Urgent action required: Google to end trust in Entrust certificates

2 days ago 43

 Google to end trust in Entrust certificatesGoogle has announced that it will start blocking websites that use certificates from Entrust in its Chrome browser beginning 1 November 2024.

This decision affects Chrome versions across macOS, Windows, ChromeOS, Linux and Android platforms. However, Chrome for iPadOS and iOS will remain unaffected due to Apple’s policies, which do not permit the use of the Chrome Root Store.

The primary reasons for this move are compliance issues and Entrust’s inability to address security problems promptly. Google has emphasised the importance of maintaining compliance and ensuring the reliability of trusted certificates to protect the integrity of the internet ecosystem.

A loss of confidence

Entrust’s failure to meet these critical standards has led to a loss of confidence in its competence, reliability and integrity as a publicly trusted certificate authority. The Google Chrome security team said that over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviour by Entrust that falls short of the above expectations and have eroded confidence in their competence, reliability and integrity as a publicly trusted certificate authority owner.

As a result, Google will no longer trust TLS server authentication certificates issued by Entrust, starting with Chrome browser versions 127 and higher by default. Although Chrome users and enterprise customers have the option to override these settings, it is strongly advised to transition to a publicly trusted certificate authority to avoid security risks and potential disruptions.

After the deadline, when users attempt to navigate to a site using an Entrust or AffirmTrust certificate, they will encounter an interstitial message warning that their connection is not secure and private. This move underscores the importance of using trusted certificates to ensure a safe browsing experience for users.

Switch to a trusted CA

Website operators affected by this decision are encouraged to switch to a different publicly trusted certificate authority before 31 October 2024 to minimise disruption. Google advises that while website operators could delay the impact of the blocking action by choosing to collect and install a new TLS certificate issued from Entrust before Chrome’s blocking action begins on 1 November 2024, they will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.

For companies currently using Entrust certificates, Google’s decision has significant implications, says Rob Brown, group president and executive director of CYBER1. “I strongly encourage anyone using Entrust certificates to audit their environment as a matter of urgency to assess the impact this might have on their business before it’s too late.”

He says certificate authorities (CAs) play a crucial role in issuing SSL/TLS certificates that verify the legitimacy of websites. “These certificates facilitate encrypted communications between users and websites, ensuring the integrity and security of data. In addition, the responsibility that CA’s carry is huge, and any mistakes on their part can result in catastrophic consequences.”

Immediate actions are needed

Brown says this is why immediate actions are needed to mitigate the impact. “Companies should audit all their current Entrust certificates and plan to replace them with certificates from a trusted CA. The impact on website accessibility is also a major concern. Visitors to websites using Entrust certificates will encounter interstitial warnings in Chrome, indicating that the connection is neither secure nor private. This can deter users and negatively impact the user experience. Furthermore, the presence of these security warnings can harm the trust and reputation of companies, as users may perceive their sites as unsafe.”

Brown says compliance and security concerns are paramount, and maintaining compliance with industry standards and browser requirements is crucial. “Failure to do so can result in security vulnerabilities and a loss of user trust. Using trusted certificates from reputable CAs ensures that data exchanged between users and websites is secure, protecting against potential cyberthreats.”

Operationally, Brown says IT teams will need to update server configurations to integrate new certificates, which may involve significant planning and testing to ensure a smooth transition. Companies should also communicate with stakeholders, including customers and partners, about the upcoming changes and reassure them of ongoing security and compliance measures.

Committed to improvement

In a statement, Entrust said it recognises what led it to this point and is committed to improvement.

It says the recent errors resulted from a misinterpretation of CA/Browser Forum compliance requirements and attempts to resolve this led to further non-security-related mis-issuances. In aiming to provide additional flexibility by extending and delaying revocations, Entrust did not align with the CA/Browser Forum’s five-day revocation requirement for mis-issuances.

This scrutiny, says Entrust, brought to light past commitments that, if fully implemented, could have prevented these incidents. The company acknowledges the need for improvement and has thoroughly assessed its CA operations in recent months.

CYBER1’s Rob Brown

Following this assessment, Entrust claims to have made organisational, process and policy changes. For instance, it integrated the CA product compliance team into its global compliance and operations teams for enhanced capabilities. Entrust established a cross-functional change control board and a technical change review board to prevent similar issues. The company says it is accelerating R&D for TLS certificate compliance and automation, improving the tracking of public commitments, and revising its incident response practices.

Entrust says it remains dedicated to serving as a public CA and will promptly address open issues and promised improvements.

In conclusion, Brown says that by prioritising compliance and trusted certificates, Google aims to enhance the overall security and reliability of the Internet, protecting users and maintaining the integrity of online communications.

Should any organisations require any assistance in better understanding the impact then they are welcome to contact CYBER1 for assistance in this matter.

About CYBER1 Solutions
CYBER1 Solutions is a cybersecurity specialist operating in Southern Africa, East and West Africa, Dubai, and elsewhere in the Europe, Middle East and Africa region. Our solutions deliver information security; IT risk management; fraud detection; governance and compliance; and a full range of managed services. We also provide bespoke security services across the spectrum, with a portfolio that ranges from the formulation of our customers’ security strategies to the daily operation of endpoint security solutions. To do this, we partner with world-leading security vendors to deliver cutting-edge technologies augmented by our wide range of professional services. Our services allow organisations in every sector to prevent attacks by providing the visibility into vulnerabilities they need to rapidly detect compromises, respond to breaches and stop attacks before they become an issue. For more, visit c1-s.com/middle-east-europe.