Google is making some serious changes to digital certificate security on the web, the company announced on its Security blog. The big news is that Google will no longer trust certificates from two large security firms — Entrust or AffirmTrust — due to repeated security lapses.
According to Google, the companies, which are Certificate Authorities (CA), have demonstrated patterns of unmet improvement commitments, compliance failures, and no measurable progress in how fast the company responds to publicly disclosed incident reports.
Digital certificates are an online file that authenticates and secures the data of a site, and they’re frequently the target of hackers. Exploiting a vulnerable digital certificate can be a huge deal for online security, hence why Google’s taking the measure so seriously.
As a result of Google’s decision, Chrome users will see warnings about untrusted connections as early as October 31, 2024. According to Entrust, however, certificates issued before then will remain valid and trusted by Google.
Users will see this warning regarding TLS server authentication certificates when they update to Chrome 127+ and the ERR_CERT_AUTHORITY_INVALID error when they access this type of site. Sites that use Entrust include merrilledge.com, moneygram.com, and ey.com.
You can always check if a connection is secure by clicking the “Tune” icon in Chrome on the left of the address bar > Connection is secure > Certificate is valid. Website owners can rest easy if the organization field under the “Issued By” heading doesn’t list Entrust or AffirmTrust.
Google is advising website owners to move to a new publicly trusted CA Owner as soon as possible before the deadline. It is also likely that this may set a precedent for future actions by the tech giant regarding other Google products.
However, it’s worth noting that Enterprise customers will have the option of continuing to trust Entrust if that is what they choose to do.
This isn’t the first time Google has warned companies to clean up their act. In 2015, they also gave Symantec an ultimatum concerning unauthorized HTTPS certificates that employees had been issuing. Despite the news of sites being tagged unreliable, there are ways you can dramatically increase security in Google Chrome, such as by encrypting your passwords.
