Google has divulged plans to obstruct websites employing certificates from Entrust starting around November 1, 2024, in its Chrome browser. This decision stems from compliance failures and the certificate authority’s sluggishness in addressing security issues promptly.
“Over the past several years, publicly disclosed incident reports have highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted certificate authority owner,” stated Google’s Chrome security team.
Consequently, the tech colossus announced its intent to cease trusting TLS server authentication certificates from Entrust with Chrome browser versions 127 and higher by default. However, these settings can be overridden by Chrome users and enterprise customers if they wish.
Google emphasized that certificate authorities occupy a privileged and trusted role in ensuring encrypted connections between browsers and websites. Entrust’s inadequate response to publicly disclosed incident reports and unfulfilled improvement commitments endangers the internet ecosystem.
The obstruction is expected to encompass Windows, macOS, ChromeOS, Android, and Linux versions of the browser. The notable exception is Chrome for iOS and iPadOS, due to Apple’s policies that preclude the Chrome Root Store from being used.
As a result, users visiting websites with certificates issued by Entrust or AffirmTrust will encounter an interstitial message warning them that their connection is neither secure nor private.
Affected website operators are urged to transition to a publicly-trusted certificate authority owner by October 31, 2024, to minimize disruption. According to Entrust’s website, its solutions are utilized by Microsoft, Mastercard, VISA, and VMware, among others.
“While website operators could delay the impact of the blocking action by opting to obtain and install a new TLS certificate issued from Entrust before Chrome’s blocking action commences on November 1, 2024, they will ultimately need to acquire and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google remarked.
