Google Cuts Ties with Entrust, Will No Longer Accept Certificates Issued by It
- Google has decided to sever ties with Entrust - a prominent certificate authority.
- Entrust has been accused of a continuing pattern of concerning behavior.
- Google isn't the only one unhappy with Entrust. In May this year, Mozilla published a similar report. However, that matter was resolved after Entrust agreed to work on the feedback.
The Google Chrome Security Team has announced in a blog post that it is cutting ties with Entrust - a prominent certificate authority.
Starting from November 1, 2024, the tech giant will no longer trust digital certificates issued by Entrust. This also includes certificates issued by AffirmTrust, which was acquired in 2016.
The change will be reflected in Chrome browsers from version 127 onwards on Windows, macOS, ChromeOS, Android, and Linux. The only exception to this is ChromeOS for iOS and iPadOS because Apple's policies do not allow Chrome Root Store to be used. These certificates are used by Chrome to verify that the end users of a website are trustworthy.
Here's how this change can affect your experience.
- Now when you visit a website that uses Entrust's certification, you will get a message stating that your connection is not secure.
- However, Google also added that if Chrome and enterprise users want, they can override these settings by choosing to manually trust these certificates.
- In simple terms, it means that even though Google says a certain site is untrustworthy because it uses Entrust's certificates, you, as a user, choose to trust it.
The main impact will be on website operators, who will have to quickly switch to a new certificate authority before November. If they want, they can try to delay the impact by installing a new TLS certificate issued by Entrust before November.
However, they will absolutely have to switch to a new TLS certificate in the long run.
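For operators taking inventory, the check implied above can be scripted. This is an added example, not code from the original article or from Google: it classifies certificates, in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, by issuer organization and issuance date. Assumptions: matching the issuer organization name against "Entrust" and "AffirmTrust" is a heuristic, `notBefore` stands in for the issuance date, and the hostnames and sample certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff date and CA names come from the article; matching on the issuer's
# organization name is a heuristic assumed for this sketch.
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)
AFFECTED_ORGS = ("entrust", "affirmtrust")

def issuer_org(cert):
    """Return organizationName from the issuer field of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert):
    """Classify a getpeercert() dict as 'unaffected', 'grace' or 'distrusted'."""
    org = issuer_org(cert)
    if not any(name in org.lower() for name in AFFECTED_ORGS):
        return "unaffected"
    # notBefore stands in for the issuance date (an assumption of this sketch).
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "grace" if issued < CUTOFF else "distrusted"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of a live host as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def sample_cert(org, not_before):
    """Build a constructed certificate dict in the getpeercert() layout."""
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}

SAMPLES = {  # constructed inventory, not real certificates
    "shop.example": sample_cert("Entrust, Inc.", "Jun  3 00:00:00 2024 GMT"),
    "pay.example": sample_cert("AffirmTrust", "Nov 15 00:00:00 2024 GMT"),
    "blog.example": sample_cert("Example CA LLC", "Dec  1 00:00:00 2024 GMT"),
}

if __name__ == "__main__":
    for host, cert in SAMPLES.items():
        print(f"{host}: issuer={issuer_org(cert)!r} -> {classify(cert)}")
```

To check a live site, pass the result of `fetch_cert("your.host")` to `classify`; hosts reported as `grace` or `distrusted` are the ones to schedule for reissuance from another certificate authority.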
Entrust supports some of the biggest company websites in the world, such as Dell, Mastercard, Ernst & Young, and Chase Bank, as well as some government organizations around the world. So this updated policy is going to leave quite an impact.
Why Is Google Taking Action Against Entrust?
Google is taking action against Entrust because it has been continuing a pattern of concerning behavior over a long period of time. The action has been triggered not only by Google's own investigations but also by a series of incident reports concerning Entrust's incompetence.
"Such frequent reports have eroded confidence in Entrust's competence, reliability, and integrity as a publicly trusted CA owner." - Google
Google isn't the only one having problems with the way Entrust works. Back in May, Mozilla shared similar grievances. The initial response that was submitted by the company was met with harsh feedback from the Mozilla community.
After that, it submitted a detailed report, accepting its mistakes and shortcomings, and shared a detailed outline of steps to explain how it'll fix the issues. Mozilla was happy with that response.
However, Google is in no mood to forgive - its decision is final. And to soften the blow on Entrust, it has given them a long grace period to take the necessary steps.
This also seems to be an effort from Google to prevent hackers from using fake Google Chrome to install payloads across devices.
What Does Entrust Have to Say About Google's Decisions?
Entrust is naturally unhappy with Google's decision. A spokesperson said that being a long-term member of the CA/B Forum community, such a harsh decision was unexpected.
However, the company has assured its public TLS certificate business remains open.
It also assured that all its other services such as code signing, digital signing, private certificate offering, and its Verified Mark Certificates remain unaffected by this change.
The post Google Cuts Ties with Entrust, Will No Longer Accept Certificates Issued by It appeared first on The Tech Report.