Google Says Websites Must Comply With New Security Rules

Google's Chrome Security Team has issued a security and privacy bombshell to the 3.5 billion users of its Chrome web browser. From November 1, the world's most-used web browser will no longer trust newly issued digital certificates from Entrust, one of the world's most-used certificate authorities.

From a business perspective, this decision has far-reaching consequences for organisations that rely on certificates from Entrust. Customers affected include Chase Bank, Dell, Ernst & Young, Mastercard and Merrill Lynch, as well as numerous government agencies worldwide.

In late June Google justified the decision to stop trusting Transport Layer Security (TLS) certificates issued by Entrust and by AffirmTrust, which Entrust acquired in 2016, on the grounds of prioritising the security and privacy of Chrome's users, stating "we are unwilling to compromise on these values."

This is a serious issue, because certificate authorities are the foundation of the encrypted connections between a user's browser and the websites it visits: a browser only trusts a site's TLS certificate if it chains to a CA root in the browser's root store.

Citing the Chrome Root Program Policy, updated in January, Google said that CA certificates included in the Chrome Root Store must provide value to Chrome users that "exceeds the risk of their continued inclusion." That is no longer the case, according to the Chrome Security Team, which explained that Entrust's behaviour in responding to publicly disclosed incidents has fallen short of its expectations.

Google said this pattern of incidents has "eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner."

Google isn't the only browser vendor to have had problems with Entrust. Mozilla has also been critical of incidents involving the certificate authority. Indeed, developers of Mozilla's open source Firefox browser raised a list of complaints that led to a lengthy and detailed response from Entrust in a report to the Mozilla community published in June.

Entrust and AffirmTrust TLS server authentication certificates issued on or before October 31 will continue to be trusted until their expiry date. Certificates issued from November 1 onwards will not be trusted by Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows (Chrome on iOS is not on the list because it uses the operating system's trust store rather than the Chrome Root Store). Users will see a full-page "Your connection is not private" warning when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information.

Google has recommended that website operators transition to another certificate authority as soon as possible.

Understanding the impact on customer trust, website safety, and the overall digital landscape is critical. 
Nick France, CTO of Sectigo, another certificate authority, commented: "Entrust lost the trust of major browser Google and now Mozilla, making its public SSL certificates unusable from November 1st. While regaining trust through a lengthy re-application process is technically possible, it's never been done before and seems unlikely. Customers face a complex and risky transition, further compounded by Entrust suggesting it will revoke active certificates..."

"This entire situation highlights the critical importance of selecting a reliable Certificate Authority with a proven track record, and it raises serious questions about Entrust's future in the industry," France added.

Although Google recognises that operators can defer the impact by installing a fresh Entrust TLS certificate before the November 1st deadline (such a certificate stays trusted until it expires), it warned that "website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store."
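As an added example, not code from the article, from Google or from Entrust, the following Python script applies the cut-off described in the two paragraphs above to a certificate inventory: anything chaining to Entrust or AffirmTrust and issued after October 31 is flagged as distrusted, anything issued earlier is trusted only until it expires. Records are in the shape returned by the standard library's `ssl.SSLSocket.getpeercert()`; the sample records, the `AS_OF` date and the `fetch_peer_cert` helper are constructed for illustration. It assumes `notBefore` as a proxy for the earliest Signed Certificate Timestamp that Chrome's rule actually keys on, and matches the issuer organisation as a heuristic for the root.

```python
"""Added example, not from the original article or from Google/Entrust.

Classifies server certificates against the Chrome 127+ rule:
certificates chaining to Entrust/AffirmTrust roots stay trusted only
if issued by 31 October 2024, and then only until they expire.

Assumption: Chrome keys on the earliest Signed Certificate Timestamp
(SCT), which getpeercert() does not expose, so notBefore stands in
for the issuance date here.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, Optional

# Last issuance date still trusted, per Google's announcement.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Organisation names carried by the Entrust and AffirmTrust hierarchies.
# Substring match on the leaf's issuer O= is a heuristic: a full audit
# walks the chain to the root, which getpeercert() does not return.
AFFECTED_ORGS = ("Entrust", "AffirmTrust")

# Fixed "now" so the sample report is reproducible (constructed value).
AS_OF = datetime(2025, 1, 15, tzinfo=timezone.utc)


def _cert_time(value: str) -> datetime:
    """getpeercert() dates look like 'Nov  1 00:00:00 2024 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def issuer_org(cert: dict) -> str:
    """Extract organizationName from getpeercert()'s nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def classify(cert: dict, now: Optional[datetime] = None) -> str:
    """One of: unaffected, expired, distrusted, trusted-until-expiry."""
    now = now or datetime.now(timezone.utc)
    if not any(org in issuer_org(cert) for org in AFFECTED_ORGS):
        return "unaffected"
    if _cert_time(cert["notAfter"]) < now:
        return "expired"
    if _cert_time(cert["notBefore"]) > CUTOFF:
        return "distrusted"
    return "trusted-until-expiry"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check (needs network): the leaf certificate as getpeercert() sees it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _issuer(org: str, cn: str) -> tuple:
    """Build an issuer field in getpeercert() layout: a tuple of RDNs."""
    return ((("countryName", "US"),), (("organizationName", org),), (("commonName", cn),))


# Constructed sample records (hypothetical, not real certificates).
SAMPLE_CERTS: Dict[str, dict] = {
    "entrust-issued-sep-2024": {
        "issuer": _issuer("Entrust, Inc.", "Entrust Certification Authority - L1K"),
        "notBefore": "Sep  1 00:00:00 2024 GMT",
        "notAfter": "Aug 31 23:59:59 2025 GMT",
    },
    "entrust-issued-dec-2024": {
        "issuer": _issuer("Entrust, Inc.", "Entrust Certification Authority - L1K"),
        "notBefore": "Dec  1 00:00:00 2024 GMT",
        "notAfter": "Nov 30 23:59:59 2025 GMT",
    },
    "affirmtrust-expired": {
        "issuer": _issuer("AffirmTrust", "AffirmTrust Commercial"),
        "notBefore": "Jan 10 00:00:00 2024 GMT",
        "notAfter": "Jan 10 23:59:59 2025 GMT",
    },
    "other-ca": {
        "issuer": _issuer("Let's Encrypt", "R11"),
        "notBefore": "Dec  1 00:00:00 2024 GMT",
        "notAfter": "Mar  1 23:59:59 2025 GMT",
    },
}


def report(certs: Dict[str, dict] = SAMPLE_CERTS, now: datetime = AS_OF) -> Dict[str, str]:
    """Map each inventory entry to its verdict; 'distrusted' entries need a new CA first."""
    return {name: classify(cert, now) for name, cert in certs.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:26s} {verdict}")
```

For a live check, pass `fetch_peer_cert("example.invalid")` to `classify`. Because `getpeercert()` returns only the leaf, the organisation match can miss cross-signed or unusually named intermediates; confirm the root with `openssl s_client -showcerts` before deciding a certificate is unaffected.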
