Google’s recent announcement about ceasing to trust certifications from Entrust, a well-known certificate authority, has sent shockwaves through the tech industry. This decision, which will take effect from November 1, 2024, will impact Chrome browsers starting from version 127 onwards. The reason behind this move is Google’s concern over Entrust’s failure to comply with industry standards and address security issues adequately.
In recent years, there have been several incident reports that have raised serious doubts about Entrust’s ability to act as a reliable certificate authority. These reports have shed light on concerning behaviors and highlighted compliance failures, which have eroded confidence in the company’s competence, reliability, and integrity. It is important to note that Google is not the only company expressing dissatisfaction with Entrust, as Mozilla has also documented its own concerns about the certificate authority.
Beginning November 1, TLS server authentication certificates validated to Entrust or AffirmTrust roots will no longer be trusted by default in Chrome browsers. However, users will still have the option to manually trust these certificates if they wish to maintain existing functionalities, albeit with an implied risk. There is also a deadline for website operators currently using Entrust certificates to transition to a new certificate authority before the November cutoff to avoid any disruptions.
The Chrome Security Team has expressed disappointment over Entrust’s lack of improvement commitments and tangible progress in response to publicly disclosed incident reports over the past six years. This further emphasizes the seriousness of the issue and underscores the need for action. The change will be implemented in Chrome 127 on Windows, macOS, ChromeOS, Android, and Linux, while Apple’s policies prevent the Chrome Certificate Verifier and corresponding Chrome Root Store from being used on Chrome for iOS.
A spokesperson from Entrust commented on Google’s decision, expressing disappointment and assuring customers that they are working on providing continuity in their TLS certificate services. However, this move by Google raises questions about the future of Entrust and its position in the market. Trust is crucial in the certificate authority industry because organizations rely on these authorities to verify the authenticity of websites and secure their online communications.
This incident serves as a reminder of the importance of maintaining high standards and compliance in the tech industry. Security and reliability are paramount factors when it comes to certificates, as they provide the foundation for secure online transactions and communication. If certificate authorities fail to meet these expectations, it not only undermines the trust of users but also poses significant risks to cybersecurity.
The actions taken by Google and Mozilla showcase a larger trend in the industry where companies are becoming more proactive in addressing security concerns. There is a growing recognition that relying on outdated or compromised certificates can have serious consequences. This incident will likely prompt other tech giants and organizations to reassess their relationships with certificate authorities and the measures they take to ensure the security and integrity of their products.
In conclusion, Google’s decision to cease trusting certifications from Entrust reflects a significant shift in the industry’s approach to security and compliance. As users become more aware of the potential risks associated with compromised certificates, the need for reliable and trustworthy certificate authorities becomes paramount. This incident serves as a wake-up call to the tech industry, reminding us all of the importance of maintaining high standards and proactively addressing security concerns. Only by doing so can we ensure a safer and more secure online environment for everyone.
Source link
