New Chrome Security Rules: Google Gives Websites Until November 1st to Comply With New Certificate Authority Regulations

In a major shift for web security, Google Chrome has announced that as of November 1st, it will no longer trust digital certificates issued by Entrust and AffirmTrust. This decision marks a significant change for the 3.45 billion users of Chrome and raises important questions for businesses and organizations that rely on these certificates for secure web connections. Here’s what you need to know about this change, its implications, and what steps you need to take to ensure your website remains secure and accessible.
Google Announced It Will Revoke Trust in Entrust Digital Certificates
On June 27, Google’s Chrome Security Team made a landmark announcement: it will revoke trust in Transport Layer Security (TLS) certificates issued by Entrust and its subsidiary AffirmTrust. This move is driven by concerns over Entrust’s ability to meet the high standards of security and privacy that Chrome’s users expect. According to the Chrome Root Program Policy, which was last updated in January, certificates must offer more value to users than the risks associated with their inclusion. Google’s decision reflects a lack of confidence in Entrust’s recent handling of publicly disclosed security incidents, which it believes has compromised trust in Entrust as a certificate authority (CA) owner.
Why Is This a Big Deal?
Entrust is one of the world’s most prominent certificate authorities, serving major clients including Chase Bank, Dell, Ernst & Young, Mastercard, and Merrill Lynch, along with numerous government agencies worldwide. The move to revoke trust in Entrust’s certificates affects a vast number of websites and services that rely on these certificates for secure communications. Google’s decision will cause Chrome users to see a “connection not private” warning for any site using a certificate issued by Entrust after October 31, 2023. This could lead to significant disruptions for businesses and organizations that have not prepared for the change.
The Background of the Decision
The announcement comes after Mozilla, the developer behind the Firefox browser, voiced similar concerns about Entrust’s performance. Between March and May of this year, Mozilla raised issues regarding Entrust’s handling of security incidents. This scrutiny led to Entrust’s acknowledgment of its mistakes and a commitment to improve its practices. Despite these efforts, Google determined that the changes were insufficient, as reflected in their June 27 statement. Entrust has expressed disappointment but is committed to providing continuity for its customers and making the necessary adjustments to regain trust in the future.
Entrust’s Response to CA/B Forum and Google’s Recent Decision
In a June 21 posting to the Certification Authority Browser Forum, Entrust’s President of Digital Security Solutions, Bhagwat Swaroop, admitted that some recent security incidents “did not get reported and communicated in the appropriate way with the CA/B Forum.” Swaroop acknowledged that their initial decision not to revoke impacted certificates was “incorrect,” and committed to making “lasting changes, both organizational and cultural, to regain the trust of the root programs and the community.” However, this commitment came too late for Google. An Entrust spokesperson expressed disappointment over the decision but assured that they are working on plans to ensure continuity for their customers. They confirmed that this decision does not affect Entrust’s Verified Mark Certificates, code-signing, or private certificate offerings.
What This Means for Chrome Users
Starting November 1, 2023, any TLS certificates issued by Entrust or AffirmTrust on or before October 31 will no longer be trusted by Chrome 127 and later versions across all major platforms, including Android, ChromeOS, Linux, macOS, and Windows. Users will encounter a “connection not private” warning when trying to visit sites using these certificates, which could deter users from visiting affected websites. However, it’s important to note that users and enterprises can manually trust these certificates through Group Policy Objects on Windows or other explicit trust mechanisms.
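As an added check for site operators (example code written for this page, not something Google or Entrust publishes), the Python script below classifies a server's leaf certificate against the rule described above: it flags certificates whose issuer organization is Entrust or AffirmTrust and whose notBefore date falls after the cutoff the article gives. The cutoff constant, the substring match on the issuer's organizationName and the inspection of only the leaf issuer (not the full chain) are simplifying assumptions, and the sample certificate records in the test are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cutoff date as stated in this article; adjust if the policy date changes (assumption).
CUTOFF = datetime(2023, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Heuristic: match the issuer organizationName against the two CA brands named above.
DISTRUSTED_ORGS = ("Entrust", "AffirmTrust")


def _field(name_seq, key):
    """Return the first value for `key` in a getpeercert()-style name sequence."""
    for rdn in name_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def parse_not_before(text):
    """Convert a getpeercert() date such as 'Nov 15 00:00:00 2023 GMT' to a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def classify(cert, cutoff=CUTOFF):
    """Classify a getpeercert()-style dict.

    Returns 'unaffected' (issuer is not Entrust/AffirmTrust),
    'issued-before-cutoff' (Entrust/AffirmTrust, but issued on or before the cutoff),
    or 'distrusted' (Entrust/AffirmTrust and issued after the cutoff).
    """
    org = _field(cert.get("issuer", ()), "organizationName") or ""
    if not any(name in org for name in DISTRUSTED_ORGS):
        return "unaffected"
    if parse_not_before(cert["notBefore"]) > cutoff:
        return "distrusted"
    return "issued-before-cutoff"


def check_host(host, port=443, cutoff=CUTOFF):
    """Fetch the leaf certificate from a live server and classify it (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return classify(tls.getpeercert(), cutoff)


if __name__ == "__main__":
    import sys
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it as `python check_entrust.py yourdomain.example` (hypothetical file name) to see which of the three outcomes applies to your site's current certificate.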