New Chrome Security Rules—Google Gives Websites Until 11/1 To Comply
Updated, Monday, July 1: This article has been updated to include information regarding Mozilla’s role in highlighting issues with Entrust.
An announcement from the Google Chrome Security Team has dropped what can only be described as a security and privacy bombshell for the 3.45 billion users of the Chrome browser. From November 1, the world’s most-used web browser will no longer trust digital certificates issued by Entrust, one of the world’s most-used certificate authorities. How widespread are Entrust digital security certificates? Customers include Chase Bank, Dell, Ernst & Young, Mastercard, and Merrill Lynch, not to mention governments worldwide.
Google To Revoke Trust In Entrust Digital Certificates
The June 27 announcement by Google pulls no punches as it justifies the decision to revoke Transport Layer Security certificates issued by Entrust and AffirmTrust, acquired by Entrust in 2016, on the grounds of prioritizing the security and privacy of Chrome’s users, stating “we are unwilling to compromise on these values.” This is a serious deal, a very serious deal, as these certificate authorities act as the foundation of the encrypted connections that users rely upon between their web browser and the internet.
Referring to the Chrome Root Program Policy, last updated in January, Google said that such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which explains that, across recent years, the behavior of Entrust in responding to publicly disclosed incidents has fallen short of its expectations. Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”
Mozilla Lists Entrust Bugs, Leads To Lengthy Report In Response
Google isn’t the only browser business to have problems with Entrust; Mozilla has been very vocal in recent months regarding incidents with the certificate authority. Indeed, it was the Firefox browser developer’s complaints about such incidents between March and May that led to a lengthy and detailed response from Entrust by way of a report to the Mozilla community published on June 7.
In the report’s executive summary, Entrust, a certificate authority for more than two decades, admitted that the incidents were “unnecessary and based on our own mistakes or misjudgments” and, as such, fell short of the standards the organization expected of itself. “We have thoughtfully considered the community’s questions and comments, and this input is reflected in our plans,” the report stated. Those plans included adding strategic compliance support with the CA/Browser Forum and broadening Entrust’s participation in it. Compliance governance was to be addressed by way of a “cross-functional change control board” that would review policies and key decisions, as well as by filling the gaps in change control processes so as to minimize the opportunity for errors. Incident response and revocation policies would also be reviewed and clarified, Entrust stated.
The June 7 report concluded that “We have identified the necessary resources and have support at the highest levels of our organization to ensure accountability and execution on these plans.”
The Entrust Response To The CA/B Forum And Google
In a June 21 posting to the Certification Authority Browser Forum, Entrust president of digital security solutions, Bhagwat Swaroop, stated that some recent incidents “did not get reported and communicated in the appropriate way with the CA/B forum,” and added that “Our initial stance of not revoking the impacted certificates was incorrect.” Swaroop went on to state that none of the “lapses” were malicious or made with ill-intent: “As a global CA we must walk a tightrope in balancing the requirements of the root programs and subscriber needs, especially for critical infrastructure. In some cases, we did not strike the right balance.” Swaroop promised that Entrust is committed to making lasting changes, both organizational and cultural, to begin to regain the trust of the root programs and the community.
Entrust Disappointed With The Google Chrome Root Program Decision
It appears that this commitment has come too late as far as Google is concerned. An Entrust spokesperson told The Stack that “The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers.”
The Entrust spokesperson also confirmed that the decision by the Chrome Root Program does not affect its Verified Mark Certificates, its code-signing and digital-signing certificates, or its private certificate offerings.
What This Means To Google Chrome Users
Entrust and AffirmTrust TLS server authentication certificates that were signed on or before October 31 will continue to be valid until their expiration date. Effective November 1, however, certificates from these CAs signed after that date will cease to be trusted by Chrome 127 and later on the Android, ChromeOS, Linux, macOS and Windows platforms, and connections using them will be blocked. Users will see a ‘connection not private’ dialog when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information.
Google has recommended that website operators should transition to another CA Owner as soon as possible. Although Google conceded that the impact of blocking certificates could be delayed by operators installing a new Entrust TLS certificate before the November 1 deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”
It should be pointed out that, according to Google, users will still be able to manually trust root certificates in order to maintain functionality even after the October 31 cut-off date. “Should a Chrome user or enterprise explicitly trust any of the above certificates on a platform and version of Chrome relying on the Chrome Root Store,” Google stated, for example where explicit trust is conveyed through a Group Policy Object on Windows, the constraints “will be overridden and certificates will function as they do today.”
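The three rules above (signed on or before the cutoff stays valid until expiry, later certificates are blocked in Chrome 127+ on the listed platforms, and explicit enterprise trust overrides the constraint) are easy to get wrong when auditing a certificate inventory. The following script is an added example, not code from Google, Entrust, or the original article: it encodes those rules as stated here and produces a replacement plan. The year (2024) is not printed on the page and is assumed from the July 1 update and the Chrome 127 reference; the issuer organization strings and the sample inventory are constructed placeholders, and matching on an organization name is a simplification of Chrome’s policy, which keys on specific root certificates.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Dates and version taken from the article; the year is assumed (2024).
CUTOFF = date(2024, 10, 31)                    # signed on/before: valid until expiry
ENFORCEMENT_START = CUTOFF + timedelta(days=1)  # November 1
FIRST_ENFORCING_CHROME = 127
AFFECTED_PLATFORMS = {"Android", "ChromeOS", "Linux", "macOS", "Windows"}

# Assumed issuer organization names. Chrome's real policy lists specific root
# certificates, so this string match is only an approximation for an inventory scan.
DISTRUSTED_ISSUER_ORGS = {"Entrust, Inc.", "AffirmTrust"}


@dataclass(frozen=True)
class CertRecord:
    hostname: str
    issuer_org: str      # O= of the chain's root as recorded by your scanner
    not_before: date
    not_after: date


def chrome_verdict(cert: CertRecord, today: date, chrome_major: int,
                   platform: str, explicit_enterprise_trust: bool = False) -> str:
    """Classify how Chrome treats this certificate on the given day.

    Returns 'expired', 'trusted' or 'blocked'.
    """
    if today > cert.not_after:
        return "expired"
    if cert.issuer_org not in DISTRUSTED_ISSUER_ORGS:
        return "trusted"
    # Explicit trust (e.g. a root pushed by Group Policy on Windows) overrides the constraint.
    if explicit_enterprise_trust:
        return "trusted"
    # Older Chrome releases and other platforms are outside the announced scope.
    if chrome_major < FIRST_ENFORCING_CHROME or platform not in AFFECTED_PLATFORMS:
        return "trusted"
    # Nothing changes before the enforcement date.
    if today < ENFORCEMENT_START:
        return "trusted"
    # Certificates signed on or before the cutoff remain valid until they expire.
    if cert.not_before <= CUTOFF:
        return "trusted"
    return "blocked"


def replacement_deadline(cert: CertRecord) -> Optional[date]:
    """Last day a certificate from a distrusted CA works in enforcing Chrome.

    None means the certificate is unaffected. A certificate signed after the
    cutoff never works, so its deadline is the cutoff itself.
    """
    if cert.issuer_org not in DISTRUSTED_ISSUER_ORGS:
        return None
    if cert.not_before <= CUTOFF:
        return cert.not_after
    return CUTOFF


def plan_replacements(inventory: List[CertRecord],
                      today: date) -> List[Tuple[str, date, int]]:
    """(hostname, deadline, days_left) for every cert that must move to another CA.

    Sorted soonest deadline first; a negative days_left means Chrome already blocks it.
    """
    plan = []
    for cert in inventory:
        deadline = replacement_deadline(cert)
        if deadline is None:
            continue
        plan.append((cert.hostname, deadline, (deadline - today).days))
    plan.sort(key=lambda row: row[1])
    return plan


# Constructed sample inventory: not real hosts or certificates.
SAMPLE_INVENTORY = [
    CertRecord("shop.example", "Entrust, Inc.", date(2024, 6, 1), date(2025, 6, 1)),
    CertRecord("api.example", "AffirmTrust", date(2024, 11, 15), date(2025, 11, 15)),
    CertRecord("www.example", "Other CA LLC", date(2024, 9, 1), date(2025, 9, 1)),
    CertRecord("legacy.example", "Entrust, Inc.", date(2023, 10, 1), date(2024, 10, 1)),
]

if __name__ == "__main__":
    scan_day = date(2024, 12, 1)
    for record in SAMPLE_INVENTORY:
        print(record.hostname, chrome_verdict(record, scan_day, 131, "Windows"))
    for hostname, deadline, days_left in plan_replacements(SAMPLE_INVENTORY, scan_day):
        print(f"{hostname}: replace by {deadline} ({days_left} days left)")
```

The point of `replacement_deadline` is the one the article makes in the last paragraph: a certificate signed before the cutoff buys time, but only until its own expiry, so every host on the list ends up needing a certificate from another CA in the Chrome Root Store. Feed it the issuer and validity dates from whatever inventory tool you already run, and review the negative `days_left` rows first.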