Google Chrome Will No Longer Trust Two Certificate Authorities Due to Compliance Issues


Google’s Shift in Trust for Digital Certificates: Key Changes Ahead

In a significant update to its security policies, Google has announced it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock. This decision arises from patterns of concerning behavior observed over the last year, raising alarms about compliance and security.

Timeline for the Change

The changes are slated for implementation in Chrome version 139, which is expected to launch in early August 2025. Users of the current major version, Chrome 137, will need to be mindful as these modifications roll out. All Transport Layer Security (TLS) server authentication certificates issued by Chunghwa Telecom and Netlock after July 31, 2025, at 11:59:59 p.m. UTC, will be affected by this policy shift. However, any certificates issued before this cutoff date will remain valid and operational.

Who Are the Affected Certificate Authorities?

Chunghwa Telecom is the largest integrated telecom service provider in Taiwan, while Netlock is a Hungarian company specializing in digital identity solutions, including electronic signatures and authentication. The trust placed in these CAs will be removed due to ongoing compliance failures and insufficient responsiveness to previous incidents, according to the Chrome Security Team.

Reasons for the Trust Withdrawal

Google’s Chrome Root Program pointed out various compliance issues, lack of measurable progress on concerns raised in earlier public disclosures, and an overall pattern that warranted a loss of public trust. The Chrome Security Team stated that the inherent risk posed by CAs that cannot ensure reliability and compliance justifies this significant change in policy.

Implications for Users

For Chrome users operating on various platforms such as Windows, macOS, ChromeOS, Android, and Linux, visiting sites that have certificates issued by Chunghwa Telecom or Netlock after the deadline will result in a full-screen security warning. This could deter users from accessing such sites, thereby impacting businesses relying on these certificates.

Recommendations for Website Operators

Website administrators who leverage the digital certificates from these soon-to-be-untrusted CAs are strongly encouraged to check the status of their certificates using the Chrome Certificate Viewer. Transitioning to a new, publicly trusted CA should be prioritized to ensure ongoing accessibility and user trust.
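As an added illustration (not code from the article or from Google), the following Python applies the announcement's rule to a certificate in the layout returned by `ssl.getpeercert()`: issued by one of the named CAs and with a notBefore after July 31, 2025, 23:59:59 UTC. The organization-name markers and the sample certificates are assumptions constructed for the example; Chrome's actual constraint is keyed to the specific roots in the Chrome Root Store, so the Chrome Certificate Viewer remains the authoritative check.

```python
"""Pre-check a certificate against the Chrome 139 cutoff for Chunghwa Telecom
and NetLock issued certificates (notBefore after 2025-07-31 23:59:59 UTC)."""
import ssl
from datetime import datetime, timezone

# Cutoff from the announcement; a notBefore strictly after this is affected.
CUTOFF_EPOCH = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp()

# Assumed substrings of the affected CAs' organizationName (not from the page);
# the real constraint targets specific roots, and getpeercert() only exposes
# the leaf's direct issuer, so this is a pre-check, not a trust decision.
AFFECTED_CA_MARKERS = ("chunghwa telecom", "netlock")


def issuer_organization(cert):
    """Return organizationName from a getpeercert()-style issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return ""


def issued_by_affected_ca(cert):
    org = issuer_organization(cert).lower()
    return any(marker in org for marker in AFFECTED_CA_MARKERS)


def issued_after_cutoff(cert):
    # cert_time_to_seconds parses "Jul 31 23:59:59 2025 GMT" as UTC, so the
    # comparison is not skewed by the local timezone.
    return ssl.cert_time_to_seconds(cert["notBefore"]) > CUTOFF_EPOCH


def chrome139_will_warn(cert):
    """True if Chrome 139+ is expected to block this certificate."""
    return issued_by_affected_ca(cert) and issued_after_cutoff(cert)


def make_cert(org, not_before):  # constructed sample in getpeercert() layout
    return {"issuer": ((("countryName", "TW"),), (("organizationName", org),)),
            "subject": ((("commonName", "example.test"),),),
            "notBefore": not_before, "notAfter": "Oct 29 23:59:59 2025 GMT"}


SAMPLES = {  # constructed, covering the cutoff boundary and an unrelated CA
    "at_cutoff_cht": make_cert("Chunghwa Telecom Co., Ltd.", "Jul 31 23:59:59 2025 GMT"),
    "after_cutoff_cht": make_cert("Chunghwa Telecom Co., Ltd.", "Aug  1 00:00:00 2025 GMT"),
    "after_cutoff_netlock": make_cert("NetLock Kft.", "Sep 15 08:00:00 2025 GMT"),
    "after_cutoff_other": make_cert("Some Other CA", "Sep 15 08:00:00 2025 GMT"),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name}: warn={chrome139_will_warn(cert)}")
```

For a live host, the same functions can be fed the dictionary returned by `ssl.SSLSocket.getpeercert()` after a normal TLS handshake.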

Solutions for Enterprises

For larger organizations, there is a workaround. Enterprise users can override the constraints set by the Chrome Root Store by installing the relevant root CA certificate as a locally trusted root on their systems. Nevertheless, this bypass can present challenges, especially regarding maintaining security standards across various platforms.

Broader Context in Certificate Trust

This announcement comes in the wake of similar trust retractions involving root CA certificates signed by Entrust, which Google, Apple, and Mozilla decided to disavow starting in November 2024. Entrust subsequently divested its certificate business to Sectigo, highlighting ongoing scrutiny in the realm of certificate authorities.

In March, Google also introduced new practices that the CA/Browser Forum adopted, including Multi-Perspective Issuance Corroboration (MPIC) and stricter controls in validating domain ownership. These enhancements aim to improve domain control validation and address security loopholes in X.509 certificates.

As these changes unfold, both users and website operators must stay informed to navigate the evolving landscape of web security effectively. Awareness of the implications and proactive measures is essential for maintaining a safe online environment.
