Google cuts ties with Entrust in Chrome over trust issues

Move comes weeks after Mozilla blasted certificate authority for failings


Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements.

Entrust is one of the many certificate authorities (CAs) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Crucially, this applies to certificates whose earliest Signed Certificate Timestamp is dated after October 31, 2024. So current certs will continue to work, but new ones after October 31 won't.
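The cutoff rule above is easy to get wrong in a certificate inventory, because the relevant date is the earliest Signed Certificate Timestamp embedded in the certificate, not its issuance or expiry date. The following script is an added illustration, not code from Google, Entrust or The Register: it classifies certificate records against the policy as the article describes it. The root-owner names it matches on, the cutoff of end of October 31, 2024 (UTC), and the sample records are assumptions constructed here; the authoritative list of affected roots is the one in Google's blog.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Cutoff as described in the article: a certificate whose earliest SCT is
# dated after October 31, 2024 and that chains to an Entrust or AffirmTrust
# root stops being trusted by Chrome by default. Assumed to mean end of day UTC.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

# Assumed root-owner organisation names to match on. The exact set of root
# certificates is the list published in Google's blog, not reproduced here.
AFFECTED_ROOT_OWNERS = {"Entrust", "AffirmTrust"}


@dataclass
class CertRecord:
    hostname: str
    root_owner: str                     # O= of the root the chain validates to
    sct_timestamps: List[datetime] = field(default_factory=list)


def _as_utc(ts: datetime) -> datetime:
    # SCT timestamps are UTC; libraries may hand them back naive, so normalise.
    return ts.replace(tzinfo=timezone.utc) if ts.tzinfo is None else ts.astimezone(timezone.utc)


def earliest_sct(record: CertRecord) -> Optional[datetime]:
    if not record.sct_timestamps:
        return None
    return min(_as_utc(ts) for ts in record.sct_timestamps)


def assess(record: CertRecord) -> str:
    """Classify one certificate under the Chrome 127 Entrust policy.

    Returns one of: 'unaffected' (chains elsewhere), 'trusted-until-expiry',
    'distrusted' (earliest SCT after the cutoff) or 'unknown' (no SCTs present,
    so the date rule cannot be applied from the certificate alone).
    """
    if record.root_owner not in AFFECTED_ROOT_OWNERS:
        return "unaffected"
    first = earliest_sct(record)
    if first is None:
        return "unknown"
    return "distrusted" if first > CUTOFF else "trusted-until-expiry"


def needs_new_ca(records: List[CertRecord]) -> List[str]:
    """Hostnames whose certificates will not be accepted by default in Chrome."""
    return sorted(r.hostname for r in records if assess(r) == "distrusted")


def record_from_x509(cert, root_owner: str) -> CertRecord:
    """Build a CertRecord from a `cryptography` x509.Certificate (optional helper).

    Uses the real PrecertificateSignedCertificateTimestamps extension; a
    certificate without that extension yields an empty SCT list.
    """
    from cryptography import x509  # imported lazily so the rest runs without it
    try:
        ext = cert.extensions.get_extension_for_class(
            x509.PrecertificateSignedCertificateTimestamps)
        timestamps = [sct.timestamp for sct in ext.value]
    except x509.ExtensionNotFound:
        timestamps = []
    hostname = cert.subject.rfc4514_string()
    return CertRecord(hostname=hostname, root_owner=root_owner, sct_timestamps=timestamps)


# Constructed sample inventory (not real hosts or certificates).
SAMPLE_INVENTORY = [
    CertRecord("shop.example.test", "Entrust",
               [datetime(2024, 9, 2, 8, 0, tzinfo=timezone.utc)]),       # old cert
    CertRecord("api.example.test", "Entrust",
               [datetime(2024, 11, 4, 12, 0),                             # naive UTC
                datetime(2024, 11, 4, 12, 1, tzinfo=timezone.utc)]),
    CertRecord("legacy.example.test", "AffirmTrust", []),                 # no SCTs
    CertRecord("docs.example.test", "Some Other CA",
               [datetime(2025, 1, 15, 0, 0, tzinfo=timezone.utc)]),
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(f"{rec.hostname:22} {assess(rec)}")
    print("needs a new CA before the cutoff:", needs_new_ca(SAMPLE_INVENTORY))
```

Two points in the design matter for anyone automating this: a certificate with no embedded SCTs is reported as `unknown` rather than silently treated as trusted, and the root owner is a separate input because the policy keys on where the chain validates to, not on the immediate issuer.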

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations.

The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog.

It follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. In response, and after an initial reply that was greeted with harsh feedback from the Mozilla community, Entrust acknowledged its procedural failures, Mozilla noted, and said it was treating the feedback as a learning opportunity.

It now seems Google hasn't been as accepting of Entrust's apologetic response.

Per the November cutoff, Google is providing a long grace period it said will hopefully minimize any potential disruption. Certificates issued before October 31 will remain trusted as long as they validate to the roots specified in Google's blog.

Google users can manually trust these roots after the change to maintain their current functionality. Enterprises will be able to override the constraints described here starting in Chrome 127, should they want to use Entrust's certificates in their internal network too.

"Certification authorities serve a privileged and trusted role on the internet that underpins encrypted connections between browsers and websites," Google said. "With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.

"Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly trusted CA poses to the internet ecosystem, it is our opinion that Chrome's continued trust in Entrust is no longer justified."

The changes will be applied to Chrome users across all the major OSes except Chrome on iOS, which doesn't allow Chrome's own certificate verification to work on iPhones and iPads. MacOS is unaffected by this exception, though, and will block Entrust certs from November like everything else.

For owners of websites, this means they'll need to choose a new CA owner before the November cutoff – but ideally as soon as possible – to ensure visitors aren't met with Chrome's warning page designating the connection to the site as unsafe.

Tim Callan, chief experience officer at Sectigo, said in an email to The Reg that the news serves as a reminder to CAs that they must hold themselves to the standards the industry expects of them.

"CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them. With a shorter lifecycle timeline of 90 days looming, and the implications of Quantum Computing also on the horizon, things aren't getting any less complicated.

"It's more important than ever that CAs and CLM providers stay at the top of their game and fully comply with CA/Browser Forum rules and baseline requirements."

A spokesperson at Entrust sent a statement to The Register: "The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers." ®

Editor's note: This article was revised to make clear that new certificates will be affected by this change.
