
Symantec explores selling web certificates business - bracewel
http://www.reuters.com/article/us-symantec-divestiture-idUSKBN19W2WI
======
tialaramex
Hmm. Whilst sale of this business is certainly a possibility, one thing to
keep in mind is that the anonymous sources could have been confused by
activity that isn't actually a sale at all.

Symantec's current deal with Mozilla/ Google implies that they need a third
party to actually do most of the technical work while they build new
capabilities not tainted by previous problems. So that means Symantec
executives having discussions with other CAs that could easily _look_ like
they're thinking of selling the business even if they aren't, they'd be
talking about sales volumes, sharing financial data, which operational people
could be transferred and who needs to stay where they are... all stuff that
_looks_ like a sale but would be necessary for Symantec to obey the plan
they've shown Google.

Also sale of the CA business with the current shadow over it would be
problematic, the major trust stores have reacted to the StartCom/ WoSign
fiasco by instituting more rules about transfer, which came up for Google
recently because they bought a CA. If an existing CA buys the Symantec
(Verisign/ Thawte/ GlobalSign branding) business, they also buy Symantec's
problems with the trust stores. If a _new_ CA buys the business there will be
arguments from a lot of quarters that they're unqualified and forget
Symantec's problems the whole thing needs to go away immediately. It's like
buying a burning tyre fire, where's the upside ?

~~~
FungalRaincloud
I'm inclined to agree just from my own reading of this. I just don't see how
sale could do anything but harm trust in the brands further, which makes sale
only appealing to those who either don't care about trust, or have enough
trust on their side to think they can rebuild it. Both of those groups are not
going to want to pay much. Why sell a division of your company for peanuts?

------
mrmondo
Being one of the least trusted, yet large CAs currently in existence this may
not be a bad move for the company. However I do wonder what that leaves the
company as far as popular assets go, their ‘enterprise’ antivirus offering was
once the best-in-class but since the demise of AV and the companies general
reputation declining year on year (citation definitely needed and obviously my
opinion through observation) it still makes me wonder how long the company
will last. Oh and of course I should remind people that Symantec owns Blue
Coat...

~~~
eru
Of course, even with nothing useful left in the rump company, the sale might
still be good from a shareholders point of view. Similar logic as for Yahoo's
holding of Alibaba a while ago, when rump-Yahoo added negative value by most
calculations.

~~~
phonon
The certificate business is only about 10% of Symantec's revenue. (But
probably more of its profits)

They have consumer and corporate anti-virus, Endpoint Protection, and they now
own Blue Coat and Lifelock.

~~~
eru
Thanks for adding facts!

------
venning
I'm assuming that Symantec makes money off of selling SSL certs which, again
I'm assuming, they will make less of as Let's Encrypt begins to gain
"conquest" domains over "greenfield" domains (those that did not and would not
have held a cert without ACME and without being free). Of course, that assumes
that a substantial number of paid-for SSL users switch to Let's Encrypt.
Unless I'm misunderstanding, this may solve two problems for Symantec.

EDIT: I have no idea if LE's impact is of a "rising tide raises all boats"
kind or a purely disruptive kind.

~~~
gcp
The DV business is dead but there will be a marketing push towards EV certs
for business.

Symantec's problems are that they fucked up too much and have slipped past the
"too big to fail" boundary.

~~~
mrweasel
There's also a niche market for more complex certificate solutions, like the
one we saw stackoverflow required:
[https://nickcraver.com/blog/2013/04/23/stackoverflow-com-
the...](https://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-
ssl/)

It's just that those solutions require actual work and capable customer
support, and I don't think that's a business Symantec wants to be in.

Still I would hope that their certificate business is taken over by someone
serious about SSL/TLS/certificates. I would have for Let's Encrypt to become a
monopoly.

~~~
wfunction
Their biggest problems seemed to just stem from their arbitrary choice to use
subdomains instead of subdirectories. If they just put everything on the same
domain (/sites/stackoverflow, /sites/superuser, etc.) then they would
literally just need 1 certificate for everything, no third-level-wildcard
nonsense. Not sure what this decision to have a gazillion different domains
has gained them honestly. Reddit clearly manages to work that way.

------
finchisko
Of course they do. I've feeling they get corrupted and stepped on a path of
quick making money with assigning covert certificates for various
agencies/companies whose main initiative was to spy on users. In their case
recovering trust is almost impossible.

------
aburan28
Fun Fact: Symantec sold certificates to Blue Coat all the way back in May 2016
and have been using them in their SSL inspection tool ever since

~~~
phonon
Symantec owns Blue Coat though?

------
honestoHeminway
If there ever was a fire-sale. Thrustworthiness, get it while its red-hot.

