their chat and support.

Things do not work that way.

Either you pay a minimum, follow the rules and wait in a queue or you pay the
premium to be greeted with quick turnaround and other perks.

~~~
eps
For years Digicert used to be marginally cheaper than Comodo with a better
service.

They got to be _the_ code signing CA by being this exact combo - inexpensive
product with good support - and being granted the top link on the high-traffic
MSDN page because of that. That's what DigiCert was.

Now they are suddenly 3x more expensive with comparably troublesome support.

What unrealistic expectations and who's being cheap here exactly?

~~~
garganzol
Riding the coupon created exclusively for hardware suppliers while bombarding
support being a software guy is disrespectful behavior by any means.

Sure, some people do not see it that way, but only until the table is turned.

Edit: I am pretty sure that topic starter has Eastern European or Middle
Eastern origin where being as cheap as possible is a prevalent idea. Even when
it breaks people around you.

~~~
alphaomegacode
What makes you think he/she is Eastern European or Middle Eastern?

What makes you say he was "...bombarding support.."?

