Earlier this week in a press release, VeriSign said that they are selling their SSL certificate business to Symantec. VeriSign is the dominant player in this market, having absorbed competitor Thawte in 1999, and Geotrust in 2006. Three years ago, when VeriSign decided to divest its non-core businesses, they kept the certificate business. So what's changed?
I don't have any secret insights into VeriSign's plans, but there are two separate reasons that the SSL business will never again be the cash cow that it used to be. One is that it's now clear that there is no hope for stopping the race to the bottom in SSL certificates and prices. When I got my first SSL certificate from Thawte in about 1999, it cost several hundred dollars, I sent them lots of documentation, had lengthy phone calls, and the process took a week or two. The most recent cert I bought, from a Geotrust reseller, cost $12.95, took about 10 minutes, and all they verified was that I could click on a link in an e-mail sent to the postmaster@ the domain of the certificate. The older certificate might have had a better warranty or higher promise of reimbursement for loss, but all I care about is that it makes browsers show a little lock rather than a warning screen, and I expect that's what 99.9% of the other customers want, too.
A couple of years ago the industry invented Extended Validation certificates, the ones that turn the browser address bar green, basically to roll back the process and prices to what they were in the 1990s. VeriSign's EV certificate is $995, but the race to the bottom has been even faster there, with GoDaddy now offering them for $99.99. EV certificates still require some amount of manual document inspection, so nobody's going to make much money at that price.
This sort of price competitive commodity business is exactly the kind that VeriSign does not want to be in. They've always sought out businesses where there are few or preferably no competitors, no price competition, and the structure of the business makes it hard for new entrants. This describes their main remaining business, the domain registry for .COM and .NET.
The final nail in the SSL coffin is DNSSEC, cryptographically signed entries in the DNS itself. DNSSEC has been around the corner for about the past decade, but this year is turning that corner, with DNSSEC signing data now available in .ORG and some smaller domains, and scheduled to be added to the DNS root in July. DNSSEC provides a chain of signatures chaining back to a known trustworthy signer (VeriSign, in fact, at the DNS root), not unlike the way that SSL works. But DNSSEC doesn't have a business model, since it will be included with existing domain registrations as registries and registrars upgrade their systems to handle it. There will be a market for DNSSEC provisioning and management tools, but that's not what VeriSign does except at the very highest end, perhaps selling crypto vaults to other top level domains. The security threats that DNSSEC addresses aren't exactly the same as the ones that SSL certificates do, but they're pretty close. So that's it for VeriSign's SSL business.
The flip side of the coin is why would Symantec want the SSL cert business it if VeriSign doesn't, but that's pretty clear from the press release. It can be an upsell for the retail security products that Symantec already sells, a place where a $15 cert (with a cost of goods probably about 2 cents) could be a nice incremental line of business.
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Neustar DDoS Protection
Neustar DNS Services
Minds + Machines