Symantec 2017
Too Big to Fail?
One-third of the internet's certificates. Years of compliance failures. A $950M fire sale.

Quick Facts
| Item | Detail |
|---|---|
| CA | Symantec (+ VeriSign, Thawte, GeoTrust, RapidSSL) |
| Year | 2015-2017 |
| Problem Type | Partner oversight failures, mis-issuance at scale |
| Market Share | ~30% of all HTTPS certificates |
| Problematic Certificates | 30,000+ mis-issued certificates |
| Time to Full Distrust | ~3 years (gradual process) |
| Outcome | Sold to DigiCert for ~$950M |
| The Lesson | No CA is "too big to fail." Size doesn't equal competence. |
The 30-Second Version
The Scale
This wasn't a small CA. Symantec's certificate business included:
| Brand | Market Position |
|---|---|
| Symantec | The parent brand |
| VeriSign | The original internet CA |
| Thawte | Major commercial CA |
| GeoTrust | Enterprise-focused |
| RapidSSL | Budget option |
| Equifax | Legacy brand |
~30% of all HTTPS certificates on the internet
"Norton Secured": if you saw this seal, that was Symantec
The 2015 Incident: Test Certificates Gone Wrong
September 2015
Google's Certificate Transparency logs caught something alarming.
Symantec's Thawte brand had issued Extended Validation (EV) certificates for domains Symantec didn't own - including google.com and www.google.com.
Symantec's Response
- "They were just test certificates"
- "They were never used in the wild"
- "It was only a few"
The Reality
- 187 test certificates for domains Symantec didn't own
- 2,458 certificates for unregistered domains
- EV: the highest trust level, issued with no validation
Google's Response
Required Symantec to submit ALL certificates to Certificate Transparency logs starting June 2016.
This should have been the end of the story. It wasn't.
The 2017 Discovery: 30,000 More Problems
January 2017
Security researcher Andrew Ayer found more suspicious Symantec certificates in CT logs.
What Google's Investigation Revealed
Symantec had outsourced certificate validation to "Registration Authority" (RA) partners:
- CrossCert (Korea)
- Certisign (Brazil)
- Certsuperior (Mexico)
- Certisur (Argentina)
These partners could issue certificates under Symantec's root - and Symantec wasn't properly auditing them.
The Numbers
- At least 30,000 certificates with validation problems
- Partners issuing EV certificates without EV audits
- Years of improper oversight
- No technical controls preventing partner abuse
Symantec's Defense
"Google's claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued."
Google counted certificates that violated requirements. Symantec only counted the most egregious cases.
The Pattern of Problems
Mozilla compiled 17 distinct issues with Symantec's CA operations:
| Issue | Description |
|---|---|
| Test certificates | EV certs for google.com, etc. |
| RA oversight failures | Partners issuing without proper audits |
| SHA-1 violations | Issued after deprecation date |
| Failed validation | Certs without domain control proof |
| Audit gaps | Missing or invalid audits for sub-CAs |
| Physical security | Records not maintained properly |
| Access control | Unauthorized issuance capability |
| GeoRoot issues | Sub-CAs with compliance problems |
The Core Problem
Symantec was operating a massive certificate business without adequate controls. They'd grown through acquisition (VeriSign, Thawte, GeoTrust) and never properly integrated the security practices.
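Several of the issues in the table above (partners issuing EV certificates without an EV audit, certificates issued without domain-control proof, SHA-1 certificates issued after the deprecation date) are the kind of thing a CA can refuse mechanically before signing, rather than relying on RA partners to behave. The following is an added example of such a pre-issuance gate; it is not Symantec's or DigiCert's code. The RA names, audit dates, validation records and requests are constructed placeholders, and the SHA-1 cutoff used is the CA/Browser Forum Baseline Requirements date of 1 January 2016 (the page itself gives no date).

```python
"""Pre-issuance policy gate for a CA that accepts requests from RA partners.

Added example. Encodes three checks the CA performs itself, regardless of
what the partner claims: (1) an EV certificate requires the submitting RA to
hold a current EV audit, (2) every DNS name needs a domain-control record
held by the CA, (3) SHA-1 signatures are refused on or after the Baseline
Requirements cutoff. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# CA/Browser Forum Baseline Requirements: no new SHA-1 certificates from this date.
SHA1_ISSUANCE_CUTOFF = date(2016, 1, 1)


@dataclass(frozen=True)
class RegistrationAuthority:
    name: str
    ev_audit_valid_until: Optional[date]  # None means never audited for EV


@dataclass(frozen=True)
class CertRequest:
    ra: str                 # name of the submitting RA partner
    names: Tuple[str, ...]  # DNS names requested
    ev: bool                # Extended Validation requested?
    sig_alg: str            # e.g. "sha256WithRSAEncryption"
    requested_on: date


class IssuanceGate:
    def __init__(self, ras: List[RegistrationAuthority], dcv_records: Dict[str, date]):
        self.ras = {ra.name: ra for ra in ras}
        # dcv_records maps a DNS name to the date the CA itself verified control.
        self.dcv = dict(dcv_records)

    def evaluate(self, req: CertRequest) -> List[str]:
        """Return the list of policy violations; an empty list means 'issue'."""
        errors: List[str] = []
        ra = self.ras.get(req.ra)
        if ra is None:
            return [f"unknown RA {req.ra!r}"]
        # Check 1: EV only from partners whose EV audit covers the request date.
        if req.ev and (ra.ev_audit_valid_until is None
                       or ra.ev_audit_valid_until < req.requested_on):
            errors.append(f"RA {ra.name} has no current EV audit")
        # Check 2: the CA must hold its own domain-control proof for each name.
        for name in req.names:
            if name not in self.dcv:
                errors.append(f"no CA-held domain-control record for {name}")
        # Check 3: SHA-1 is refused after the deprecation date.
        if req.sig_alg.lower().startswith("sha1") and req.requested_on >= SHA1_ISSUANCE_CUTOFF:
            errors.append("SHA-1 signature not permitted on or after 2016-01-01")
        return errors


# Constructed placeholder data (not real RAs, audits or validations).
GATE = IssuanceGate(
    ras=[
        RegistrationAuthority("RA-EXAMPLE-A", ev_audit_valid_until=date(2017, 12, 31)),
        RegistrationAuthority("RA-EXAMPLE-B", ev_audit_valid_until=None),
    ],
    dcv_records={"example.com": date(2016, 9, 1)},
)

REQUEST_OK = CertRequest("RA-EXAMPLE-A", ("example.com",), True,
                         "sha256WithRSAEncryption", date(2017, 1, 15))
REQUEST_BAD = CertRequest("RA-EXAMPLE-B", ("example.com", "example.net"), True,
                          "sha1WithRSAEncryption", date(2017, 1, 15))

if __name__ == "__main__":
    for label, req in (("ok", REQUEST_OK), ("bad", REQUEST_BAD)):
        print(label, GATE.evaluate(req) or "ISSUE")
```

The point of the design is that none of the checks consult anything the RA supplies beyond the request itself: the audit status and the domain-control records live with the CA, so a partner cannot talk its way past them.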
The Browser Response: Gradual Distrust
Google had a problem: immediately distrusting Symantec would break one-third of the internet.
The Solution: Phased Distrust
| Chrome Version | Date | Action |
|---|---|---|
| Chrome 66 | April 2018 | Distrust certs issued before June 1, 2016 |
| Chrome 70 | October 2018 | Distrust ALL Symantec infrastructure certs |
Additional Requirements
- Maximum certificate validity reduced to 9 months
- All certificates must be re-validated
- Symantec must rebuild infrastructure under "Managed CA" partnership
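The phased schedule above is a rule any site operator could apply to their own certificate inventory: a certificate chaining to the legacy Symantec infrastructure is rejected from Chrome 66 if it was issued before June 1, 2016, and from Chrome 70 regardless of issuance date, while certificates issued under the same brand names from DigiCert infrastructure are unaffected. The following is an added example of that logic, not Chrome's implementation (Chrome identified the legacy infrastructure by its root keys; here roots are represented by constructed labels) and not anything from Google or DigiCert. The inventory is constructed.

```python
"""Phased-distrust checker for a certificate inventory.

Added example modelled on the Chrome 66 / Chrome 70 schedule on this page.
Root labels and the inventory are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CHROME66_CUTOFF = date(2016, 6, 1)   # Chrome 66 distrusts legacy certs issued before this
CHROME66_DATE = date(2018, 4, 17)    # Chrome 66 release date (from the timeline)
CHROME70_DATE = date(2018, 10, 16)   # Chrome 70 release date (from the timeline)

# Placeholder labels for roots operated by the legacy Symantec infrastructure.
LEGACY_ROOTS = frozenset({
    "LEGACY-ROOT-SYMANTEC", "LEGACY-ROOT-VERISIGN", "LEGACY-ROOT-THAWTE",
    "LEGACY-ROOT-GEOTRUST", "LEGACY-ROOT-RAPIDSSL",
})


@dataclass(frozen=True)
class Cert:
    subject: str      # DNS name the certificate is for
    brand: str        # brand printed on the certificate (irrelevant to trust)
    not_before: date  # issuance date
    root: str         # label of the root the chain terminates in


def distrusted_from(cert: Cert) -> Optional[int]:
    """First Chrome major version that rejects this cert, or None if unaffected."""
    if cert.root not in LEGACY_ROOTS:
        return None                    # DigiCert or any other CA's infrastructure
    if cert.not_before < CHROME66_CUTOFF:
        return 66
    return 70


def migration_status(cert: Cert, today: date) -> str:
    """Human-readable action for one certificate as of `today` (expiry ignored)."""
    version = distrusted_from(cert)
    if version is None:
        return "ok"
    deadline = CHROME66_DATE if version == 66 else CHROME70_DATE
    if today >= deadline:
        return "already distrusted"
    return f"replace before {deadline.isoformat()} (Chrome {version})"


def migration_report(inventory: List[Cert], today: date) -> Dict[str, str]:
    return {cert.subject: migration_status(cert, today) for cert in inventory}


# Constructed inventory: one pre-cutoff legacy cert, one post-cutoff legacy cert,
# and one Symantec-branded cert already issued from DigiCert infrastructure.
INVENTORY = [
    Cert("shop.example", "GeoTrust", date(2015, 11, 3), "LEGACY-ROOT-GEOTRUST"),
    Cert("api.example", "Symantec", date(2017, 3, 20), "LEGACY-ROOT-SYMANTEC"),
    Cert("www.example", "Symantec", date(2018, 1, 10), "DIGICERT-ROOT"),
]

if __name__ == "__main__":
    for subject, status in migration_report(INVENTORY, date(2018, 6, 1)).items():
        print(f"{subject:15} {status}")
```

Note that the brand field plays no part in the decision: what mattered for the distrust was which infrastructure signed the chain, which is why a "Symantec" certificate issued after December 1, 2017 from DigiCert roots passes.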
The Fire Sale
July 2017
Facing the destruction of their certificate business, Symantec made a deal.
DigiCert acquired Symantec's CA business for
~$950 Million
The Arrangement
- DigiCert would operate the Symantec, VeriSign, Thawte, GeoTrust, and RapidSSL brands
- New certificates would be issued from DigiCert infrastructure
- Symantec customers could continue using the brand names
- Old certificates would still need replacement before Chrome 70
Why DigiCert?
DigiCert had a clean reputation and the technical infrastructure to absorb Symantec's massive customer base. They became the world's largest CA overnight.
The Timeline
| Date | Event |
|---|---|
| Sep 2015 | Google discovers test certs for google.com |
| Oct 2015 | Symantec admits to 187 unauthorized test certs |
| Jun 2016 | Symantec required to use Certificate Transparency |
| Jan 2017 | Andrew Ayer finds more suspicious certificates |
| Mar 2017 | Google proposes gradual distrust |
| Mar 2017 | Symantec calls proposal "irresponsible" |
| Apr 2017 | Mozilla identifies 17 issues |
| Jul 2017 | DigiCert acquires Symantec CA for ~$950M |
| Sep 2017 | Google finalizes distrust plan |
| Dec 1, 2017 | DigiCert begins issuing for Symantec brands |
| Apr 17, 2018 | Chrome 66: Distrust pre-June 2016 certs |
| Oct 16, 2018 | Chrome 70: Full distrust of old infrastructure |
Total timeline from first incident to full distrust: ~3 years
The Migration
Replacing one-third of the internet's certificates was a massive undertaking.
Who Had to Act
Every website using a certificate from the Symantec, VeriSign, Thawte, GeoTrust, or RapidSSL brands.
The Options
- Option 1: Get a new certificate from DigiCert (using the Symantec brand), issued from trusted infrastructure
- Option 2: Switch to another CA entirely (Let's Encrypt, Sectigo, GlobalSign, etc.)
The Chaos
Despite over a year of warning:
- Many sites missed the deadline
- Some enterprise systems couldn't be updated quickly
- Legacy hardware (point-of-sale terminals, IoT devices) had problems
- Third-party tools and services broke when their certs weren't replaced
The Lessons
1. Size Doesn't Equal Trust
Symantec was the biggest CA on the internet. They had VeriSign's legacy, Norton's brand recognition, and millions of customers.
None of that protected them when they couldn't follow the rules. Market share doesn't equal competence.
2. Technical Controls Beat Trust
Symantec trusted their RA partners to do the right thing. They didn't have technical controls preventing abuse.
In security, "trust but verify" isn't enough. You need technical enforcement.
3. Acquisition Without Integration Is Dangerous
Symantec grew by buying VeriSign, Thawte, and GeoTrust. But they never properly unified the security practices.
When acquiring CA operations, you inherit their problems. Integration isn't optional.
4. Gradual Distrust Is Possible
Unlike DigiNotar's instant death, Symantec got 18+ months to wind down. This gave customers time to migrate.
For large CAs, browsers may choose gradual distrust - but this isn't guaranteed.
5. The Industry Consolidates
After Symantec's fall: DigiCert became the dominant commercial CA, Let's Encrypt became the dominant free CA, the "middle tier" mostly disappeared.
CA failures accelerate market consolidation.
Symantec vs. Other CA Failures
| | Symantec (2017) | DigiNotar (2011) | WoSign (2016) | Entrust (2024) |
|---|---|---|---|---|
| Root cause | Partner oversight | External breach | Deliberate deception | Compliance refusal |
| Scale | ~30% of internet | Dutch government | Free cert users | Enterprise customers |
| Warning period | 18 months | 3 days | 14 months | 5 months |
| Outcome | Sold to DigiCert | Bankrupt | Shut down | Still operating |
| Human impact | Business disruption | Possible deaths | Business disruption | Business disruption |
What Makes Symantec Different
- Unlike DigiNotar: Not a security breach - internal compliance failures
- Unlike WoSign: Not deliberate deception - just negligence at scale
- Unlike Entrust: Not arguing with the rules - just not following them
Symantec's failure was about scale without oversight. They grew too big and didn't maintain the controls their size demanded.
FAQ
Were Symantec certificates ever used for attacks?
No evidence of malicious use. The certificates were improperly validated, but weren't used for man-in-the-middle attacks or fraud (unlike DigiNotar).
Why did Google give Symantec so much time?
Breaking one-third of the internet overnight would have caused massive collateral damage. The gradual approach balanced security with stability.
Are Symantec-branded certificates safe to use now?
Yes. Since December 2017, "Symantec" certificates are actually issued by DigiCert infrastructure. The brand names continue, but the problematic infrastructure is gone.
What happened to Symantec's other security products?
Symantec (now NortonLifeLock/Gen Digital) continues to sell antivirus and security software. Only the CA business was affected.
Could this happen to DigiCert now?
Any CA could face distrust if they fail to maintain compliance. DigiCert has a strong reputation, but the rules apply to everyone equally.