Google to Block Entrust Certificates in Chrome: What You Need to Know
In a significant move impacting the security landscape of the internet, Google has announced plans to block websites using certificates issued by Entrust starting from around November 1, 2024. This decision, set to take effect in Chrome browser versions 127 and higher, stems from what Google’s Chrome security team describes as compliance failures and concerns regarding Entrust’s handling of security incidents.
Background and Rationale
Certificate authorities (CAs) like Entrust play a crucial role in ensuring secure connections between browsers and websites through TLS (Transport Layer Security) certificates. However, Google’s decision underscores persistent issues and lapses in security incident response by Entrust, which have reportedly eroded trust and confidence in their ability to uphold security standards.
Over recent years, publicly disclosed incident reports have highlighted a pattern of behavior by Entrust that Google deems inadequate for a publicly-trusted certificate authority. These concerns include delays in addressing security vulnerabilities and unmet commitments to improve security practices.
Implications for Users and Website Operators
Upon implementation, users accessing websites secured with Entrust certificates via Chrome browsers will encounter an interstitial warning indicating that the connection is insecure and not private. This move aims to alert users to potential risks associated with such connections, encouraging them to exercise caution.
For website operators currently using Entrust certificates, Google recommends transitioning to certificates issued by other trusted authorities before the November 1 deadline to avoid disruption. This proactive step is crucial to maintaining secure connections for users and mitigating the impact of Google’s blocking action.
Scope and Exceptions
The blocking action is expected to affect Chrome users across various platforms, including Windows, macOS, ChromeOS, Android, and Linux. Notably, Chrome for iOS and iPadOS will not be affected due to Apple’s policies restricting the use of the Chrome Root Store.
Industry Response and Next Steps
Entrust, whose services are utilized by prominent organizations such as Microsoft, Mastercard, VISA, and VMware, among others, faces a critical period to address these concerns and ensure compliance with industry standards. Website operators are urged to act swiftly to migrate to alternative CAs included in the Chrome Root Store to maintain uninterrupted service for their users.
Google’s decision reflects its commitment to safeguarding the internet ecosystem by holding certificate authorities accountable for maintaining robust security practices. As the deadline approaches, stakeholders in cybersecurity and web operations are advised to stay informed and take necessary actions to uphold security standards and ensure uninterrupted access to secure online services.
While Google’s move to block Entrust certificates in Chrome represents a proactive measure to enhance security, it also underscores the evolving challenges and responsibilities faced by certificate authorities in an increasingly interconnected digital landscape. Adherence to stringent security protocols remains paramount in safeguarding user trust and data integrity across the internet.