Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Google's Chrome Security Team has announced the distrust of certain Entrust certificates due to a pattern of concerning behaviors that have eroded confidence in their reliability. Starting from Chrome 127, TLS server authentication certificates from specific Entrust roots with SCTs dated after October 31, 2024, will no longer be trusted by default. This action aims to maintain the integrity of the Web PKI ecosystem. Website operators are advised to review their certificates to ensure compliance. Enterprises using Entrust certificates internally can override these constraints by locally trusting the root CA certificate. The blocking action will begin on November 1, 2024, affecting certificates issued thereafter. Chrome users visiting websites with affected certificates after this date will see a full-page interstitial warning. Other Google products may also implement similar updates in the future.
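To make the SCT-based cutoff concrete, here is an added example (not code from the article, from Chrome, or from Entrust) that parses an RFC 6962 SignedCertificateTimestampList as carried in a certificate's SCT extension and applies an SCTNotAfter-style rule: a chain to a constrained root is trusted only if its earliest SCT is at or before October 31, 2024. The SCTs and log ID below are constructed inputs; the "chains to an Entrust root" flag is assumed to come from the caller's chain building.

```python
import struct
from datetime import datetime, timezone

# Cutoff stated on the page: SCTs dated after October 31, 2024 (UTC) are affected.
SCT_NOT_AFTER = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)

def parse_sct_list(data: bytes) -> list:
    """Parse a TLS-encoded SCT list (RFC 6962 s3.3); return log_id and timestamp per SCT."""
    (total,) = struct.unpack(">H", data[:2])
    body, scts, pos = data[2:2 + total], [], 0
    while pos < len(body):
        (sct_len,) = struct.unpack(">H", body[pos:pos + 2])
        sct = body[pos + 2:pos + 2 + sct_len]
        pos += 2 + sct_len
        if sct[0] != 0:                      # only v1 SCTs are defined
            raise ValueError(f"unknown SCT version {sct[0]}")
        log_id = sct[1:33]                   # 32-byte SHA-256 of the log's public key
        (ts_ms,) = struct.unpack(">Q", sct[33:41])  # milliseconds since the Unix epoch
        # extensions and the log signature follow; not needed for the date check
        scts.append({"log_id": log_id.hex(),
                     "timestamp": datetime.fromtimestamp(ts_ms / 1000, timezone.utc)})
    return scts

def earliest_sct(scts) -> datetime:
    return min(s["timestamp"] for s in scts)

def chrome_trusts(chains_to_constrained_root: bool, scts) -> bool:
    """Mirror the SCTNotAfter constraint: distrust only when the chain ends at a
    constrained (here: Entrust) root AND the earliest SCT is past the cutoff."""
    if not chains_to_constrained_root:
        return True
    if not scts:
        return False  # nothing proves the certificate was logged before the cutoff
    return earliest_sct(scts) <= SCT_NOT_AFTER

def build_sct(ts_ms: int, log_id: bytes = b"\x11" * 32) -> bytes:
    """Constructed v1 SCT: empty extensions, dummy sha256/ecdsa signature."""
    sig = bytes([4, 3]) + struct.pack(">H", 2) + b"\x00\x00"
    body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + struct.pack(">H", 0) + sig
    return struct.pack(">H", len(body)) + body

def build_sct_list(*scts: bytes) -> bytes:
    body = b"".join(scts)
    return struct.pack(">H", len(body)) + body

# Constructed inputs: a certificate logged before the cutoff and one logged after it.
OCT_30_2024 = int(datetime(2024, 10, 30, tzinfo=timezone.utc).timestamp() * 1000)
NOV_02_2024 = int(datetime(2024, 11, 2, tzinfo=timezone.utc).timestamp() * 1000)
OLD_CERT_SCTS = parse_sct_list(build_sct_list(build_sct(OCT_30_2024), build_sct(NOV_02_2024)))
NEW_CERT_SCTS = parse_sct_list(build_sct_list(build_sct(NOV_02_2024)))
```

In a real check the SCT list bytes come from the certificate's 1.3.6.1.4.1.11129.2.4.2 extension, and the earliest timestamp is what matters even when later SCTs were added at renewal.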
Related
US Bans Kaspersky Software
The US Commerce Department banned Kaspersky's antivirus sales to new customers from July 20, limiting updates for existing users until September 29. Alleged national security concerns over Kaspersky's Russian ties prompted the ban.
BeyondCorp (2014)
Google's BeyondCorp approach rethinks enterprise security by moving away from traditional perimeter security to enhance protection in the changing tech environment. Visit the link for more details on this innovative strategy.
Namecheap Takes Down Polyfill.io Service Following Supply Chain Attack
Namecheap took down Polyfill.io due to a supply chain attack. Malware was distributed to 110,000 websites, redirecting mobile users to a betting site. Google warned affected pages. Users should remove Polyfill.io and consider alternatives like Cloudflare or Fastly.
TeamViewer Security Breach
TeamViewer detected an internal IT irregularity, investigating with cyber experts. No impact on product environment or customer data. Emphasis on security, transparency, and proactive measures to maintain trust and safety.
Chrome will distrust CA certificates from Entrust later this year
Google will stop trusting Entrust CA certificates from November 1, citing compliance failures. Websites using Entrust certs, like moneygram.com and ey.com, must switch to a new CA to avoid security warnings. Enterprise customers can still trust Entrust.
https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM...
How dysfunctional does a company have to be to let this happen?
I was wondering how Chrome was able to revoke a certificate based on time without trusting the CA to not back date certificates and it looks like this is due to being able to trust certificate transparency logs instead. This is where they get the signed certificate timestamps (SCT) from.
I’m also an author on https://webpki.substack.com. I will be writing my thoughts on the distrust soon.
I can try to answer any questions folks may have. I can also help folks find ways they can also be involved!
Root programs can only do so much and need surveillance of the CAs from the community.
https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM...
And for a CA, credibility is everything
This continues to annoy me. Chrome (and other browsers) have detailed trust constraints, e.g. SCTNotAfter, in their own root stores. Why can’t administrators do the same thing?
Directly from Entrust: "Yes, there has been ongoing internal discussion and reflection on the issues found in this and other incidents, which has led to the action items described previously and ongoing changes, including the decision to revoke the certificates affected by this bug. Exceptional circumstances would need to be provided and justified by the Subscribers. Given the nature of the feedback we have received to date, we doubt that the community has any real interest in anything that Entrust could suggest, except to use against Entrust in a destructive, not constructive, way. We therefore would like more explicit and clear guidelines or a definition of “exceptional circumstances” to be adopted and applied equally to all CAs, perhaps through updates in the CA/B Forum requirements."
it looks like Entrust is selling on the order of a few dozen certs a week to maybe upwards of 100-200.
EDIT: I've asked Google if Gmail will be discontinuing support for Entrust's VMC certificate (and thus BIMI logos). I would guess not since BIMI has some actual requirements, but assumptions are not the best way to make decisions about risk (like our BIMI logo not working later this fall).
There's now also the problem of competing with a free alternative that increasingly almost everyone knows about.
Wonder how secure that is? That has real potential for extracting value.
chase.com aa.com