Introduction
In a significant move that underscores the ongoing efforts to enhance online security, Google has announced that starting November 1, 2024, its Chrome browser will no longer trust TLS server authentication certificates issued by Entrust. This decision follows a pattern of concerning behaviors and unresolved security issues associated with Entrust, prompting Google to take decisive action to protect its users.
Background: The Role of TLS Certificates
Transport Layer Security (TLS) certificates are crucial for establishing secure communications over the internet. They ensure that data transmitted between a user’s browser and a website is encrypted and cannot be intercepted or tampered with by malicious actors. Certificate Authorities (CAs) like Entrust are responsible for issuing these certificates, and their integrity is paramount to maintaining trust in online communications.
Google’s Decision: A Response to Security Concerns
Google’s decision to block Entrust certificates was not made lightly. It follows an extensive review of Entrust’s practices and a series of incidents that raised red flags within the cybersecurity community. Some of the key issues identified include:
- Delayed Response to Security Flaws: Entrust has been criticized for not addressing identified security vulnerabilities promptly. This delay poses significant risks to users, as unpatched vulnerabilities can be exploited by attackers to compromise secure communications.
- Non-compliance with Industry Standards: The CA/Browser Forum sets stringent standards for the issuance and management of TLS certificates. Entrust’s failure to consistently adhere to these standards has undermined confidence in their certificates.
- Pattern of Concerning Behaviors: Beyond specific incidents, Entrust has demonstrated a pattern of behaviors that are incompatible with the high standards expected of a trusted CA. This includes inadequate transparency and a lack of proactive measures to ensure the security of their certificates.
Implications for Users and Website Operators
The implications of Google’s decision are far-reaching, affecting both end-users and website operators who rely on Entrust certificates. Key points to consider include:
- End-User Impact:
  - Security Warnings: Starting November 1, 2024, users visiting websites that still use Entrust certificates will encounter security warnings in Chrome, indicating that the connection is not secure. This can deter users from proceeding to these sites, impacting their trust and engagement.
  - Enhanced Security: By blocking certificates from a CA that has demonstrated unreliable practices, Google aims to enhance the overall security of its users, ensuring that they are protected from potential threats stemming from compromised certificates.
- Website Operator Impact:
  - Certificate Replacement: Website operators who currently use Entrust certificates will need to transition to a different CA by October 31, 2024, to avoid disruptions. This involves obtaining new certificates and configuring their servers to use them.
  - Potential Downtime: Failure to switch to a new CA in time could result in websites being marked as insecure, leading to potential downtime and loss of user trust.
Steps for Website Operators: Ensuring a Smooth Transition
To mitigate the impact of this change, website operators should take proactive steps to ensure a smooth transition away from Entrust certificates. Here are some recommended actions:
- Audit Existing Certificates:
  - Conduct an audit of all TLS certificates currently in use to identify those issued by Entrust. This will provide a clear understanding of the scope of the transition required.
- Choose a New Certificate Authority:
  - Research and select a new CA that meets industry standards and has a strong track record of reliability and security. Popular options include Let’s Encrypt, DigiCert, and GlobalSign.
- Obtain and Install New Certificates:
  - Purchase or obtain new certificates from the chosen CA and install them on your servers. This process typically involves generating a Certificate Signing Request (CSR), submitting it to the CA, and then installing the issued certificate.
- Update Server Configurations:
  - Ensure that all server configurations are updated to use the new certificates. This includes updating any load balancers, proxies, or other infrastructure components that handle HTTPS traffic.
- Test the New Configuration:
  - Thoroughly test the new configuration to ensure that the new certificates are working correctly and that there are no disruptions to secure communications. Tools like SSL Labs’ SSL Test can be useful for verifying the configuration.
- Monitor for Issues:
  - After the transition, monitor your servers and user feedback for any issues that may arise. Address any problems promptly to ensure a seamless user experience.
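The audit and test steps above are easy to automate. The Go program below is an added example written for this article, not a tool from Google, Entrust or any CA: AuditPEM walks every CERTIFICATE block in a PEM file (a server's full-chain file, for instance) and flags each certificate whose issuer DN names Entrust, and AuditHost does the same against the chain a live server actually presents after the handshake, which is the useful check once the new certificate is installed behind a load balancer or proxy. Because the match is on the issuer, an intermediate issued under an Entrust root is flagged alongside the leaf it signed. SampleChain generates a throwaway leaf-plus-issuing-CA pair purely so the example runs offline; the organisation names, the hostname www.example.test and the keys are constructed test data, not real Entrust material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is the audit record for one certificate.
type Finding struct {
	Subject  string
	Issuer   string
	NotAfter time.Time
	Entrust  bool // issuer DN names Entrust, so the cert must be replaced
}

// IssuedByEntrust reports whether the issuer's Organization or CommonName
// contains "entrust" (case-insensitive). Matching the issuer, not the subject,
// means an intermediate under an Entrust root is flagged as well as the leaf.
func IssuedByEntrust(c *x509.Certificate) bool {
	for _, n := range append([]string{c.Issuer.CommonName}, c.Issuer.Organization...) {
		if strings.Contains(strings.ToLower(n), "entrust") {
			return true
		}
	}
	return false
}

func record(c *x509.Certificate) Finding {
	return Finding{Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		NotAfter: c.NotAfter, Entrust: IssuedByEntrust(c)}
}

// AuditPEM parses every CERTIFICATE block in pemData and returns one Finding
// per certificate, in file order. Non-certificate blocks (keys) are skipped.
func AuditPEM(pemData []byte) ([]Finding, error) {
	var out []Finding
	rest := pemData
	for {
		block, r := pem.Decode(rest)
		if block == nil {
			break
		}
		rest = r
		if block.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		out = append(out, record(c))
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return out, nil
}

// AuditHost handshakes with addr ("host:443") and audits the chain the server
// really sends, leaf first. Needs network access, so it is not run offline.
func AuditHost(addr string) ([]Finding, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	var out []Finding
	for _, c := range conn.ConnectionState().PeerCertificates {
		out = append(out, record(c))
	}
	return out, nil
}

// SampleChain builds a throwaway leaf signed by a freshly generated issuing CA
// whose organisation is caOrg. CONSTRUCTED test data: nothing here is a real
// Entrust key or certificate; it only lets the audit run offline.
func SampleChain(caOrg string) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{caOrg}, CommonName: caOrg + " Test Issuing CA"},
		NotBefore:    now, NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"}, // constructed hostname
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now, NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	chain := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	return append(chain, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
}

func main() {
	findings, err := AuditPEM(SampleChain("Entrust, Inc."))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("replace=%-5v expires=%s subject=%s\n", f.Entrust, f.NotAfter.Format("2006-01-02"), f.Subject)
	}
}
```

To audit a real estate, replace the call to SampleChain with the bytes of each deployed chain file, or call AuditHost against every public hostname and load-balancer VIP; anything with Entrust set is a certificate to replace before the October 31, 2024 deadline, and running AuditHost again after the swap confirms the new chain is the one actually being served.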
Chrome for iOS and iPadOS: An Exception to the Rule
Interestingly, the block on Entrust certificates will not extend to Chrome on iOS and iPadOS. This exception is due to Apple’s policies, which manage certificate trust independently of Google. Therefore, users on these platforms will not experience the same security warnings, although it is still advisable for website operators to ensure uniform security standards across all platforms.
Conclusion: A Step Towards Enhanced Security
Google’s decision to block Entrust certificates in Chrome highlights the ongoing efforts to uphold high security standards on the internet. While this move will require significant effort from website operators, it is a necessary step to ensure the integrity of secure communications. By taking proactive measures to transition to a trusted CA, website operators can maintain user trust and continue to provide secure online experiences.
In an era where cyber threats are increasingly sophisticated, maintaining stringent security standards is crucial. Google’s action serves as a reminder to all stakeholders in the digital ecosystem to prioritize security and adhere to best practices to protect users and data.