A Certification Authority (CA) issues certificates that help guarantee you’re visiting a legitimate website. Over the years, Chrome has had to distrust some CAs, and the Google browser is about to do that again with certificates from Entrust.
Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.
Google points to a list of “publicly disclosed incident reports” that highlight a “pattern of concerning behaviors by Entrust that fall short of the [Chrome Root Program Policy requirements], and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”
When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome’s continued trust in Entrust is no longer justified.
Chrome 127+ will no longer trust new TLS server authentication certificates from Entrust (or AffirmTrust) on November 1. End users will see a “Your connection is not private” warning (ERR_CERT_AUTHORITY_INVALID) when they attempt to visit such a site:
Several large websites today use Entrust, including: moneygram.com, merrilledge.com, and ey.com. You can check by clicking the “Tune” icon to the left of the URL in the address bar > Connection is secure > Certificate is valid:
- Website owner action not required, if the “Organization (O)” field listed beneath the “Issued By” heading does not contain “Entrust” or “AffirmTrust”.
- Website owner action is required, If the “Organization (O)” field listed beneath the “Issued By” heading contains “Entrust” or “AffirmTrust”.
Google’s recommendation to website owners is to “transition to a new publicly-trusted CA Owner as soon as reasonably possible” before November 1. Meanwhile, other Google products might take similar actions in the future.
Enterprise customers will be given the ability to continue to trust Entrust if they so choose.
More details of Google’s roadmap and a FAQ can be found here.
FTC: We use income earning auto affiliate links. More.
Comments