posted by janrinok on Monday July 01 2024, @03:49AM

Chrome will distrust CA certificates from Entrust later this year

A Certification Authority (CA) issues certificates that help guarantee you're visiting a legitimate website. Over the years, Chrome has had to distrust some CAs, and the Google browser is about to do that again with certificates from Entrust.

Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.

Google points to a list of "publicly disclosed incident reports" that highlight a "pattern of concerning behaviors by Entrust that fall short of the [Chrome Root Program Policy requirements], and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner."

When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the Internet ecosystem, it is our opinion that Chrome's continued trust in Entrust is no longer justified.

[...] Google's recommendation to website owners is to "transition to a new publicly-trusted CA Owner as soon as reasonably possible" before November 1. Meanwhile, other Google products might take similar actions in the future.

[...] More details of Google's roadmap and a FAQ can be found here.

Google cuts ties with Entrust in Chrome over trust issues

Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements.

Entrust is one of the many certificate authorities (CAs) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations.

The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog.

It follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. In response, and after an initial reply that was greeted with harsh feedback from the Mozilla community, Entrust acknowledged its procedural failures, Mozilla noted, and said it was treating the feedback as a learning opportunity.

It now seems Google hasn't been as accepting of Entrust's apologetic response.

[...] Tim Callan, chief experience officer at Sectigo, said in an email to The Reg that the news serves as a reminder to CAs that they must hold themselves to the standards the industry expects of them.

"CAs have to hold themselves to the highest of standards, not only for the sake of their business but for all the people and businesses that depend on them. With a shorter lifecycle timeline of 90 days looming, and the implications of Quantum Computing also on the horizon, things aren't getting any less complicated.

[...] A spokesperson at Entrust sent a statement to The Register: "The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community. We are committed to the public TLS certificate business and are working on plans to provide continuity to our customers."

A little web scraping shows that there are some pretty big name websites that currently use Entrust certs.
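A defender-side check that follows from the roadmap above: given the leaf certificate a server presents (in the shape `ssl.getpeercert()` returns), flag it when the issuer organization is Entrust or AffirmTrust and the certificate is still valid past November 1. This is an added example, not code from Google, Entrust or either article; the `fetch_leaf` helper, the cutoff time and the sample certificates are assumptions, and matching on the issuer name is a triage heuristic rather than a full chain validation.

```python
"""Triage helper for the Entrust/AffirmTrust distrust described above.
Added example; not code from Google, Entrust, or the quoted articles."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Iterable

# Operators named in the announcement; matching issuer organizationName is a triage heuristic.
DISTRUSTED_ORGS = ("Entrust", "AffirmTrust")
# Change date from the summary (assumed here to mean 00:00 UTC).
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc).timestamp()

def issuer_org(cert: dict) -> str:
    """organizationName from an ssl.getpeercert()-style 'issuer' field."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def issued_under_distrusted_org(chain: Iterable[dict]) -> bool:
    """True if any certificate in the chain (leaf first) names a distrusted issuer."""
    return any(issuer_org(c).lower().startswith(d.lower())
               for c in chain for d in DISTRUSTED_ORGS)

def needs_replacement(chain: list[dict]) -> bool:
    """Flag a chain that hits a distrusted issuer and is still valid past the cutoff."""
    expires = ssl.cert_time_to_seconds(chain[0]["notAfter"])
    return issued_under_distrusted_org(chain) and expires > CUTOFF

def fetch_leaf(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live lookup of the leaf certificate a server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples shaped like ssl.getpeercert() output (not real certificates).
ENTRUST_LEAF = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Entrust, Inc."),),
               (("commonName", "Constructed Entrust Intermediate"),)),
    "notAfter": "Mar  1 12:00:00 2025 GMT",
}
OTHER_LEAF = dict(ENTRUST_LEAF, issuer=((("organizationName", "Example Trust LLC"),),))
EXPIRING_ENTRUST_LEAF = dict(ENTRUST_LEAF, notAfter="Oct  1 12:00:00 2024 GMT")

if __name__ == "__main__":
    print("needs replacement:", needs_replacement([ENTRUST_LEAF]))
```

To triage a live host, pass `[fetch_leaf("your.host")]` to `needs_replacement`; a positive hit should be confirmed by inspecting the full chain, since only the leaf's issuer is examined here.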

  • (Score: 4, Interesting) by Anonymous Coward on Monday July 01 2024, @09:11AM

    by Anonymous Coward on Monday July 01 2024, @09:11AM (#1362627)

    Does Chrome on Windows still use Microsoft CA cert stuff? If so, how would the distrust of Entrust work? Blacklist on Chrome itself?

    See also: https://www.proper.com/root-cert-problem/

    In the default configuration for Windows XP with Service Pack 2 (SP2), if a user removes one of the trusted root certificates, and the certifier who issued that root certificate is trusted by Microsoft, Windows will silently add the root certificate back into the user's store and use the original trust settings.

    This might be true even with more recent versions of Windows.

  • (Score: 4, Insightful) by Rosco P. Coltrane on Monday July 01 2024, @02:39PM (7 children)

    by Rosco P. Coltrane (4757) on Monday July 01 2024, @02:39PM (#1362662)

    Right or wrong, Google unilaterally decided to kill off another company.

    That's the power of monopolies.

    • (Score: 4, Interesting) by JoeMerchant on Monday July 01 2024, @03:01PM (5 children)

      by JoeMerchant (3937) on Monday July 01 2024, @03:01PM (#1362663)

      This is the side of "web of trust" that many people never consider: some players just aren't trustworthy.

      You are right: with a monopoly deciding who is trustworthy and who is not, they have absolute unquestionable authority and may unilaterally "freeze out" other players for any reason, or none.

      I feel like the Internet has become the battlefield of the new cold war, if not WWIII. Hopefully this go around you won't be forced to choose one of two sides. If we can develop a wide variety of "trustworthy" definitions suitable for the wide variety of users in the world, that would be a much better basis for continuing global trade and communication / community than the old Axis vs Allies model.

      --
      🌻🌻🌻 [google.com]
      • (Score: 4, Informative) by Rosco P. Coltrane on Monday July 01 2024, @03:09PM (4 children)

        by Rosco P. Coltrane (4757) on Monday July 01 2024, @03:09PM (#1362664)

        they have absolute unquestionable authority

        My beef is that nobody gave it to them. They just took it and nobody can do a damn thing about it.

        • (Score: 5, Insightful) by JoeMerchant on Monday July 01 2024, @03:17PM (2 children)

          by JoeMerchant (3937) on Monday July 01 2024, @03:17PM (#1362665)

          >nobody gave it to them

          In my view they "earned it" via the responsibilities they took on and the lack of other players successfully offering similar products.

          You are absolutely right, this is a monopoly situation, and some kind of anti-monopoly response is called for. Prescription and management of that remedy will be a huge undertaking.

          My preference would be to "fork" Google into five or more clone companies who share technology development resources, but make independent management decisions like these. Possibly managed from the U.S., Europe, Asia, South America and Africa...

          --
          🌻🌻🌻 [google.com]
          • (Score: 2) by Freeman on Monday July 01 2024, @05:51PM (1 child)

            by Freeman (732) on Monday July 01 2024, @05:51PM (#1362679) Journal

            Ah, yes, take the Ma Bell approach. Only took them how long to consolidate again? Pre-1984 *Worst Choices* (except maybe the choices we have today), 1984-2000, bunch of choices, 2000-present (massive consolidation with the final participants being AT&T, Verizon, and T-Mobile). Seems like it's time to start splitting up some companies again.

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
            • (Score: 4, Insightful) by JoeMerchant on Monday July 01 2024, @06:11PM

              by JoeMerchant (3937) on Monday July 01 2024, @06:11PM (#1362681)

              AT&T had far more government backing in achieving their monopoly status.

              Pre-breakup, AT&T was charging $20 per hour for a voice connection over 50km in distance. I think, without the breakup or other serious intervention, that would have continued for a very long time.

              Without the breakup, AT&T management would have seen the potential of the internet to not only slaughter, but vaporize their cash cows, and they would have thrown every regulatory wrench at their disposal at the suppression of internet access to their home, business and government customers. I mean, they're not evil for wanting to preserve the status quo, are they? Serving their shareholders, providing stable employment, reliable service...

              Without the breakup, Iridium probably would have been a raging commercial success.

              What kind of progress did telecommunication make in those 16 years?

              >Seems like it's time to start splitting up some companies again.

              /no s

              --
              🌻🌻🌻 [google.com]
        • (Score: 0) by Anonymous Coward on Friday July 05 2024, @01:05AM

          by Anonymous Coward on Friday July 05 2024, @01:05AM (#1363126)

          Nobody gave it to them? Microsoft gave it to them by making a crappier browser (and browser experience) for years.

          Who forced millions of people to use IE and Edge to download and install the Chrome browser? It's even become a meme.

          If millions of people choose Chrome even though a competing one is preinstalled I think your beef is misplaced.

          See also: https://www.businessinsider.com/microsoft-azure-google-chrome-presentation-video-2017-11

          The video shows company employee Michael Leary demonstrating how customers can migrate their data and work to Azure, Microsoft's cloud-computing service. But in the middle of his presentation, Leary runs into a problem with Microsoft's home-made Edge browser and is forced to download Chrome, the browser from Google, Microsoft's archrival, to continue.

          For the desktop browser there's no monopoly at all. Clearly people can switch if they want and they switched AWAY from IE. Edge has got better but that's more because they switched to Chrome's base code.

          For mobile on Android there's nothing stopping you from installing and using Firefox mobile, or Opera etc. That there's no migration similar to the IE to Chrome thing for Android just means that for most people Chrome isn't significantly worse than competing mobile browsers.

    • (Score: 2) by DannyB on Monday July 01 2024, @07:06PM

      by DannyB (5839) Subscriber Badge on Monday July 01 2024, @07:06PM (#1362683) Journal

      That's the power of monopolies.

      How is this about monopolies?

      It is a problem that only Google, or only Apple, or only Microsoft or Mozilla, or others could do this. But it doesn't seem to be a problem of monopolies.

      The CAs aren't monopolies either. (CA is either Certificate Authority or Coward Anonymous)

      What it says is that if any single big browser company doesn't trust a CA then that CA is out because just that browser giving warnings is enough that no company will want certificates that cause them an avalanche of support calls.

      --
      The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.