Ddos 
In a decisive move to uphold the integrity and trustworthiness of encrypted web communications, Google has announced that Chrome will begin distrusting TLS certificates issued by Chunghwa Telecom and NetLock starting August 1, 2025. This action follows a documented pattern of compliance issues and lack of improvement from both Certification Authorities (CAs).
“Chrome’s confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year,” the official Chrome Root Program blog explains. “These patterns represent a loss of integrity and fall short of expectations.”
CAs serve a critical role in maintaining the trustworthiness of the internet. When trust is broken through repeated compliance failures and unmet improvement promises, browsers must act.
“We have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress,” Google stated. “When these factors are considered in aggregate… continued public trust is no longer justified.”
Beginning with Chrome version 139, the browser will stop trusting new TLS server authentication certificates that chain to the following root CAs, if the earliest Signed Certificate Timestamp (SCT) is after July 31, 2025:
- OU=ePKI Root Certification Authority, O=Chunghwa Telecom Co., Ltd., C=TW
- CN=HiPKI Root CA – G1, O=Chunghwa Telecom Co., Ltd., C=TW
- CN=NetLock Arany (Class Gold) Főtanúsítvány, O=NetLock Kft., C=HU
Chrome users attempting to visit websites using affected certificates issued after July 31, 2025, will encounter full-page security warnings, blocking access by default.
This change impacts Chrome on Windows, macOS, ChromeOS, Android, and Linux. Chrome for iOS is unaffected, as it relies on Apple’s root store.
Website operators can use Chrome’s built-in certificate viewer:
- Visit your site.
- Click the lock icon > “Connection is Secure”.
- Click “Certificate is Valid”.
- Under “Issued By”, look for:
- “Chunghwa Telecom”
- “行政院”
- “NETLOCK Ltd.”
- “NETLOCK Kft.”
If found, action is required. Google advises switching to a different publicly-trusted CA before existing certificates expire.
“Website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”
Enterprises using affected certs internally can override Chrome’s distrust mechanism by manually adding the root CA to the trusted store on their platform (e.g., Microsoft Certificate Store). This is supported starting from Chrome 127.
Admins and developers can simulate the impact using the following Chrome command-line flag (from version 128+):
Google encourages early testing and migration to avoid disruption.
As of now, this policy change only applies to Chrome. Google notes: “Other Google product team updates may be made available in the future.”
Donate