
New Chrome security rules – Google gives websites until November 1st to comply

Updated, Monday, July 1: This article has been updated to include information about Mozilla’s role in highlighting problems with Entrust.

An announcement from the Google Chrome security team has dropped what can only be described as a security and privacy bombshell for the 3.45 billion users of the Chrome browser. As of November 1, the world’s most used web browser will no longer trust digital certificates issued by Entrust, one of the world’s most used certificate authorities. How widespread are Entrust digital security certificates? Clients include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, not to mention governments around the world.

Google will revoke trust in Entrust digital certificates

Google’s June 27 announcement pulls no punches as it justifies the decision to revoke trust in the transport layer security certificates issued by Entrust and AffirmTrust (acquired by Entrust in 2016) on the grounds of prioritizing the security and privacy of Chrome users, stating that “we are not willing to compromise these values.” This is a serious deal, a very serious deal, as these CAs act as the foundation of the encrypted connections that users rely on between their web browser and the Internet.


Citing the Chrome Root Program policy, last updated in January, Google said such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That’s no longer the case, according to Chrome’s security team, which explains that Entrust’s behavior in responding to publicly disclosed incidents has fallen short of expectations in recent years. Google said this “undermined confidence in their competence, reliability and integrity as a publicly trusted CA owner”.

Mozilla lists Entrust’s errors, prompting a lengthy report in response

Google isn’t the only browser vendor to have problems with Entrust; Mozilla has been very vocal in recent months about incidents with the certificate authority. In fact, complaints from Firefox browser developers about such incidents between March and May led to a lengthy and detailed response from Entrust in a report to the Mozilla community published on June 7.

In the summary of the report, Entrust, a certificate authority for more than two decades, admitted that the incidents were “unnecessary and based on our own errors or misjudgments” and as such did not meet the standards the organization expects of itself. “We have carefully considered the community’s questions and comments, and this input has been reflected in our plans,” the report states. These plans include adding strategic compliance support for the CA/Browser Forum, expanding Entrust’s involvement. Compliance management is to be handled by a “cross-functional change control board” that will review policies and key decisions and fill gaps in change control processes so as to minimize the opportunity for error. Incident response and revocation policies will also be reviewed and clarified, Entrust said.

The June 7 report concluded that “We have identified the necessary resources and have support at the highest levels of our organization to ensure accountability and implementation of these plans.”

Entrust’s response to the CA/B Forum and Google

In a June 21 post on the CA/Browser Forum, Entrust’s president of digital security solutions, Bhagwat Swaroop, said some recent incidents “were not properly reported and communicated with the CA/B forum” and added that “Our initial stance of not revoking the affected certificates was incorrect.” Swaroop went on to say that none of the “lapses” were malicious or made with bad intentions: “As a global CA, we have to walk a tightrope to balance the requirements of the root programs and the needs of the subscribers, especially for critical infrastructure. In some cases, we didn’t get the balance right.” Swaroop pledged that Entrust is committed to making lasting changes, both organizational and cultural, to begin to restore trust with root programs and the community.

Entrust disappointed with the Chrome Root Program decision

This commitment appears to be overdue as far as Google is concerned. An Entrust spokesperson told The Stack that, “The resolution of the Chrome Root program comes as a disappointment to us as a long-time member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to ensure continuity for our customers.”

The Entrust spokesperson also confirmed that the Chrome Root Program decision does not affect its Verified Mark certificates, nor its code signing, digital signing or private certificate offerings.


What this means for Google Chrome users

Although Entrust and AffirmTrust TLS server authentication certificates signed on or before October 31 will continue to be valid until their expiration date, from November 1 Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows will no longer trust newer ones and will block them. Users will see a “connection is not private” warning when trying to connect to any site using a blocked certificate, stating that the site may be trying to steal personal or financial information.

Google recommended that website operators switch to another CA as soon as possible. While Google acknowledged that the impact of the blocking could be delayed by operators installing a new Entrust TLS certificate before the November 1 deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of many other CAs included in the Chrome Root Store.”

It should be noted that according to Google, users will still be able to manually trust root certificates to maintain functionality even after the October 31st cut-off date. “If a Chrome user or enterprise explicitly trusts any of the above certificates on a Chrome platform and version relying on the Chrome Root Store,” Google said, for example when the explicit trust is passed through a Windows Group Policy object, the restrictions “will be revoked and the certificates will function as they do today.”
