Google announced that starting around Nov. 1, 2024, its Chrome browser will begin blocking websites using certificates from Entrust. The company says this decision follows Entrust’s compliance failures and its inability to promptly address security issues.
Entrust is one of the numerous certificate authorities (CAs) Chrome relies on to verify the trustworthiness of websites visited by end users, and it’s one of the most-used ones worldwide. Entrust’s customers include major entities such as Chase Bank, Dell, Ernst & Young, Mastercard, and Merrill Lynch, as well as various governments around the world.
“Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted [certificate authority] owner,” Google’s Chrome security team said.
Consequently, the tech giant announced that starting with Chrome browser versions 127 and higher, it will no longer trust TLS server authentication certificates issued by Entrust by default. Users navigating to a website with a certificate issued by Entrust or AffirmTrust will encounter an interstitial message warning them that their connection is not secure and private.
After the change, Google users can manually trust these roots to maintain current functionality. Enterprise customers will also have the option to override the constraints starting in Chrome 127 if they wish to use Entrust’s certificates within their internal networks.
The blocking will apply to the Windows, macOS, ChromeOS, Android, and Linux versions of the browser. Chrome for iOS and iPadOS will be exempt due to Apple’s policies that prevent the use of the Chrome Root Store.
The move follows a May report by Mozilla, which detailed numerous issues with Entrust’s certificates between March and May this year. In response to the report and the harsh feedback from the Mozilla community, Entrust acknowledged “unnecessary” failures “based on our own mistakes or misjudgments” and said “this input is reflected in our plans.”