Google Says Websites Must Comply With New Security Rules

Google's Chrome Security Team has issued a security and privacy bombshell to the 3.5 billion users of its Chrome web browser. From November 1, the world's most-used web browser will no longer trust digital certificates issued by Entrust, one of the world's most widely used certificate authorities.

From a business perspective, this decision has far-reaching consequences for organisations that rely on certificates from Entrust. Affected customers include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, as well as numerous government agencies worldwide.

In late June, Google justified its decision to stop trusting Transport Layer Security (TLS) certificates issued by Entrust and by AffirmTrust, which Entrust acquired in 2016, on the grounds of prioritising the security and privacy of Chrome's users, stating that “we are unwilling to compromise on these values.”

This is a serious issue, because certificate authorities are the foundation of the encrypted connections that users rely on between their web browser and the websites they visit.

Citing the Chrome Root Program Policy updated in January, Google said that a CA's certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which said that Entrust's behaviour in responding to publicly disclosed incidents has fallen short of its expectations.

Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

Google isn’t the only browser maker to have had problems with Entrust. Mozilla has also been critical of the certificate authority over its handling of incidents. Indeed, developers of Mozilla's open source Firefox browser have voiced a list of complaints that led to a lengthy and detailed response from Entrust, published in June as a report to the Mozilla community.

Entrust and AffirmTrust TLS server authentication certificates issued on or before October 31 will remain trusted until they expire. From November 1, however, Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows will no longer trust certificates these CAs issue after that date, and connections to sites presenting them will be blocked. Users will see a ‘connection not private’ warning page when attempting to connect to any site using a blocked certificate, cautioning that the site could be trying to steal personal or financial information.
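As an added example (not code from Google, Entrust or the original article), the following Go program uses the standard library's crypto/x509 to triage a leaf certificate the way the paragraph above describes: is it issued by Entrust or AffirmTrust, and was it issued on or before the cutoff (kept trusted until expiry) or after it (blocked). It uses the certificate's NotBefore date as the issuance date; Google's announcement keys on the certificate's earliest Signed Certificate Timestamp (SCT), so this is a triage check rather than an exact reproduction of Chrome's logic. Matching the issuer on its Organization name is a simplification (a precise check would pin the specific root certificates Chrome lists); the sample CA names, the www.example.test host and the sample dates are constructed for the example. LeafFromTLS is included so the same check can be pointed at a live host.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ChromeCutoff is the issuance date the article describes: certificates
// issued on or before it stay trusted until expiry, later ones are blocked.
// Caveat: Chrome keys on the earliest SCT timestamp, not on NotBefore;
// NotBefore is used here as the nearest field available offline.
var ChromeCutoff = time.Date(2024, time.October, 31, 23, 59, 59, 0, time.UTC)

// distrustedOrgs are the CA organisations named in the announcement.
// Assumption: matching on issuer Organization is a simplification; a
// precise check would pin the specific root certificates Chrome lists.
var distrustedOrgs = []string{"entrust", "affirmtrust"}

// IssuedByDistrustedCA reports whether the certificate's issuer belongs to
// one of the CAs Chrome is removing.
func IssuedByDistrustedCA(cert *x509.Certificate) bool {
	for _, org := range cert.Issuer.Organization {
		for _, bad := range distrustedOrgs {
			if strings.Contains(strings.ToLower(org), bad) {
				return true
			}
		}
	}
	return false
}

// Verdict classifies a leaf certificate: "unaffected" (other CA),
// "grandfathered" (distrusted CA, issued on or before the cutoff) or
// "blocked" (distrusted CA, issued after the cutoff).
func Verdict(cert *x509.Certificate, cutoff time.Time) string {
	switch {
	case !IssuedByDistrustedCA(cert):
		return "unaffected"
	case cert.NotBefore.After(cutoff):
		return "blocked"
	default:
		return "grandfathered"
	}
}

// LeafFromTLS fetches the leaf certificate a live host presents
// (hostPort such as "www.example.com:443"). Not exercised offline.
func LeafFromTLS(hostPort string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", hostPort, &tls.Config{})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// makeTestCert builds a constructed self-signed certificate so the check can
// run offline. Self-signed means Issuer equals Subject, so issuerOrg lands in
// cert.Issuer.Organization, the field IssuedByDistrustedCA reads.
func makeTestCert(issuerOrg, host string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{issuerOrg}, CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample inputs, not real certificates.
	samples := []struct {
		org    string
		issued time.Time
	}{
		{"Entrust, Inc.", time.Date(2024, time.September, 1, 0, 0, 0, 0, time.UTC)},
		{"AffirmTrust", time.Date(2024, time.November, 15, 0, 0, 0, 0, time.UTC)},
		{"Example CA Ltd", time.Date(2024, time.November, 15, 0, 0, 0, 0, time.UTC)},
	}
	for _, s := range samples {
		cert, err := makeTestCert(s.org, "www.example.test", s.issued)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-15s issued %s -> %s\n", s.org,
			cert.NotBefore.Format("2006-01-02"), Verdict(cert, ChromeCutoff))
	}
}
```

To check a real site, replace the constructed certificate with `LeafFromTLS("www.example.com:443")` and pass the result to Verdict; a "grandfathered" result still means the certificate must be replaced by a CA in the Chrome Root Store before it expires.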

Google has recommended that website operators transition to another certificate authority as soon as possible.

Understanding the impact on customer trust, website safety and the overall digital landscape is critical.

Nick France, CTO of Sectigo, another certificate authority, commented: “Entrust lost the trust of major browser Google and now Mozilla, making its public SSL certificates unusable from November 1st. While regaining trust through a lengthy re-application process is technically possible, it's never been done before and seems unlikely. Customers face a complex and risky transition, further compounded by Entrust suggesting it will revoke active certificates..."

"This entire situation highlights the critical importance of selecting a reliable Certificate Authority with a proven track record, and it raises serious questions about Entrust's future in the industry,” France added.

Google acknowledges that operators can delay the impact by installing a new Entrust TLS certificate before the November 1 deadline, but it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”


Image: @Entrust_Corp
