Google has announced that it will begin blocking websites that use Entrust certificates in its Chrome browser starting around November 1, 2024, citing compliance violations and the certificate authority’s failure to address security issues in a timely manner.
“Over the past few years, public incident reports have highlighted a concerning pattern of Entrust’s behavior that fails to meet the above expectations and has undermined confidence in the company’s competency, reliability, and integrity as a publicly trusted[certificate authority]owner,” Google’s Chrome security team said.
As such, the tech giant said it will not trust Entrust’s TLS server authentication certificates by default in Chrome browser version 127 and later, although it said Chrome users and enterprise customers will be able to override these settings if they wish.
Google further noted that certificate authorities play a privileged and trusted role in ensuring encrypted connections between browsers and websites, and that Entrust’s lack of progress in publicly disclosing incident reports and unfulfilled promises of improvements pose risks to the internet ecosystem.
The blocking will apply to Windows, macOS, ChromeOS, Android and Linux versions of the browser, with a notable exception being Chrome for iOS and iPadOS due to Apple’s policy of not allowing the use of the Chrome root store.
As a result, users who visit websites that offer certificates issued by Entrust or AffirmTrust see an intermediate message warning them that their connection is not secure or private.
Affected website operators are being urged to transition to a publicly trusted certificate authority holder by October 31, 2024, to minimize disruption. According to Entrust’s website, its solutions are used by Microsoft, Mastercard, VISA, VMware, and others.
“Website operators can delay the impact of the blocking by choosing to collect and install new TLS certificates issued by Entrust before Chrome’s blocking begins on November 1, 2024, but website operators will necessarily need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google said.
