New Requirements, Market Disruption and Acquisitions
What a year for Certificate Authorities (CAs)! The year kicked off with the January 1st deadline deprecating SHA-1 certificates and the need to migrate to SHA-2. We then saw the CA/Browser Forum pass ballot 193, reducing the maximum validity period of SSL/TLS Certificates to 825 days (just over two years). And, throughout the entire year, we saw massive disruptions in the marketplace. In this post, I'll recap this wild and crazy year.
SHA-1 Deprecation and CA/B Forum Changes
While we've known about SHA-1 deprecation for years, the deadline finally hit on January 1, 2017, and the browser releases that followed in early 2017 stopped trusting SHA-1 signed certificates. GlobalSign started notifying its customers as far back as 2014 so they could transition smoothly to SHA-2 certificates. If you didn't migrate to SHA-2 before 2017, you probably started seeing browser errors on any site still serving a SHA-1 certificate.
In April, the CA/B Forum passed ballot 193, changing the Baseline Requirements to reduce the maximum SSL/TLS validity period to 825 days, just over two years. While the new cap does not take effect until March 1, 2018, it applies to all CAs and all types of SSL/TLS Certificates.
Why did the CA/B Forum make this change? Decreasing the maximum lifetime of certificates from 39 months to 825 days shortens the window during which a certificate issued under older, weaker validation rules stays in circulation: every certificate has to be replaced, and its domain re-validated, sooner against whatever the current guidelines are.
GlobalSign took proactive measures and stopped issuing three-year certificates on April 20, 2017.
Google and Mozilla Sanction Symantec
Perhaps the biggest news of the year came in March, when Google and Mozilla lowered the boom on Symantec for repeated violations, including the mis-issuance of roughly 30,000 HTTPS certificates.
When the news about the mis-issued certificates hit, Google laid out some extreme measures: Chrome would cap newly issued Symantec certificates at a maximum validity of nine months, strip Symantec certificates of Extended Validation status, and phase out trust in existing Symantec certificates over a series of releases. Symantec was the SSL Certificate market leader, and these sanctions would leave hundreds of thousands of websites and servers untrusted by the world's most popular browser. Not a good thing when many of Symantec's customers are large financial and health care organizations.
While Symantec continued to negotiate with both Google and Mozilla over these sanctions, the leading browsers were not backing down. Symantec had only a few options: accept the sanctions, bring in other CAs (Managed CAs) to reissue certificates to its customers before a December 1, 2017 deadline, or sell its certificate business. Selling the business was the end decision; more on that next.
We saw two major acquisitions in the CA market this year, with both market leaders, Symantec and Comodo, selling their certificate businesses. And, just recently, Entrust Datacard acquired Trustis Limited, a specialized managed service provider of public key infrastructure (PKI) and crypto management solutions based in the United Kingdom.
DigiCert Acquires Symantec’s Certificate Business
In August, Symantec chose to sell its certificate business. DigiCert, backed by the private equity firm Thoma Bravo, acquired the Symantec business unit for approximately $950 million. We raised a lot of questions about the acquisition in a blog post, Understanding the Semantics of the Symantec Sale, including how a company the size of DigiCert integrates a much larger business into its operation. The acquisition also did not change the distrust timeline established by Google and Mozilla. As a refresher, here's that timeline, with the first milestone having passed just last week:
- December 1, 2017: Symantec must move issuance of all new certificates to the DigiCert infrastructure. Any certificate issued from the old Symantec infrastructure after December 1, 2017 will not be trusted.
- March 15, 2018: The Google Chrome 66 beta will distrust certificates issued by Symantec before June 1, 2016. The public release of Chrome 66 is expected on April 17, 2018.
- September 13, 2018: The Google Chrome 70 beta will distrust all remaining certificates issued from the legacy Symantec infrastructure. The public release of Chrome 70 is expected on October 23, 2018.
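The three rules this recap has covered so far (SHA-1 signatures no longer trusted, the 825-day validity cap from ballot 193, and the Chrome distrust dates for legacy Symantec certificates) are all things you can check against the certificates in your own estate. The following Python is an added example written for this recap, not code from the original post or from GlobalSign. It uses only the standard library, walks just the DER fields the checks need, and builds a constructed, unsigned sample certificate so that it runs offline. The function names (parse_cert, audit, build_sample_cert) are this example's own, and the issuer_is_legacy_symantec flag stands in for the chain inspection a real tool would do before deciding that a certificate came from the old Symantec infrastructure.

```python
"""Audit a DER certificate against the rules discussed in this recap:
SHA-1 signatures, the 825-day validity cap (ballot 193) and the Chrome
distrust dates for legacy Symantec-issued certificates.

Added example, standard library only. The DER walker reads just the fields
these checks need and is not a general X.509 parser."""
from datetime import datetime, timezone

SHA1_SIG_OIDS = {                       # signature algorithms built on SHA-1
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsaWithSHA1",
    "1.2.840.10045.4.1": "ecdsaWithSHA1",
}
MAX_VALIDITY_DAYS = 825                 # ballot 193 cap, effective 2018-03-01
UTC = timezone.utc
SYMANTEC_OLD_CUTOFF = datetime(2016, 6, 1, tzinfo=UTC)   # Chrome 66 dividing line
CHROME66_STABLE = datetime(2018, 4, 17, tzinfo=UTC)
CHROME70_STABLE = datetime(2018, 10, 23, tzinfo=UTC)


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Dotted OID from DER contents (first arc 0 or 1, or 2 with second arc < 40)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _decode_time(tag, raw):
    """UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=UTC)


def parse_cert(der):
    """Return (signature OID, notBefore, notAfter) from a DER-encoded certificate."""
    _, pos, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = _read_tlv(der, pos)               # tbsCertificate SEQUENCE
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _read_tlv(der, pos)               # serialNumber (skipped)
    _, alg, pos = _read_tlv(der, pos)             # signature AlgorithmIdentifier
    _, s, e = _read_tlv(der, alg)                 # its algorithm OID
    sig_oid = _decode_oid(der[s:e])
    _, _, pos = _read_tlv(der, pos)               # issuer Name (skipped)
    _, pos, _ = _read_tlv(der, pos)               # validity SEQUENCE
    tag, s, pos = _read_tlv(der, pos)             # notBefore
    not_before = _decode_time(tag, der[s:pos])
    tag, s, e = _read_tlv(der, pos)               # notAfter
    not_after = _decode_time(tag, der[s:e])
    return sig_oid, not_before, not_after


def audit(der, issuer_is_legacy_symantec=False):
    """List the findings for one certificate; an empty list means it passes."""
    sig_oid, not_before, not_after = parse_cert(der)
    findings = []
    if sig_oid in SHA1_SIG_OIDS:
        findings.append("signed with %s: untrusted by browsers since January 2017"
                        % SHA1_SIG_OIDS[sig_oid])
    days = (not_after - not_before).days
    if days > MAX_VALIDITY_DAYS:
        findings.append("validity of %d days exceeds the %d-day cap" % (days, MAX_VALIDITY_DAYS))
    if issuer_is_legacy_symantec:                 # caller decided this from the chain
        if not_before < SYMANTEC_OLD_CUTOFF:
            findings.append("legacy Symantec cert issued before 2016-06-01: distrusted by Chrome 66 (%s)"
                            % CHROME66_STABLE.date())
        else:
            findings.append("legacy Symantec cert: distrusted by Chrome 70 (%s)" % CHROME70_STABLE.date())
    return findings


# --- constructed sample input (not a real certificate) -----------------------
def _tlv(tag, body):
    """Minimal DER TLV encoder for bodies shorter than 65536 bytes."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_cert(sig_oid, not_before, not_after):
    """Unsigned certificate skeleton with empty names, a dummy key and a dummy signature."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + _tlv(0x30, b"")
               + _tlv(0x30, utc(not_before) + utc(not_after)) + _tlv(0x30, b"")
               + _tlv(0x30, alg + _tlv(0x03, b"\x00")))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


LEGACY_CERT = build_sample_cert("1.2.840.113549.1.1.5",          # three-year SHA-1 cert
                                datetime(2015, 3, 1, tzinfo=UTC), datetime(2018, 3, 1, tzinfo=UTC))
MODERN_CERT = build_sample_cert("1.2.840.113549.1.1.11",         # two-year SHA-256 cert
                                datetime(2017, 6, 1, tzinfo=UTC), datetime(2019, 6, 1, tzinfo=UTC))

if __name__ == "__main__":
    for name, der, legacy in (("legacy", LEGACY_CERT, True), ("modern", MODERN_CERT, False)):
        print(name, audit(der, issuer_is_legacy_symantec=legacy) or ["no findings"])
```

To run this against a live server instead of the constructed samples, fetch the leaf with `ssl.get_server_certificate((host, 443))` and convert it with `ssl.PEM_cert_to_DER_cert` before calling `audit`; deciding whether the issuer is the legacy Symantec infrastructure still requires looking at the chain, which is why that is a caller-supplied flag here. The parser reads the signature field inside tbsCertificate, which a conforming certificate must keep identical to the outer signatureAlgorithm, and the two-digit UTCTime years are interpreted by `strptime`'s pivot, which agrees with RFC 5280 for every year in the range these checks care about.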
Comodo Sells Certificate Business
Long rumored to be for sale, Comodo sold its certificate business to the private equity firm Francisco Partners on October 31, 2017. Terms of the deal were not disclosed. Comodo had built a leading market share in SSL Certificates over the last few years, and the opening created by the Symantec situation was a driving factor in Francisco Partners' decision to buy. For now, the new independent business unit will operate under the Comodo brand, with changes to come in 2018. More to come here…
WoSign/StartCom No More
Over a year ago, Google and Mozilla launched an investigation into the certificate issuance practices of WoSign. What it uncovered was a history of bad practices by WoSign and its subsidiary, StartCom. Because neither CA was maintaining the expected standards, Google announced in July that Chrome would begin distrusting their certificates.
Then, just a few weeks ago on November 17, 2017, it was announced that StartCom was going out of business. StartCom and WoSign certificates are now untrusted by the big browser vendors, including Mozilla, Apple, Google and Microsoft.
Comodo and Let’s Encrypt Go Phishing
The concept of Let's Encrypt's free SSL Certificate service and the movement to encrypt everything raised market awareness for every CA. It also made every CA a little nervous, and some, like Comodo, began offering free Domain Validated (DV) certificates as well. The problem is that a DV certificate only proves control of a domain name, not who is behind it, and free, automated issuance makes it that much easier for a malicious site to obtain one and show visitors the padlock that many still read as "this site is safe". As a result, both Comodo and Let's Encrypt issued thousands of certificates to phishing sites, as evident in the report from Netcraft and the graphic that accompanied this post.
[Figure] Certificates issued by publicly-trusted CAs that have been used on phishing sites. An interactive, updating version of this graph can be found on Netcraft's Phishiest Certificate Authorities page.
What a Year!
So, what will 2018 bring? More fireworks? I guess we'll have to wait and see. I'm sure it will be interesting, as there are still a lot of questions to be answered about the two major acquisitions. What I do know for sure is that GlobalSign will be entering its 22nd year in business as a global CA. In fact, we are the industry's longest standing CA, and we continue to innovate to address enterprise and IoT security needs. If you have any predictions on what will happen next year, I'd love to see your comments. Have a great rest of 2017!