Google to Drop Entrust Certificates from Chrome Starting November 2024
In a significant move that underscores the critical nature of digital security, Google has announced that, starting November 1, 2024, Chrome 127 and all subsequent versions will no longer trust newly issued digital certificates from the American software company Entrust and its affiliate, AffirmTrust. This decision, which the Mozilla Foundation is also weighing for Firefox, marks a pivotal shift in the landscape of internet security and certificate trustworthiness.
Founded in 1994, Entrust has long been a stalwart in the digital certification domain. However, despite its extensive history, recent years have seen a decline in the industry’s confidence in Entrust’s ability to uphold stringent security standards. Google’s announcement does not delve into specific reasons but refers to multiple ongoing issues with Entrust’s certificates, as discussed in detail on Mozilla’s Bugzilla platform.
While there is no confirmed timeline for when Firefox will follow suit, the conversation around deprecating Entrust certificates has been a persistent theme within Mozilla. Given this context, it seems highly probable that Firefox will mirror Chrome’s stance shortly.
It is crucial to note that both Chrome and Firefox will maintain trust in certificates issued before the November 1 deadline. After this date, however, any new certificates from Entrust will be rejected as untrusted, and users attempting to access sites with these certificates will encounter a warning indicating that their connection is not private, accompanied by the error code ERR_CERT_AUTHORITY_INVALID. In such cases, users can proceed by clicking “Advanced,” but the red exclamation mark in the Chrome address bar will signify an insecure HTTPS connection.
The specific grievances highlighted include non-compliance with Baseline Requirements (BR) standards in Online Certificate Status Protocol (OCSP) responses, the presence of hyphens in the ST field of issued certificates, failures in revoking Organizational Validation (OV) TLS certificates, delayed Certificate Policy Statements (CPS) updates, and the continued use of SHA-1 signed OCSP responses. These cumulative issues, though not malicious in nature, reflect significant lapses in foundational security practices.
“While website operators could delay the impact of blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on November 1, 2024, website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store,” Google said.
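For website operators taking stock of their certificate inventory against the cut-off described above, the following added example (not code from Google, Entrust or the original article) parses a DER-encoded X.509 certificate offline with a small hand-written DER walker, pulls out the issuer's organizationName and notBefore, and classifies the certificate the way the article describes Chrome's behaviour. It assumes the certificate's notBefore stands in for the issuance date and that the issuer organization strings are "Entrust, Inc." and "AffirmTrust"; the sample certificates are constructed, unsigned and stripped down to the fields the parser reads.

```python
import datetime as dt

# Cut-off from the article; assumption: notBefore stands in for the issuance date.
DISTRUST_FROM = dt.datetime(2024, 11, 1, tzinfo=dt.timezone.utc)
AFFECTED_ORGS = ("Entrust, Inc.", "AffirmTrust")  # assumed issuer organizationName values
OID_ORG = b"\x55\x04\x0a"  # id-at-organizationName (2.5.4.10)

def _tlv(data, pos=0):  # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _children(value):  # split a constructed DER value into (tag, value) children
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def issuer_org_and_not_before(der):
    """Return (issuer organizationName, notBefore) from a DER X.509 certificate."""
    fields = _children(_children(_children(der)[0][1])[0][1])  # Certificate -> tbsCertificate
    if fields[0][0] == 0xA0:                                  # skip optional [0] version
        fields = fields[1:]
    issuer, validity = fields[2][1], fields[3][1]             # serial, sigAlg, issuer, validity
    org = None
    for _, rdn_set in _children(issuer):                      # SEQUENCE OF SET OF {OID, value}
        for _, atv in _children(rdn_set):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_ORG:
                org = val.decode()
    tag, nb = _children(validity)[0]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return org, dt.datetime.strptime(nb.decode(), fmt).replace(tzinfo=dt.timezone.utc)

def chrome_trust_status(der):  # article's rule: affected CA + issued on/after cut-off
    org, not_before = issuer_org_and_not_before(der)
    return "distrusted" if org in AFFECTED_ORGS and not_before >= DISTRUST_FROM else "trusted"

def _enc(tag, payload):  # tiny DER encoder, only used to build the constructed samples
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

def sample_cert(org, not_before):
    """Constructed, unsigned, stripped-down certificate carrying only the fields read above."""
    name = _enc(0x30, _enc(0x31, _enc(0x30, _enc(0x06, OID_ORG) + _enc(0x0C, org.encode()))))
    validity = _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, b"991231235959Z"))
    sig_alg = _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _enc(0x05, b""))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + sig_alg + name + validity)
    return _enc(0x30, tbs + sig_alg + _enc(0x03, b"\x00"))
```

On a real inventory, feed the DER bytes of each leaf certificate to `chrome_trust_status`; the parser tolerates the extra tbsCertificate fields a real certificate carries because it only indexes the leading ones.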