Starting November, Google Chrome Will No Longer Trust Entrust CA Certificates Due to Repeated Issues
Entrust, a privately held company founded in 1994 and now headquartered in the United States, runs a publicly trusted certificate authority whose certificates will soon be distrusted by Google and, most likely, by Mozilla. Google has announced that, starting November 1, 2024, Chrome 127 and later will no longer trust newly issued TLS server certificates that chain to the roots of Entrust or its affiliate AffirmTrust. The decision covers TLS server authentication only; it does not by itself affect other certificate types such as code signing.
Mozilla has not yet announced a date for distrusting Entrust in Firefox, but a proposal to do so has been under public discussion in Mozilla's CA program for some time, so Firefox is very likely to follow with a similar move.
Note that certificates issued before the cutoff remain trusted by both Chrome and Firefox until they expire. Only certificates issued on or after November 1 are affected; for those, Chrome interrupts the page load with a certificate warning instead of displaying the site.
Example with Google Chrome:
Websites using Entrust-issued TLS certificates dated on or after November 1 will fail to load normally in Chrome. Users will be warned that their connection is not private and will see the error code ERR_CERT_AUTHORITY_INVALID, which means Chrome could not build a path from the site's certificate to a root it trusts.
Users can still proceed by clicking "Advanced" and then choosing to continue to the site, but the address bar will then show a red "Not secure" warning for the HTTPS connection.
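A worked example of the cutoff rule described above, added here and not part of the original article or of any Chrome code. Chrome's published criterion for this distrust keys the date not to the certificate's notBefore field but to its earliest Signed Certificate Timestamp (SCT), so the script decodes the RFC 6962 SCT list that a certificate carries, takes the earliest timestamp, and applies the November 1 cutoff together with the Chrome 127 version gate. Assumptions: the chain's root is identified by an organisation name (Chrome's real implementation pins specific root certificates); the SCT lists are constructed sample data with dummy log IDs and placeholder signatures; SCT signatures are decoded but not verified.

```python
import struct
from datetime import datetime, timedelta, timezone

# Cutoff described on the page: Entrust/AffirmTrust certificates issued on or after
# 1 November 2024 are no longer trusted by Chrome 127+. Chrome's published rule keys
# the date to the certificate's earliest SCT timestamp.
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)
FIRST_AFFECTED_CHROME = 127
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Assumption for this example: identify the chain's root by the organisation name in
# its subject. Chrome actually matches the specific root certificates.
DISTRUSTED_ROOT_ORGS = {"Entrust, Inc.", "AffirmTrust"}


def parse_sct_list(blob: bytes) -> list[dict]:
    """Decode a TLS-encoded SignedCertificateTimestampList (RFC 6962, section 3.3).

    Layout: uint16 total length, then repeated (uint16 length, SCT), where an SCT is
    version(1) || log_id(32) || timestamp_ms(8) || extensions(uint16 len + bytes) ||
    signature(hash alg(1), sig alg(1), uint16 len + bytes). Signatures are not verified.
    """
    (total,) = struct.unpack_from(">H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("SCT list length does not match data")
    pos, end, scts = 2, 2 + total, []
    while pos < end:
        (sct_len,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        sct = blob[pos:pos + sct_len]
        pos += sct_len
        if len(sct) != sct_len or sct[0] != 0:  # v1 (value 0) is the only defined version
            raise ValueError("truncated or unsupported SCT")
        log_id = sct[1:33]
        (ts_ms,) = struct.unpack_from(">Q", sct, 33)
        (ext_len,) = struct.unpack_from(">H", sct, 41)
        sig_off = 43 + ext_len
        hash_alg, sig_alg = sct[sig_off], sct[sig_off + 1]
        (sig_len,) = struct.unpack_from(">H", sct, sig_off + 2)
        signature = sct[sig_off + 4:sig_off + 4 + sig_len]
        if len(signature) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({
            "log_id": log_id,
            "timestamp": EPOCH + timedelta(milliseconds=ts_ms),
            "hash_alg": hash_alg, "sig_alg": sig_alg, "signature": signature,
        })
    return scts


def earliest_sct(scts: list[dict]) -> datetime:
    return min(s["timestamp"] for s in scts)


def chrome_verdict(root_org: str, sct_blob: bytes, chrome_version: int) -> str:
    """Return 'trusted' or a 'distrusted: ...' reason for one certificate chain."""
    if root_org not in DISTRUSTED_ROOT_ORGS:
        return "trusted"
    if chrome_version < FIRST_AFFECTED_CHROME:
        return "trusted"  # the change ships in Chrome 127 and later
    scts = parse_sct_list(sct_blob)
    if not scts:
        raise ValueError("no SCTs present; cannot apply the issuance-date rule")
    first = earliest_sct(scts)
    if first >= CUTOFF:
        return f"distrusted: earliest SCT {first.isoformat()} is on/after the cutoff"
    return "trusted"


def build_sct_list(timestamps: list[datetime]) -> bytes:
    """Constructed sample data: v1 SCTs with dummy log IDs and placeholder signatures."""
    scts = []
    for i, ts in enumerate(timestamps):
        ts_ms = int((ts - EPOCH).total_seconds() * 1000)
        sig = b"\x30\x06\x02\x01\x01\x02\x01\x01"  # placeholder bytes, not a real signature
        body = (bytes([0]) + bytes([i]) * 32 + struct.pack(">Q", ts_ms)
                + struct.pack(">H", 0)            # no extensions
                + bytes([4, 3])                   # hash=sha256(4), sig=ecdsa(3)
                + struct.pack(">H", len(sig)) + sig)
        scts.append(struct.pack(">H", len(body)) + body)
    payload = b"".join(scts)
    return struct.pack(">H", len(payload)) + payload


# Constructed chains: one logged before the cutoff (and re-logged after), one logged after.
OLD_CERT = build_sct_list([datetime(2024, 10, 15, tzinfo=timezone.utc),
                           datetime(2024, 11, 5, tzinfo=timezone.utc)])
NEW_CERT = build_sct_list([datetime(2024, 11, 2, 9, 30, tzinfo=timezone.utc)])

if __name__ == "__main__":
    for name, org, blob in [("old Entrust cert", "Entrust, Inc.", OLD_CERT),
                            ("new Entrust cert", "Entrust, Inc.", NEW_CERT),
                            ("new cert, other CA", "Example CA LLC", NEW_CERT)]:
        for version in (126, 127):
            print(f"{name:20} Chrome {version}: {chrome_verdict(org, blob, version)}")
```

To run this against a real certificate, take the TLS-encoded list from the CT precertificate SCTs extension (OID 1.3.6.1.4.1.11129.2.4.2, shown by openssl x509 -text as "CT Precertificate SCTs"); the extension value is a DER OCTET STRING wrapping the list, so unwrap it before passing the bytes to chrome_verdict. Taking the earliest SCT rather than the notBefore date matters for the edge case shown by OLD_CERT: a certificate logged before the cutoff stays trusted even if it is later logged again.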
Reasons for Distrust:
Google's blog post does not walk through the individual incidents; it describes a multi-year pattern of compliance failures, unmet improvement commitments and a lack of measurable progress, and links to the public incident reports on Mozilla's Bugzilla. Those reports cover, among other things, OCSP responses that did not comply with the applicable standards, hyphens in the stateOrProvinceName (ST) field of certificates, late updates to Entrust's Certification Practice Statement (CPS), and continued use of SHA-1-signed OCSP responses.
Unlike earlier root CA distrust decisions, which followed deliberate misissuance or a compromise of the CA, Entrust has not been accused of intentionally issuing bad certificates. What has eroded the industry's trust is the accumulation of compliance failures and the slow, incomplete way they were remediated.
Effectively a Death Sentence:
For a root CA, being distrusted by Chrome and Firefox is tantamount to a death sentence, since the two browsers dominate the market. If Apple follows suit in Safari, as seems likely, Entrust's TLS certificate business would be crippled. Entrust's code signing certificates are governed by a separate root program, so their future depends on whether Microsoft decides to withdraw trust there.
Symantec went through the same process years ago: after a series of certificate misissuance incidents, Google and Mozilla distrusted its roots in 2017-2018. Symantec sold its CA business to DigiCert in 2017, its remaining security businesses were sold off in stages afterwards, and the name has all but vanished from the industry.