Google’s Shift in Trust for Digital Certificates: Key Changes Ahead
In a significant update to its security policies, Google has announced it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock. This decision arises from patterns of concerning behavior observed over the last year, raising alarms about compliance and security.
Timeline for the Change
The changes are slated for implementation in Chrome version 139, which is expected to launch in early August 2025. Users of the current major version, Chrome 137, will need to be mindful as these modifications roll out. All Transport Layer Security (TLS) server authentication certificates issued by Chunghwa Telecom and Netlock after July 31, 2025, at 11:59:59 p.m. UTC, will be affected by this policy shift. However, any certificates issued before this cutoff date will remain valid and operational.
Who Are the Affected Certificate Authorities?
Chunghwa Telecom is the largest integrated telecom service provider in Taiwan, while Netlock is a Hungarian company specializing in digital identity solutions, including electronic signatures and authentication. The trust placed in these CAs will be removed due to ongoing compliance failures and insufficient responsiveness to previous incidents, according to the Chrome Security Team.
Reasons for the Trust Withdrawal
Google’s Chrome Root Program pointed out various compliance issues, lack of measurable progress on concerns raised in earlier public disclosures, and an overall pattern that warranted a loss of public trust. The Chrome Security Team stated that the inherent risk posed by CAs that cannot ensure reliability and compliance justifies this significant change in policy.
Implications for Users
For Chrome users operating on various platforms such as Windows, macOS, ChromeOS, Android, and Linux, visiting sites that have certificates issued by Chunghwa Telecom or Netlock after the deadline will result in a full-screen security warning. This could deter users from accessing such sites, thereby impacting businesses relying on these certificates.
Recommendations for Website Operators
Website administrators who leverage the digital certificates from these soon-to-be-untrusted CAs are strongly encouraged to check the status of their certificates using the Chrome Certificate Viewer. Transitioning to a new, publicly trusted CA should be prioritized to ensure ongoing accessibility and user trust.
Solutions for Enterprises
For larger organizations, there is a workaround. Enterprise users can override the constraints set by the Chrome Root Store by installing the relevant root CA certificate as a locally trusted root on their systems. Nevertheless, this bypass can present challenges, especially regarding maintaining security standards across various platforms.
Broader Context in Certificate Trust
This announcement comes in the wake of similar trust retractions involving root CA certificates signed by Entrust, which Google, Apple, and Mozilla decided to disavow starting in November 2024. Entrust subsequently divested its certificate business to Sectigo, highlighting ongoing scrutiny in the realm of certificate authorities.
In March, Google also introduced new practices that the CA/Browser Forum adopted, including Multi-Perspective Issuance Corroboration (MPIC) and stricter controls in validating domain ownership. These enhancements aim to improve domain control validation and address security loopholes in X.509 certificates.
As these changes unfold, both users and website operators must stay informed to navigate the evolving landscape of web security effectively. Awareness of the implications and proactive measures is essential for maintaining a safe online environment.
