Google Says Websites Must Comply With New Security Rules

Uploaded on 2024-08-06 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Google's Chrome Security Team has issued a security and privacy bombshell to the 3.5  billion users of its Chrome web browser. From November 1, the world’s most-used web search tools will no longer trust digital certificates issued by Entrust, one of the world’s most-used certificate authorities. 

From a business perspective, this decision has far-reaching consequences for businesses who rely upon certificteion from Entrust.  Customers affected include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, also numerous government agencies worldwide.

In late June Google justifies the decision to revoke Transport Layer Security certificates issued by Entrust and AffirmTrust, acquired by Entrust in 2016, on the grounds of prioritising the security and privacy of Chrome’s users, stating “we are unwilling to compromise on these values.”  

This is a really serious issue, as these certificate authorities act as the foundation of the encrypted connections that users rely upon to connect between their web browser and the Internet.

Mentioning the Chrome Root Program Policy updated in January, Google said that such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which explains that the behaviour of Entrust in responding to publicly disclosed incidents has fallen short of its expectations. 

Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

Google isn’t the only browser business to have problems with Entrust. Mozilla has also been critical regarding incidents with the Certification Authority. Indeed, Mozilla'a Firefox open source browser developers have voiced a list of  complaints that led to a lengthy and detailed response from Entrust in a Report to the Mozilla community published in June.

While Entrust and AffirmTrust TLS server authentication certificates that were signed on or before October 31 will continue to be valid until their expiration date, with effect from November 1st Chrome 127 and lthen Android, ChromeOS, Linux, macOS and Windows platforms will cease to be trusted and blocked. Users will see a ‘connection not private’ dialog  box when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information. 

Google has recommended that website operators should transition to another Certification Authority as soon as possible. 

Understanding the impact on customer trust, website safety, and the overall digital landscape is critical. 
Nick France, CTO of another certification comonay,  CA Sectigo, commented “Entrust lost the trust of major browser Google and now Mozilla, making its public SSL certificates unusable from November 1st. While regaining trust through a lengthy re-application process is technically possible, it's never been done before and seems unlikely. Customers face a complex and risky transition, further compounded by Entrust suggesting it will revoke active certificates..."

"This entire situation highlights the critical importance of selecting a reliable Certificate Authority with a proven track record, and it raises serious questions about Entrust's future in the industry.” France added.

Although Google recognises that the impact of blocking certificates could be delayed by operators installing a new Entrust TLS certificate before the November 1st deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”

Google   |     Chromium   |    Mozilla   |   Forbes   |    Malcare   |    GoDaddy   |   Google  | 

Image: @Entrust_Corp

You Might Also Read: 

AI Is The Next Big Thing For Browser Security:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 


 

« Modern Britain: Disinformation On Social Media Inflames Anti-Immigration Riots
Problems With Underperforming Cyber Security Service Providers [extract] »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perforce Software

Perforce Software

Perforce helps companies build complex software products more collaboratively, securely, and efficiently.

Oxygen Forensics

Oxygen Forensics

Oxygen Forensics offer the most advanced forensic data examination tools for mobile devices and cloud services.

Senetas

Senetas

Senetas is a leading developer and manufacturer of certified high-assurance encryption solutions, dedicated to protecting network transmitted data without compromising performance.

Direct Recruiters Inc

Direct Recruiters Inc

Direct Recruiters is a relationship-focused search firm that assists IT Security and Cybersecurity companies with recruiting high-impact talent.

Australian Cyber Security Centre (ACSC)

Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) brings cyber security capabilities from across the Australian Government together into a single location.

Thinklogical

Thinklogical

Thinklogical manufactures secure, KVM, video, audio, and computer peripheral signal switching solutions for defence C4ISR applications.

Nation-E

Nation-E

Nation-E offers innovative cyber security solutions for industrial installations, critical infrastructure and smart grids.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

Vector InfoTech

Vector InfoTech

Vector InfoTech is a leader in Industrial Security, Networks, IT and Telecommunications.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

Acceptto

Acceptto

Acceptto offers the first unified and continuous authentication identity access platform with No-Password.

Kintent

Kintent

With Kintent, compliance becomes a habit, is simple to understand and achieve, and is continuously testable so that your customers can see that you are adhering to all your trust obligations.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Kompleye

Kompleye

Kompleye is a recognized cybersecurity and compliance audit organization that offer a comprehensive solution for different industries.

Serbus

Serbus

Serbus Secure is a fully managed suite of secure communication, enterprise mobility and mobile device security tools.

Fortreum

Fortreum

Fortreum aim to simplify cybersecurity in the marketplace to accelerate your business outcomes.