A Revamp of Web Security

Google Chrome is set to implement a major security measure by distrusting certificates issued by Entrust, a prominent Certificate Authority (CA), starting in late 2024. This decision is expected to impact a wide range of websites, including those belonging to major organizations such as Bank of America, ESPN, and IRS.gov.
Digital certificates, specifically SSL/TLS certificates, play a crucial role in establishing secure connections between users and websites. These certificates, issued by trusted CAs, serve as a security seal that helps users verify the legitimacy of a website and ensures encrypted communication to prevent data breaches.
The decision to remove Entrust from Chrome’s list of trusted CAs comes after several years of what Google describes as “compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress.” This pattern of shortcomings has led Google to lose confidence in Entrust’s ability to maintain security standards and act as a reliable CA.
While the impact of this move may seem minimal, given that Entrust certificates account for only a small fraction of certificates compared with providers like Let’s Encrypt, the ripple effect is significant because of the high-profile websites that rely on Entrust for their security certificates. Organizations such as Bank of America, BookMyShow, ESPN, and government websites like IRS.gov are among those affected by this decision.
For users and website owners, the implications of Chrome’s decision are clear. Starting from November 1, 2024, users visiting websites with Entrust certificates will be greeted with a full-page warning indicating that the site is not secure. While existing Entrust certificates will be given a grace period until their expiration date, website owners are advised to transition to a different CA before that time.
To maintain a secure web environment, it is imperative for website owners using Entrust certificates to act promptly and switch to a different CA. Let’s Encrypt, a popular and reliable option, is recommended for its free and trusted services. By prioritizing user protection, Chrome’s decision aims to eliminate trust in potentially compromised certificates and uphold security standards across the internet ecosystem.
In the context of Entrust’s controversy, discussions on Mozilla’s Bug Tracker have shed light on specific incidents that have raised concerns about the CA’s adherence to security practices. Issues like the failure to revoke specific EV TLS certificates and a lack of transparency in incident handling have amplified calls for stricter oversight of CAs like Entrust.
While internal networks have the option to bypass Chrome’s changes by installing affected certificates as trusted, the broader implications of Entrust’s compliance incidents highlight the need for consistent and stringent security measures in the issuance and handling of certificates. The decision to distrust Entrust certificates serves as a reminder of the importance of holding CAs accountable for maintaining the highest security standards to ensure the safety of internet users.
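
For site owners planning the migration described above, the following added example (not part of the original article and not Google's or Entrust's tooling) flags certificates whose issuer organization looks like Entrust and reports the days left before expiry. The substring match on the issuer organization and the `fetch_leaf` and `assess` helper names are assumptions made for illustration; the authoritative list of affected roots is in Chrome's own announcement.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: affected issuers are matched by this substring. It is a
# heuristic; the authoritative list of roots is in Chrome's notice.
ISSUER_MARKER = "entrust"


def fetch_leaf(host, port=443, timeout=5.0):
    """Return the validated leaf certificate of host as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Extract organizationName from the issuer field (a tuple of RDNs)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def assess(cert, now=None):
    """Classify one certificate: issuer match and days left until notAfter."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    org = issuer_org(cert)
    return {
        "issuer_org": org,
        "affected": ISSUER_MARKER in org.lower(),
        "days_left": (expires - now).days,
    }


if __name__ == "__main__":
    # Constructed sample in getpeercert() format, not a real certificate.
    sample = {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Entrust, Inc."),),
                   (("commonName", "Example Issuing CA"),)),
        "notAfter": "Mar  1 12:00:00 2025 GMT",
    }
    print(assess(sample, datetime(2024, 11, 1, tzinfo=timezone.utc)))
```

To audit live endpoints, pass the result of `fetch_leaf("your.host.example")` to `assess` for each hostname in your inventory.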
