Google Chrome to Stop Loading Sites Using Entrust Certificates in November

The Chrome Security Team has announced that starting with Chrome 127, certificates issued by Entrust and AffirmTrust will no longer be trusted if their earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024.

This move aims to uphold the integrity of the Web PKI ecosystem and protect Chrome users from potential security risks associated with non-compliant Certificate Authorities (CAs).

Background and rationale

Certificate Authorities (CAs) are critical to internet security because they issue digital certificates that verify the authenticity of websites, enabling encrypted connections between browsers and web servers. This encryption ensures that data transmitted between users and websites remains private and secure.

Users should care about using trusted certificates because they provide assurance that the website they are interacting with is legitimate and has not been tampered with by malicious actors. Without trusted CAs, the risk of data breaches, phishing attacks, and other security threats increases significantly, undermining the overall trust and safety of online interactions.

In a post published on its security blog, Google explained that the decision to implement this block stems from a series of publicly disclosed incident reports that revealed concerning behaviors by Entrust over the past several years.

These behaviors, which include compliance failures and unmet improvement commitments, have eroded confidence in Entrust’s competence, reliability, and integrity as a CA. As CAs play a critical role in securing encrypted connections on the internet, their failure to meet security and compliance standards poses significant risks for users, which Google finds unacceptable.

Affected certificates

The distrust will specifically affect TLS server authentication certificates validating to the following Entrust roots:

  • Entrust Root Certification Authority – EC1
  • Entrust Root Certification Authority – G2
  • Entrust.net Certification Authority (2048)
  • Entrust Root Certification Authority (2006)
  • Entrust Root Certification Authority – G4
  • AffirmTrust Commercial
  • AffirmTrust Networking
  • AffirmTrust Premium
  • AffirmTrust Premium ECC

Certificates issued by these roots before October 31, 2024, will remain trusted. However, any certificates issued after this date will be distrusted by default starting November 1, 2024, when Chrome 127 is expected to be released. This will apply across all platforms where Chrome operates, except for iOS due to Apple’s policies.

Scope of impact

Starting from November 2024, Chrome will stop loading sites with certificates issued by Entrust or AffirmTrust after October 31, 2024, unless users or enterprises explicitly trust these certificates through local settings. Affected websites will display a security warning that prevents users from accessing them until the certificates are replaced, unless the user specifically chooses to proceed anyway.

[Image: Error that will be served on untrusted sites (source: RestorePrivacy)]

Entrust and AffirmTrust are significant players in the digital certificate market, and it’s estimated that thousands of websites currently use certificates issued by these authorities, so the impact for internet users could be significant. This concerns not only sites people directly attempt to access, but also APIs and other online services using those certificates.

Chrome’s built-in Certificate Viewer tool can help users determine if a website’s certificate is affected by Google’s decision.

For website operators, Google suggests that they move quickly to identify whether they use certificates from Entrust or AffirmTrust, and to obtain and install new certificates from a trusted CA included in the Chrome Root Store before October 31, 2024. Finally, it's important to test the new configurations by using command-line flags in Chrome 128 (available in Canary/Dev) to simulate the SCTNotAfter distrust constraint and ensure the new certificates work correctly.
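As an added example (not code from the article or from Google's tooling), the SCTNotAfter decision described above applied to a certificate's root CN and its RFC 6962 SCT list: the chain must end at one of the listed roots and the earliest SCT must be dated after October 31, 2024. The root CN strings and the fixture SCTs built by make_sct_list are assumptions for illustration.

```python
import struct
from datetime import datetime, timezone

# Root subject CNs for the roots named in the announcement (ASCII hyphens; the
# "(2006)" root's CN is assumed to be the bare "Entrust Root Certification Authority").
DISTRUSTED_ROOT_CNS = {
    "Entrust Root Certification Authority - EC1",
    "Entrust Root Certification Authority - G2",
    "Entrust.net Certification Authority (2048)",
    "Entrust Root Certification Authority",
    "Entrust Root Certification Authority - G4",
    "AffirmTrust Commercial",
    "AffirmTrust Networking",
    "AffirmTrust Premium",
    "AffirmTrust Premium ECC",
}
# SCTNotAfter: the last instant of October 31, 2024 (UTC) that is still trusted, in ms.
SCT_NOT_AFTER_MS = int(datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc).timestamp() * 1000)

def utc_ms(year: int, month: int, day: int, hour: int = 0) -> int:
    """Milliseconds since the Unix epoch for a UTC date, the unit SCT timestamps use."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp() * 1000)

def sct_timestamps(sct_list: bytes):
    """Yield each v1 SCT's timestamp (ms) from an RFC 6962 SignedCertificateTimestampList."""
    (total,) = struct.unpack(">H", sct_list[:2])
    pos, end = 2, 2 + total
    while pos < end:
        (n,) = struct.unpack(">H", sct_list[pos:pos + 2])
        sct, pos = sct_list[pos + 2:pos + 2 + n], pos + 2 + n
        # v1 SCT layout: version(1) | log_id(32) | timestamp(8) | extensions | signature
        if sct[0] == 0:
            yield struct.unpack(">Q", sct[33:41])[0]

def chrome_distrusts(root_cn: str, sct_list: bytes) -> bool:
    """Distrust only if the chain ends at a listed root AND the earliest SCT is after the cutoff."""
    # Certificates carrying no SCTs are left to Chrome's separate CT policy (False here).
    if root_cn not in DISTRUSTED_ROOT_CNS:
        return False
    timestamps = list(sct_timestamps(sct_list))
    return bool(timestamps) and min(timestamps) > SCT_NOT_AFTER_MS

def make_sct_list(*timestamps_ms: int) -> bytes:
    """Constructed fixture: minimal v1 SCTs (zero log id, empty extensions and signature)."""
    scts = b""
    for ts in timestamps_ms:
        body = b"\x00" + bytes(32) + struct.pack(">Q", ts) + b"\x00\x00" + bytes(4)
        scts += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(scts)) + scts
```

Note that a certificate with one SCT before the cutoff and a later one after it stays trusted, because the rule keys on the earliest SCT.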
