Saturday

Google Chrome's Entrust Certificate Block: A Deeper Dive with Implications

 


The Breakdown:

  • Google's Distrust: Starting November 1st, 2024, Chrome will stop trusting new TLS server certificates that chain to Entrust's roots, including the AffirmTrust roots that Entrust operates. The rule is date-based: a certificate whose earliest Signed Certificate Timestamp (SCT) is dated after October 31st, 2024 will fail validation in Chrome, while certificates logged on or before that date continue to be trusted until they expire.
  • Why the Distrust?: Google cites a pattern of publicly disclosed compliance incidents, commitments to improve that went unmet, and a lack of measurable progress in response to incident reports. In Google's assessment this eroded confidence in Entrust's competence and reliability as a publicly trusted CA, and the risk to Chrome users outweighed the cost of constraining Entrust's roots in the Chrome Root Store.

Technical Implications:

  • Certificate Authorities (CAs): CAs such as Entrust issue the certificates that bind a domain name to a public key. Chrome checks that a site's certificate chains to a root in the Chrome Root Store before it treats the TLS connection as authenticated; a chain ending at a root Chrome does not trust for that certificate fails validation, however strong the encryption.
  • Impact on Websites: Sites that present an Entrust-issued certificate logged after the cutoff will fail certificate validation in Chrome. Users will see Chrome's full-page "Your connection is not private" interstitial instead of the site, and the address bar shows "Not secure" if they click through. The connection is still encrypted, so this is not an immediate compromise, but most users will not proceed past the warning, so traffic and trust suffer. Entrust certificates logged before the cutoff keep working until they expire.

Consequences for Different Parties:

  • Chrome Users: Users visiting a site whose Entrust certificate falls under the distrust will be met with an interstitial warning. They can click through via "Advanced", but many will abandon the site instead, and nothing on the user's side distinguishes this case from a genuinely mis-issued certificate.
  • Website Owners: Any Entrust certificate issued (logged) on or after November 1st, 2024 will not work for Chrome users, so every renewal or new issuance from that date onward must come from a different CA in the Chrome Root Store. Existing Entrust certificates keep working until they expire, which sets the real migration deadline for each host. Mozilla has announced a similar distrust for Firefox, so do not plan around Chrome alone.

Action Plan for Website Owners:

  1. Inventory, then Choose a New Trusted CA: List every host, load balancer, CDN and appliance that serves an Entrust certificate, together with its expiry date. Then pick a CA whose roots are in the Chrome Root Store (DigiCert, Sectigo and Let's Encrypt are common choices); a CA that supports ACME lets you automate future renewals instead of repeating this exercise by hand.
  2. Obtain a New TLS Certificate: Generate a fresh private key and CSR on the server, complete the CA's domain-control validation, and request a server authentication certificate. If the domain publishes CAA records that only permit Entrust to issue, update them first or the new CA will refuse to issue.
  3. Implement the New Certificate: Install the new certificate and its intermediate chain on the server (or upload it to the CDN or load balancer) in place of the Entrust certificate, reload the service, and confirm from outside that the server now sends the complete new chain. Then revoke the old Entrust certificate or simply let it lapse.
  4. Deadline: Complete the switch for any host whose certificate would otherwise be renewed on or after November 1st, 2024, and treat each remaining Entrust certificate's expiry date as its own hard deadline. Finishing before October 31st, 2024 avoids any renewal landing on the wrong side of the cutoff.

Additional Considerations:

  • Chrome Version: The change applies to Chrome 127 and later on Windows, macOS, ChromeOS, Android and Linux, i.e. the versions that use the Chrome Root Store. Older versions continue to trust Entrust certificates, but running an outdated browser to dodge the warning is not a fix. Enterprises that must keep trusting an Entrust root can do so by explicitly trusting it on the platform or through Chrome enterprise policy; Chrome does not apply the SCT constraint to roots a user or administrator has trusted themselves.
  • Chrome for iOS/iPadOS: Chrome on iOS and iPadOS must use Apple's trust store rather than the Chrome Root Store, so it is not affected by this change.
  • Temporary Fix (Not Recommended): Because the rule keys on the certificate's logging date, an Entrust certificate obtained before the cutoff stays trusted until it expires, so renewing with Entrust just before November 1st buys at most one validity period (publicly trusted TLS certificates are limited to 398 days). It postpones the migration rather than avoiding it, and it leaves no room for an emergency reissue after a key compromise, since any replacement issued after the cutoff would be distrusted.
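As an added example (not Google's, Chrome's or Entrust's code, and not part of the original post), here is a small stdlib-only Python inventory helper that applies the date-based rule above to the leaf certificate a server presents, distinguishing the "trusted until expiry" case from the "distrusted" case. It assumes that the issuer's organizationName is a usable proxy for "chains to an Entrust or AffirmTrust root", that notBefore is a stand-in for the earliest SCT, and that the cutoff is the October 31st date; the sample certificates embedded in it are constructed, not real.

```python
"""Inventory helper for Chrome's Entrust distrust rule (added example, not Google's or Entrust's code).

Rule modelled: a TLS server certificate chaining to an Entrust/AffirmTrust root is
distrusted by Chrome 127+ only if its earliest SCT is dated after the cutoff;
certificates logged on or before the cutoff stay trusted until they expire.
Assumptions: the leaf's issuer organizationName is used as a proxy for "chains to
an Entrust root", and notBefore is used as a proxy for the earliest SCT (the SCT is
normally within hours of notBefore; confirm against a CT log for borderline cases).
"""
import socket
import ssl
import sys

# Assumption: the cutoff as announced; kept as a parameter because Google may revise it.
CUTOFF = "Oct 31 23:59:59 2024 GMT"
# Assumption: organizationName values used by Entrust-operated issuing CAs.
ENTRUST_ORGS = {"Entrust, Inc.", "AffirmTrust"}


def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer tuple, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert, cutoff=CUTOFF):
    """Classify a getpeercert()-style dict under the Chrome rule.

    Returns 'unaffected' (not Entrust/AffirmTrust), 'trusted-until-expiry'
    (Entrust-issued, logged on or before the cutoff) or 'distrusted'
    (Entrust-issued, logged after the cutoff).
    """
    if issuer_org(cert) not in ENTRUST_ORGS:
        return "unaffected"
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    if issued > ssl.cert_time_to_seconds(cutoff):
        return "distrusted"
    return "trusted-until-expiry"


def fetch_leaf(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents, parsed by the ssl module.

    Verification stays on: with CERT_NONE getpeercert() returns an empty dict, and a
    chain that already fails local verification is a finding in its own right.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample inputs in the shape ssl.SSLSocket.getpeercert() returns; not real certificates.
SAMPLE_CERTS = {
    "renewed-before-cutoff": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Example Entrust Issuing CA"),)),
        "notBefore": "Jun 12 00:00:00 2024 GMT",
        "notAfter": "Jun 12 23:59:59 2025 GMT",
    },
    "renewed-after-cutoff": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Example Entrust Issuing CA"),)),
        "notBefore": "Nov 15 00:00:00 2024 GMT",
        "notAfter": "Nov 15 23:59:59 2025 GMT",
    },
    "other-ca": {
        "issuer": ((("countryName", "US"),), (("organizationName", "DigiCert Inc"),),
                   (("commonName", "Example DigiCert Issuing CA"),)),
        "notBefore": "Nov 15 00:00:00 2024 GMT",
        "notAfter": "Nov 15 23:59:59 2025 GMT",
    },
}


def demo():
    """Classify the constructed samples; returns {name: verdict}."""
    return {name: classify(cert) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    hosts = sys.argv[1:]
    if not hosts:
        for name, verdict in demo().items():
            print(f"{name}: {verdict}")
    for host in hosts:
        try:
            cert = fetch_leaf(host)
            print(f"{host}: {classify(cert)} (issuer O={issuer_org(cert)!r}, "
                  f"notBefore={cert['notBefore']})")
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: error {exc}")
```

Run it with no arguments to see the constructed samples classified, or with hostnames (`python3 entrust_check.py www.example.com`) to check live servers. The verdict is a screening result, not a final one: the definitive check is whether the served chain ends at one of the listed Entrust or AffirmTrust roots (`openssl s_client -showcerts` shows the chain) and what the embedded SCT timestamps say, and the `cutoff` parameter should track Google's announcement rather than this constant.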

The Takeaway:

The Chrome block on Entrust certificates is a reminder that a site's trust rests on root stores it does not control, and that root-store policy can change with months rather than years of notice. Website owners who know where every certificate is deployed, when it expires and how it is renewed can move to another CA before the deadline without disruption; those who do not will hear about it from their users.
