Discussion in 'Business & Enterprise Computing' started by NSanity, Mar 24, 2017.
What will good guy Google do now?
DigiCert to acquire Symantec's Website Security business
That is one way around the problem, change business name.
I suspect they will let the Symantec CA die a quiet death and migrate all customers to the DigiCert CA. To me this is more of a middle finger to Google than anything else.
I don't see it this way.
Symantec were incompetent, they deserved everything Google did to them and I'm glad Google were willing to stand up for end users and their security and give Symantec a good kicking. Google will be glad they're gone and happy to have those users of Symantec certs now on a much more competent cert provider.
Agreed. Looks to me like it's been taken over by someone who has a clue. Win win.
Let's Encrypt won this war. It's done. Symantec is just shedding dead weight.
Speaking of which, does anybody use the new DNS CAA security for matching CAs to your cert?
I must admit I did have to look it up to see wtf it was.
Yes, we exclusively use one CA, so we only had to add 2 records to our zone.
This site makes it easy:
I don't understand why DigiCert would do this.
Spend tree fiddy on some marketing and run a few specials, and you'd pick up the majority of the customer base looking to jump ship.
Why spend 1 Beelliiion dollarydoos to do it?
Because if your org is like ours, marketing manage the SSL certs and have NFI what any of it means.
They can be convinced by some shiny lights.
The only thing Symantec as a CA has that is worth anything is their customers, and once they were de-listed, that would be up for grabs anyway.
How much did it cost them?
All true. But buying a company gets you (at least initially) all of the customers. Marketing to them may only get you a very small fraction.
As NSanity said above, there's likely to be a lot of people who just jump to Let's Encrypt instead.
Human laziness is a wonderful thing. There's a lot of businesses that will just keep paying the "renew" bill every year because it's easy. Hell, I'm guilty of this. Our SSL provider is a pain in the arse, but I've had to renew it twice since I've started here, and CBF changing for the pain it'll cause me directly.
More likely they let the IT people go and that's what was there when they left. IT slowly rots when most of these MSPs take over and anything that's on a renewal rarely gets looked at/given a shit about.
For Linux-based stuff, certbot is literally the easiest thing in the world to script.
For Windows - it's a bit of a fuck around depending on what you're using the certs for, but ultimately you can PowerShell the lot.
Apart from what everyone else has said, there are also (apparently) large customers of Symantec's who can't move CA because they've pinned a Symantec root certificate in the firmware of devices they've sold. If the web service those devices are trying to contact doesn't have a cert issued by a particular (Symantec) root, the devices don't work.
Basically, they've purchased a lot of customers who will pay lots of money to have things continue to work, because updating the firmware of hundreds of thousands, or millions of devices in the control of customers isn't an option.
cue elvis' violin in
I'm not defending those practices. I'm just saying that clearly Symantec has been profiting from (what we would consider) mistakes made years ago by their customers, and now DigiCert will be able to.
We've got a wildcard cert going to a HAProxy box that in turn sits in front of everything. I'd have to change that into a dozen or more certbot entries.
I'd rather put that same effort into getting every single one of those services out of my network, and certbotting them out on Amazon or whatever.
That's on top of my 92 open tasks today.
Whinge, moan, etc.
Wildcards will be here in Jan