Google announced today a significant change to its Chrome browser’s security protocols, revoking trust in digital certificates issued by Entrust and AffirmTrust. This decision stems from the Certificate Authorities’ (CAs) repeated failure to meet security standards, posing potential risks to user data and online safety.
Digital certificates are essential to internet security, acting as the online equivalent of passports for websites. They verify a site’s identity and encrypt data to protect it from prying eyes. However, when a CA fails to uphold rigorous security standards, the certificates they issue can be compromised, potentially leading to data breaches and other cyber threats.
Google’s decision to distrust Entrust and AffirmTrust comes after a pattern of unmet improvement commitments, compliance failures, and slow responses to publicly disclosed security incidents. This move underscores Google’s commitment to maintaining a high level of security for Chrome users.
Starting from October 31, 2024, Chrome users who update to version 127 or later will see warnings when visiting sites secured by certificates issued by Entrust or AffirmTrust. The warnings will highlight that the connection is not trusted, and users will encounter an error message (ERR_CERT_AUTHORITY_INVALID) when attempting to access these sites.
Major websites that currently rely on Entrust include Merrill Lynch, MoneyGram, and Ernst & Young. Google strongly advises these sites and others in a similar situation to switch to a different, publicly trusted CA as soon as possible to avoid disruptions and ensure the continued security of their users’ data.
While this move may seem drastic, it’s not unprecedented. In 2015, Google issued a similar ultimatum to Symantec due to the unauthorized issuance of HTTPS certificates. This latest action reiterates Google’s proactive stance in upholding internet security standards.
Chrome users can easily check the validity of a site’s certificate by clicking on the “lock” icon next to the address bar. If the certificate is issued by Entrust or AffirmTrust, users should exercise caution and consider using an alternative browser or waiting until the site switches to a trusted CA.
For enterprise users, Google will provide an option to continue trusting Entrust certificates, acknowledging that some organizations may have unique security requirements or constraints.
Google’s decision to revoke trust in Entrust and AffirmTrust certificates is a significant development in the ongoing battle for internet security. It serves as a stern warning to CAs to adhere to the highest security standards to maintain the trust of browser vendors and users alike.
