In a significant move to enhance internet security, Google has announced its plan to block websites using certificates from Entrust in its Chrome browser starting November 1, 2024. The decision follows Entrust’s repeated compliance failures and delays in addressing critical security issues, prompting Google to lose confidence in Entrust as a reliable certificate authority (CA).
Google’s Decision and Rationale
Google’s Chrome security team highlighted the ongoing concerns with Entrust’s performance in a detailed statement. “Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted [certificate authority] owner,” the team noted.
As part of this initiative, Google plans to stop trusting TLS server authentication certificates from Entrust beginning with Chrome 127. While this will be the default behavior, both individual Chrome users and enterprise customers will have the option to override it if necessary.
The Role of Certificate Authorities
Certificate authorities like Entrust play a crucial role in securing encrypted connections between browsers and websites. They are responsible for issuing TLS certificates that verify the authenticity of websites, ensuring users’ data is transmitted securely. Google’s move underscores the importance of trust and reliability in these entities.
Google emphasized that Entrust’s repeated failures to address publicly disclosed incident reports and unmet improvement commitments have posed significant risks to the internet ecosystem. This lack of progress has forced Google to take action to protect users and maintain the integrity of secure internet communications.
Scope of the Blocking Action
The blocking action will be comprehensive, affecting Chrome versions on multiple platforms, including Windows, macOS, ChromeOS, Android, and Linux. However, Chrome for iOS and iPadOS will be exempt from this action due to Apple’s policies, which prevent the Chrome Root Store from being utilized on these devices.
Users attempting to visit websites using certificates issued by Entrust or its subsidiary, AffirmTrust, will encounter an interstitial message warning them that their connection is not secure and private. This warning aims to alert users to potential security risks and encourage them to proceed with caution.
Impact on Website Operators
Website operators using Entrust certificates are advised to transition to a different CA to avoid disruptions. Google has set a deadline of October 31, 2024, for these operators to switch to a publicly-trusted certificate authority. Failure to do so will result in their websites being blocked by Chrome, potentially affecting user trust and website traffic.
Entrust’s client base includes major corporations such as Microsoft, Mastercard, VISA, and VMware. These organizations, along with others using Entrust solutions, will need to ensure they obtain new TLS certificates from alternative, trusted CAs to maintain uninterrupted service.
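For operators who need to find out whether a site is affected, the following added example (not code from Google, Entrust, or the original article) inspects the leaf certificate a server presents and flags issuers named Entrust or AffirmTrust. It uses only the Python standard library; the two sample certificates are constructed in the dict format that `ssl.getpeercert()` returns and are not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# CA names the article says Chrome 127+ will stop trusting (Entrust and its subsidiary AffirmTrust).
DISTRUSTED_ORGS = ("entrust", "affirmtrust")
# Date from which the blocking action applies, per the article.
CHROME_BLOCK_DATE = datetime(2024, 11, 1, tzinfo=timezone.utc)

def issuer_org(cert: dict) -> str:
    """Pull organizationName out of the nested 'issuer' tuples returned by ssl.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def is_distrusted_issuer(cert: dict) -> bool:
    org = issuer_org(cert).lower()
    return any(name in org for name in DISTRUSTED_ORGS)

def assess(cert: dict) -> dict:
    """Summarise whether this leaf certificate must be replaced before the block date."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    # An Entrust/AffirmTrust-issued certificate stops working in Chrome after the block date
    # even if it is still within its validity period, so expiry alone is not the deciding factor.
    action = "replace before %s" % CHROME_BLOCK_DATE.date() if is_distrusted_issuer(cert) else "none"
    return {"issuer": issuer_org(cert), "expires": expires.isoformat(), "action": action}

def fetch_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate a live server presents (network access required)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()  # only the leaf; its issuer field names the issuing CA

# Constructed samples in getpeercert() format: an Entrust-style leaf and one from an unrelated CA.
SAMPLE_ENTRUST = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),)),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
SAMPLE_OTHER = {
    "issuer": ((("organizationName", "Example Trust Services"),),),
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    print(assess(SAMPLE_ENTRUST))
    print(assess(SAMPLE_OTHER))
```

To check a real host, call `assess(fetch_cert("your.host.example"))`; `getpeercert()` only exposes the leaf certificate, so the check relies on the issuing intermediate carrying the CA's organization name.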
Google’s Guidance for Transition
Google has provided clear guidance for website operators to manage this transition smoothly. “While website operators could delay the impact of the blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google stated.
This proactive approach aims to minimize disruption and ensure that website operators have ample time to secure new certificates from trusted sources. By doing so, they can maintain the security and trustworthiness of their websites for users worldwide.
Conclusion
Google’s decision to block Entrust certificates in Chrome is a decisive step towards enhancing internet security and trust. It highlights the critical role of certificate authorities and the need for them to adhere to stringent security standards. As the November 2024 deadline approaches, website operators must take prompt action to transition to alternative, trusted CAs to ensure continued secure and reliable service for their users.
This move by Google serves as a reminder of the ever-evolving landscape of cybersecurity and the ongoing efforts required to safeguard internet users. By prioritizing transparency, accountability, and rigorous security measures, Google aims to create a safer and more trustworthy online environment for everyone.