Chrome to distrust Entrust certificates by November 2024! Learn why some websites might show security warnings & what you, as a user, need to know.
Google Chrome, one of the world’s most popular web browsers, is set to distrust certificates issued by Entrust, a major certificate authority (CA), later this year. This move, announced in June 2024, has significant implications for website security and user trust online.
Why the Distrust?
Google cites a “pattern of concerning behaviours” by Entrust over the past six years. These include failing to meet compliance standards outlined in Google’s Chrome Root Program Policy. This policy ensures that CAs uphold practices that guarantee the security and validity of the certificates they issue.
Specifically, Google points to Entrust’s:
- Compliance failures: Not adhering to industry best practices for CA operations.
- Unmet commitments: Failing to follow through on promises to improve security measures.
- Lack of progress: Not demonstrably addressing vulnerabilities identified in public incident reports.
These issues, according to Google, have eroded confidence in Entrust’s ability to act as a trusted CA.
What Does This Mean for Users?
After the distrust takes effect (around November 1, 2024), websites relying on certificates issued by Entrust after that date will be flagged as insecure in Chrome. Users attempting to access such sites will encounter warnings like “Your connection is not private.” This can significantly impact user trust and discourage them from accessing the website.
What Websites Are Affected?
The impact will depend on how quickly websites transition away from Entrust certificates issued after the cut-off date. Most existing certificates issued by Entrust before the deadline will still be valid and trusted by Chrome. However, websites that haven’t obtained new certificates from a different trusted CA will face security warnings.
What Has Google Said?
Google, through its security blog, emphasizes its commitment to user safety. They believe that distrust is necessary to maintain a high bar for web security. Google also encourages Entrust to address the concerns raised and work towards regaining Chrome’s trust.
Expert Comment
Tim Callan, Chief Experience Officer at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) comments on the latest development highlighting the importance of public trust when it comes to CAs.
“The Entrust news is a sharp reminder of why it is so important for Certificate Authorities (CAs) to take their role as stewards of public trust very seriously. CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them,“ Tim said.
“With a shorter lifecycle timeline of 90 days looming, and the implications of Quantum Computing also on the horizon, things aren’t getting any less complicated. It’s more important than ever that CAs and CLM providers stay at the top of their game and fully comply with CA/Browser Forum rules and baseline requirements,“ he added.
What Should Users Do?
For now, there’s no immediate action required by users. However, it’s important to be aware of the upcoming change. You might encounter security warnings for some websites later this year. In such cases, it’s best to exercise caution and avoid entering sensitive information on those sites until they resolve their certificate issue.
