Connect with us

Hi, what are you looking for?



Mozilla Raises Concerns Over DigiCert Acquiring Symantec CA

Mozilla has raised some concerns regarding DigiCert acquiring Symantec’s website security and related public key infrastructure (PKI) solutions after major web browser vendors announced that certificates issued by the security firm would no longer be trusted.

Mozilla has raised some concerns regarding DigiCert acquiring Symantec’s website security and related public key infrastructure (PKI) solutions after major web browser vendors announced that certificates issued by the security firm would no longer be trusted.

Due to a series of incidents involving mississued TLS certificates, Mozilla and Google want Symantec and its partners to replace all existing certificates within a year. Furthermore, new certificates will need to be issued through the infrastructure of a subordinate certificate authority (CA).

Microsoft and Apple have yet to make any public comments on the matter, but they will likely follow in the footsteps of Mozilla and Google.

Instead of finding a subordinate CA to help it issue new certificates, Symantec has decided to sell its certificate business to DigiCert for $950 million in cash and a stake of roughly 30 percent in common stock equity of the DigiCert business. The companies announced on Tuesday that the acquisition has been completed.

DigiCert has reached out to Mozilla to see if the organization has any concerns over the acquisition. Mozilla is primarily concerned that while the new certificates will be issued under DigiCert’s name, Symantec will be involved in the process and it will introduce the problematic practices that led to the current situation.

“It would not be appropriate for a CA to escape root program sanctions by restructuring, or by purchasing another CA through M&A and continuing operations under that CA’s name, essentially unchanged,” explained Gervase Markham, a software engineer at the Mozilla Foundation. “And examination of historical corporate merger and acquisition activity, including deals involving Symantec, show that it’s possible for an M&A billed as the ‘purchase of B by A’ to end up with name A and yet be mostly managed by the executives of B.”

Mozilla informed DigiCert that it has four primary concerns. The organization does not want the day-to-day issuance of certificates to rely too much on Symantec’s old infrastructure.

Mozilla also cautioned about Symantec’s validation and operations personnel continuing their work without first receiving training from DigiCert. Furthermore, the web browser vendor is concerned that Symantec’s processes may actually displace DigiCert’s existing processes.

Advertisement. Scroll to continue reading.

Finally, Mozilla has advised DigiCert not to allow Symantec to control the CA organization, particularly when it comes to providing technical and policy direction and oversight of the PKI.

“We hope that this provides useful guidance about our concerns, and note that our final opinion of the trustworthiness of the resulting entity will depend on the facts and behavior of the resulting organization. Mozilla reserves the right to include or exclude organizations or root certificates from our root store at our sole discretion,” Markham said.

Symantec and DigiCert promised customers an easy transition, but competitors have taken the opportunity to point out that the process could pose problems.

Comodo CA, which tech-focused private equity firm Francisco Partners acquired this week for an undisclosed amount, warned that “DigiCert does not have the same infrastructure as Symantec, as a much smaller Certificate authority it never had the need to. Therefore, the eventual platform migration poses a huge execution and technology risk for all Symantec Enterprise customers and channel partners.”

Related: Google to Completely Ban WoSign, StartCom Certificates in Chrome 61

Related: Google Launches Its Own Root Certificate Authority

Related: Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cybersecurity Funding

SecurityWeek investigates how political/economic conditions will affect venture capital funding for cybersecurity firms during 2023.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...