Monday, December 23, 2024

New Chrome Security Rules—Google Gives Web Users Until 11/1 To Comply


An announcement from the Google Chrome Security Team has dropped what can only be described as a security and privacy bombshell for the 3.45 billion users of the Chrome browser. From November 1, the world’s most-used web browser will no longer trust digital certificates issued by Entrust, one of the world’s most-used certificate authorities. How widespread are Entrust digital security certificates? Customers include Chase Bank, Dell, Ernst & Young, Mastercard, and Merrill Lynch, not to mention governments worldwide.

Google To Revoke Trust In Entrust Digital Certificates

The June 27 announcement by Google pulls no punches as it justifies the decision to revoke Transport Layer Security certificates issued by Entrust and AffirmTrust, acquired by Entrust in 2016, on the grounds of prioritizing the security and privacy of Chrome’s users, stating “we are unwilling to compromise on these values.” This is a serious deal, a very serious deal, as these certificate authorities act as the foundation of the encrypted connections that users rely upon between their web browser and the internet.


Referring to the Chrome Root Program Policy, last updated in January, Google said that such certificates must provide value to Chrome users that “exceeds the risk of their continued inclusion.” That is no longer the case, according to the Chrome Security Team, which explains that, across recent years, the behavior of Entrust in responding to publicly disclosed incidents has fallen short of its expectations. Google stated this has “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.”

The Entrust Response

In a June 21 posting to the Certification Authority Browser Forum, Entrust president of digital security solutions, Bhagwat Swaroop, stated that some recent incidents “did not get reported and communicated in the appropriate way with the CA/B forum,” and added that “Our initial stance of not revoking the impacted certificates was incorrect.” Swaroop continued to state that none of the “lapses” were malicious or made with ill-intent: “As a global CA we must walk a tightrope in balancing the requirements of the root programs and subscriber needs, especially for critical infrastructure. In some cases, we did not strike the right balance.” Swaroop promised that Entrust is committed to making lasting changes, both organizational and cultural, to begin to regain the trust of the root programs and the community.

It appears that this commitment has come too late as far as Google is concerned. An Entrust spokesperson told The Stack that “The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers.”


What This Means To Google Chrome Users

While Entrust and AffirmTrust TLS server authentication certificates that were signed on or before October 31 will continue to be valid until their expiration date, effective November 1 certificates issued after that date will no longer be trusted in Chrome 127 and later on Android, ChromeOS, Linux, macOS and Windows, and connections using them will be blocked. Users will see a ‘connection not private’ dialog when attempting to connect to any site using a blocked certificate, warning that the site could be trying to steal personal or financial information.

Google has recommended that website operators should transition to another CA Owner as soon as possible. Although Google conceded that the impact of blocking certificates could be delayed by operators installing a new Entrust TLS certificate before the November 1 deadline, it warned that “website operators will inevitably need to collect and install a new TLS certificate from one of the many other CAs included in the Chrome Root Store.”
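For operators who want to check their own exposure, the following script applies the cut-off rule described above to a certificate in the dictionary shape returned by Python's standard `ssl.SSLSocket.getpeercert()`. It is an added example, not code from the article or from Google; the issuer organization names, the 2024 cut-off date and the use of the certificate's notBefore field as a stand-in for its signing date are assumptions, and the sample certificates are constructed, not real.

```python
import ssl
import socket
from datetime import datetime, timezone

# Assumed cut-off: Entrust/AffirmTrust certificates signed after this date are
# distrusted in Chrome 127+, earlier ones stay valid until they expire.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
AFFECTED_ORGS = {"Entrust, Inc.", "AffirmTrust"}  # assumed issuer organizationName values


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def parse_time(text):
    """Convert an ssl-style time string ('Oct 15 00:00:00 2024 GMT') to aware UTC."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def classify(cert, now=None):
    """Classify a leaf certificate: unaffected, expired, distrusted or trusted-until-expiry."""
    now = now or datetime.now(timezone.utc)
    if issuer_org(cert) not in AFFECTED_ORGS:
        return "unaffected"
    if now > parse_time(cert["notAfter"]):
        return "expired"
    if parse_time(cert["notBefore"]) > CUTOFF:   # notBefore used as proxy for signing date
        return "distrusted"
    return "trusted-until-expiry"


def fetch_cert(host, port=443):
    """Fetch a live site's leaf certificate as a getpeercert() dict (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def sample(org, not_before, not_after="Oct 15 23:59:59 2025 GMT"):
    """Build a constructed getpeercert()-shaped dict (not a real certificate)."""
    return {"issuer": ((("organizationName", org),), (("commonName", "EXAMPLE issuer"),)),
            "notBefore": not_before, "notAfter": not_after}


SAMPLE_BEFORE_CUTOFF = sample("Entrust, Inc.", "Oct 15 00:00:00 2024 GMT")
SAMPLE_AFTER_CUTOFF = sample("Entrust, Inc.", "Nov 15 00:00:00 2024 GMT")
SAMPLE_OTHER_CA = sample("Example Other CA", "Nov 15 00:00:00 2024 GMT")
```

Run `classify(fetch_cert("your-host.example"))` against your own hostname to see which category a live leaf certificate falls into; the default context will also refuse the handshake outright if the chain is not trusted locally.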
