Google has announced that, in support of web security standards, its Chrome browser will block websites using certificates issued by Entrust, effective November 1, 2024. This decision was made in response to what Google’s Chrome security team describes as persistent compliance failures and inadequate handling of security issues by the certificate authority.
Google’s move follows incidents in recent years which showed that Entrust was not always quick to address security concerns. The tech giant called attention to a pattern of Entrust behavior that it feels erodes trust in the company’s ability to uphold the integrity and dependability expected of a publicly trusted certificate authority.
Starting with Chrome browser versions 127 and higher, TLS server authentication certificates from Entrust will no longer be automatically trusted. Users who visit websites using Entrust certificates will receive an interstitial warning message stating that their connection is not secure and private.
Google highlighted that, while these settings can be changed by users, it encourages affected website operators to switch to certificates issued by other trusted authorities to minimize disruptions. This step is critical because the blocking action will affect Chrome browsers on Windows, macOS, ChromeOS, Android, and Linux platforms.
However, Chrome for iOS and iPadOS will be unaffected due to Apple’s restrictions on using the Chrome Root Store. This exception demonstrates the complexities of maintaining consistent security standards across multiple operating environments.
Google also recommended that website operators who depend on Entrust certificates, including companies such as Microsoft, Mastercard, VISA, and VMware, take prompt action and, before the November 2024 deadline, obtain new certificates from alternative certificate authorities listed in the Chrome Root Store. If they fail to do so, their websites may not be safely accessible in Chrome browsers.
Entrust, whose certificates are used by well-known companies such as Microsoft, Mastercard, VISA, and VMware, among others, has been encouraged to address these issues as soon as possible to minimize disruptions to its clients’ operations.
Overall, Google’s decision highlights the critical role that certificate authorities play in ensuring secure and encrypted online connections. By taking proactive steps to enforce higher security standards, Google hopes to protect the internet ecosystem from potential risks posed by non-compliant practices.
Google also states that website operators should review and update their security certificates to ensure a seamless user experience.