Google Says Websites Must Comply With New Security Rules

Google's Chrome Security Team has issued a security and privacy bombshell to the 3.5 billion users of its Chrome web browser. From November 1, the world’s most-used web search tools will no longer trust digital certificates issued by Entrust, one of the world’s most-used certificate authorities.

From a business perspective, this decision has far-reaching consequences for businesses that rely upon certification from Entrust. Customers affected include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, as well as numerous government agencies worldwide.

In late June, Google justified the decision to revoke Transport Layer Security certificates issued by Entrust and AffirmTrust, acquired by Entrust in 2016, on the grounds of prioritising the security and privacy of Chrome’s users, stating “we are unwilling to compromise on these values.”

This is a really serious issue, as these certificate authorities act as the foundation of the encrypted connections that users rely upon to connect between their web browser and the Internet.

Citing the Chrome Root Program Policy, updated in January, Google said that such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which explains that the behaviour of Entrust in responding to publicly disclosed incidents has fallen short of its expectations.

Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

Google isn’t the only browser business to have problems with Entrust. Mozilla has also been critical regarding incidents with the Certification Authority. Indeed, the developers of Mozilla's open source Firefox browser have voiced a list of complaints that led to a lengthy and detailed response from Entrust in a Report to the Mozilla community published in June.

While Entrust and AffirmTrust TLS server authentication certificates that were signed on or before October 31 will continue to be valid until their expiration date, with effect from November 1st certificates signed after that date will cease to be trusted and will be blocked in Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows platforms. Users will see a ‘connection not private’ dialog box when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information.

Google has recommended that website operators should transition to another Certification Authority as soon as possible. 
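The cutoff rule described above can be applied to a certificate inventory before the deadline. The following is an added example, not code from Google or Entrust: it classifies the output of `openssl x509 -noout -issuer -startdate -enddate` for each host. It assumes the year 2024 (the article gives only the day), uses `notBefore` as a stand-in for the signing date, and matches on issuer name text, so a hit means "review this certificate" rather than a definitive verdict.

```python
from datetime import datetime, timezone

# Assumption: the page gives the day but not the year; 2024 is assumed here.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
# Assumption: match on issuer DN text. A browser's own check is keyed to
# specific root certificates, so treat a hit as "needs review".
AFFECTED = ("entrust", "affirmtrust")

def parse_fields(text):
    """Split `openssl x509 -noout -issuer -startdate -enddate` output into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def parse_date(value):
    # openssl pads single-digit days with a space: "Nov  5 09:00:00 2024 GMT"
    normalised = " ".join(value.split())
    parsed = datetime.strptime(normalised, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def classify(text):
    """Return (status, not_after) for one certificate's openssl output."""
    fields = parse_fields(text)
    not_after = parse_date(fields["notAfter"])
    if not any(name in fields["issuer"].lower() for name in AFFECTED):
        return "not_affected", not_after
    if parse_date(fields["notBefore"]) > CUTOFF:
        return "blocked", not_after          # signed after the cutoff
    return "trusted_until_expiry", not_after  # plan replacement before not_after

def audit(inventory):
    """Map host -> status so blocked hosts can be reissued first."""
    return {host: classify(text)[0] for host, text in inventory.items()}

# Constructed sample inventory (hosts, issuer names and dates are made up).
SAMPLES = {
    "shop.example.com": 'issuer=C = US, O = "Entrust, Inc.", CN = Constructed Issuing CA\n'
                        "notBefore=Nov  5 09:00:00 2024 GMT\nnotAfter=Nov  5 09:00:00 2025 GMT",
    "pay.example.com": "issuer=C = CA, O = AffirmTrust, CN = Constructed Issuing CA\n"
                       "notBefore=Mar 12 00:00:00 2024 GMT\nnotAfter=Mar 12 00:00:00 2025 GMT",
    "www.example.org": "issuer=C = GB, O = Example CA Ltd, CN = Example Issuing CA\n"
                       "notBefore=Nov 20 00:00:00 2024 GMT\nnotAfter=Nov 20 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLES).items():
        print(f"{host}: {status}")
```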

Understanding the impact on customer trust, website safety, and the overall digital landscape is critical. 
Nick France, CTO of another certification company, CA Sectigo, commented: “Entrust lost the trust of major browser Google and now Mozilla, making its public SSL certificates unusable from November 1st. While regaining trust through a lengthy re-application process is technically possible, it's never been done before and seems unlikely. Customers face a complex and risky transition, further compounded by Entrust suggesting it will revoke active certificates...”

“This entire situation highlights the critical importance of selecting a reliable Certificate Authority with a proven track record, and it raises serious questions about Entrust's future in the industry.” France added.

Although Google recognises that the impact of blocking certificates could be delayed by operators installing a new Entrust TLS certificate before the November 1st deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”

Google | Chromium | Mozilla | Forbes | Malcare | GoDaddy
