Google Says Websites Must Comply With New Security Rules

Google's Chrome Security Team has issued a security and privacy bombshell to the 3.5 billion users of its Chrome web browser. From November 1, the world’s most-used web browser will no longer trust digital certificates issued by Entrust, one of the world’s most-used certificate authorities.

This decision has far-reaching consequences for businesses that rely upon certification from Entrust. Customers affected include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, as well as numerous government agencies worldwide.

In late June, Google justified the decision to revoke Transport Layer Security certificates issued by Entrust and AffirmTrust, acquired by Entrust in 2016, on the grounds of prioritising the security and privacy of Chrome’s users, stating “we are unwilling to compromise on these values.”

This is a serious issue, because certificate authorities are the foundation of the encrypted connections that users rely upon between their web browser and the Internet.

Citing the Chrome Root Program Policy, updated in January, Google said that such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which explains that the behaviour of Entrust in responding to publicly disclosed incidents has fallen short of its expectations.

Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

Google isn’t the only browser maker to have problems with Entrust. Mozilla has also been critical regarding incidents with the Certification Authority. Indeed, the developers of Mozilla's open source Firefox browser have voiced a list of complaints that led to a lengthy and detailed response from Entrust in a Report to the Mozilla community published in June.

Entrust and AffirmTrust TLS server authentication certificates that were signed on or before October 31 will continue to be valid until their expiration date. With effect from November 1st, certificates signed after that date will cease to be trusted and will be blocked in Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows platforms. Users will see a ‘connection not private’ dialog box when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information.

Google has recommended that website operators should transition to another Certification Authority as soon as possible. 

Understanding the impact on customer trust, website safety, and the overall digital landscape is critical. 
Nick France, CTO of another certificate authority, Sectigo, commented: “Entrust lost the trust of major browser Google and now Mozilla, making its public SSL certificates unusable from November 1st. While regaining trust through a lengthy re-application process is technically possible, it's never been done before and seems unlikely. Customers face a complex and risky transition, further compounded by Entrust suggesting it will revoke active certificates...”

“This entire situation highlights the critical importance of selecting a reliable Certificate Authority with a proven track record, and it raises serious questions about Entrust's future in the industry,” France added.

Although Google recognises that the impact of blocking certificates could be delayed by operators installing a new Entrust TLS certificate before the November 1st deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”
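An added example, not from Google or the original article: a Python audit that applies the rule described above (Entrust or AffirmTrust issuer, signing date compared with October 31) to certificate dictionaries in the format returned by `ssl.SSLSocket.getpeercert()`. Assumptions: the year 2024 (the article gives only the day and month), `notBefore` standing in for the signing date, and matching on the issuer's organisation name; the sample hosts and certificates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: the article gives only "October 31"; the year 2024 is assumed.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
# Heuristic: match on the issuer organisation (O=) of the leaf certificate.
AFFECTED_ORGS = ("entrust", "affirmtrust")

def sample_cert(org, not_before):
    """Build a constructed dict shaped like ssl.SSLSocket.getpeercert() output."""
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before}

# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE_CERTS = {
    "shop.example": sample_cert("Entrust, Inc.", "Jun 12 09:00:00 2024 GMT"),
    "pay.example": sample_cert("Entrust, Inc.", "Nov 15 09:00:00 2024 GMT"),
    "old.example": sample_cert("AffirmTrust", "Oct 31 18:30:00 2024 GMT"),
    "blog.example": sample_cert("Example Trust Services", "Dec 01 09:00:00 2024 GMT"),
}

def issuer_org(cert):
    """Return the issuer organizationName, or '' if the issuer has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert, cutoff=CUTOFF):
    """Map one certificate to its status under the rule described in the article."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in AFFECTED_ORGS):
        return "unaffected"
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return "blocked" if issued > cutoff else "trusted-until-expiry"

def audit(certs):
    """Classify every host in an inventory of {host: certificate dict}."""
    return {host: classify(cert) for host, cert in certs.items()}

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live host's validated leaf certificate (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS).items():
        print(f"{host:15} {status}")
```

Hosts reported as `trusted-until-expiry` still need a replacement certificate from another CA before renewal, since a renewed Entrust certificate would fall after the cutoff.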
