Google Chrome’s New Move: Blocking Entrust SSL Certificates from November 2024 Onwards

On June 28, 2024, Google announced a major security update that will significantly impact website owners and internet users. Starting November 1, 2024, Google Chrome will no longer trust SSL certificates issued by Entrust and AffirmTrust. This decision is due to repeated compliance failures and unmet commitments by Entrust, raising serious concerns about their reliability and competence.

Importance of SSL Certificates

SSL certificates are critical for internet security. They ensure encrypted connections between users and websites, protecting data from being intercepted by malicious actors. These certificates are issued by Certificate Authorities (CAs), which are trusted entities that verify the authenticity of websites. Without these certificates, users’ data could be vulnerable to cyberattacks.

Reasons for the Block

Google’s decision to block Entrust and AffirmTrust SSL certificates is based on several factors:

  • Compliance Failures: Entrust has faced multiple publicly disclosed incidents over the years, revealing significant compliance failures.
  • Unmet Commitments: Despite commitments to improve, Entrust has not shown tangible progress in addressing these issues.
  • Security Risks: The ongoing issues pose significant risks to the internet ecosystem, prompting Google to take action.

Implementation Details

The blocking of Entrust certificates will commence with the release of Chrome version 127. This update will affect all major operating systems, including Windows, macOS, ChromeOS, Android, and Linux. However, Chrome for iOS will remain unaffected due to Apple’s policies.

Affected Certificates

Starting November 1, 2024, Chrome will no longer trust TLS server authentication certificates issued by Entrust if their earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024. The affected Entrust roots include:

  • Entrust Root Certification Authority – EC1
  • Entrust Root Certification Authority – G2
  • Entrust.net Certification Authority (2048)
  • Entrust Root Certification Authority (2006)
  • Entrust Root Certification Authority – G4
  • AffirmTrust Commercial
  • AffirmTrust Networking
  • AffirmTrust Premium
  • AffirmTrust Premium ECC

Certificates issued before this date will remain trusted until they expire.

Impact on Users and Website Operators

Users visiting websites with affected certificates will encounter a full-page interstitial warning indicating that their connection is not secure.

This can severely impact user trust and website traffic. Therefore, website operators using Entrust or AffirmTrust certificates must act swiftly to avoid disruptions.

Actions for Website Operators

Website operators are urged to transition to a new publicly-trusted CA included in the Chrome Root Store before the deadline. Here are the steps they should take:

  1. Identify Affected Certificates: Determine which of your certificates are issued by Entrust or AffirmTrust.
  2. Select a New CA: Choose a reliable CA from the Chrome Root Store, such as DigiCert, GlobalSign, or Sectigo.
  3. Purchase New Certificates: Obtain new SSL certificates from the selected CA.
  4. Replace Old Certificates: Install the new certificates on your servers and update configurations.
  5. Test and Validate: Ensure that the new certificates are properly installed and functioning.
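For step 1, the distrust rule described under "Affected Certificates" can be applied mechanically to a certificate inventory. The Python sketch below is an added example, not code from Google or from this article's author. It assumes each record already carries the root name, SCT timestamps and expiry date extracted from the certificate, that roots are labelled with the names used in this article, and that the cutoff is read in UTC; the hosts and dates are constructed.

```python
from datetime import datetime, timezone

# Root names exactly as the article lists them (en dashes included).
AFFECTED_ROOTS = [
    "Entrust Root Certification Authority – EC1",
    "Entrust Root Certification Authority – G2",
    "Entrust.net Certification Authority (2048)",
    "Entrust Root Certification Authority (2006)",
    "Entrust Root Certification Authority – G4",
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
]
# Assumption: "dated after October 31, 2024" means later than 23:59:59 UTC that day.
SCT_CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

def normalise(name):
    """Fold dash variants, case and spacing so differently typed labels match."""
    return " ".join(name.replace("\u2013", "-").replace("\u2014", "-").casefold().split())

AFFECTED = {normalise(r) for r in AFFECTED_ROOTS}

def classify(root_name, sct_times, not_after):
    """Apply the article's rule to one TLS server certificate; returns (status, detail)."""
    if normalise(root_name) not in AFFECTED:
        return ("unaffected", "does not chain to a listed root")
    if not sct_times:
        return ("review", "no SCT timestamps recorded, date rule cannot be applied")
    earliest = min(sct_times)  # the rule keys on the earliest SCT, not the latest
    if earliest > SCT_CUTOFF:
        return ("distrusted", f"earliest SCT {earliest:%Y-%m-%d} is after the cutoff")
    return ("trusted-until-expiry", f"replace before {not_after:%Y-%m-%d}")

def triage(inventory):
    """Map each host in the inventory to its status."""
    return {r["host"]: classify(r["root"], r["scts"], r["not_after"])[0] for r in inventory}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical hosts, roots and dates).
SAMPLE_INVENTORY = [
    {"host": "shop.example", "root": "Entrust Root Certification Authority - G2",
     "scts": [utc(2024, 9, 3), utc(2024, 9, 4)], "not_after": utc(2025, 9, 3)},
    {"host": "api.example", "root": "affirmtrust premium ecc",
     "scts": [utc(2024, 11, 12)], "not_after": utc(2025, 11, 12)},
    {"host": "www.example", "root": "Example Root CA",
     "scts": [utc(2024, 11, 12)], "not_after": utc(2025, 11, 12)},
]
```

Matching roots by name is a simplification for inventory triage; a production check should compare root certificate fingerprints taken from a trusted source.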

Impact on Enterprises

Enterprises using Entrust certificates for internal networks can override the Chrome Root Store constraints by installing the corresponding root CA certificate as a locally trusted root on the platform Chrome runs on. This allows internal systems to continue functioning without disruption while maintaining security.

Google’s Security Initiatives

Google’s decision to block Entrust SSL certificates is part of its broader strategy to enhance internet security. Over the years, Google has introduced several measures to ensure the security and integrity of online communications:

  • Shorter Certificate Lifespans: Google has advocated for shorter validity periods for SSL certificates, reducing the maximum duration to one year. This ensures that cryptographic standards remain current and any vulnerabilities are quickly addressed.
  • Strict Validation Processes: Google enforces stringent validation processes for CAs, ensuring that only trusted entities can issue SSL certificates.
  • Enhanced Browser Security: Chrome continuously updates its security protocols to protect users from emerging threats.

Industry Reactions

The cybersecurity community has had mixed reactions to Google’s announcement:

  • Support for Stricter Standards: Many experts agree with Google’s strict stance on security, emphasizing the importance of maintaining trust in CAs.
  • Concerns About Disruption: Some industry professionals worry about the potential disruptions and additional costs for businesses transitioning to new CAs.

Despite these concerns, the consensus is that these measures will ultimately lead to a more secure internet.

Key Takeaway Points

  • Google Chrome will block Entrust SSL certificates starting November 1, 2024, due to compliance failures and security concerns.
  • Certificate Authorities (CAs) play a crucial role in internet security by issuing digital certificates that verify website authenticity and enable encrypted connections.
  • Website operators using Entrust or AffirmTrust certificates must transition to a new publicly-trusted CA included in the Chrome Root Store before the deadline to avoid disruptions.
  • Google’s decision is part of a broader strategy to enhance internet security by enforcing stricter validation processes and shorter certificate lifespans.
  • Industry reactions are mixed, with support for stricter standards and concerns about potential disruptions and costs.


2 Comments

  1. Your work has captivated me just as much as it has you. The sketch you’ve created is tasteful, and the material you’ve written is impressive. However, you seem anxious about the prospect of presenting something that could be considered questionable. I believe you’ll be able to rectify this situation in a timely manner.

    • Thanks so much for your comment! I really appreciate your feedback and support. It’s great to hear your thoughts and know that you enjoyed the post. Stay tuned for more content, and feel free to share any other ideas or questions you might have!
