In a significant move affecting web security and enterprise IT infrastructure, Google has announced that starting November 2024, Chrome will no longer trust Entrust certificates as part of its trusted root store. This decision is part of a broader strategy to enhance online security and streamline certificate management.
Background
Historically, Google Chrome, like other browsers, has depended on a system’s root store, which includes certificates from trusted certification authorities (CAs) like Entrust. These certificates play a crucial role in securing and authenticating digital communications across the internet.
Changes in Certificate Policy
Google’s new approach involves managing its own certificate root program/store. This shift allows Google to have more direct control over the certificates it trusts, enabling a more uniform security posture across different platforms. As a result, while certificates issued by Entrust are still valid and trusted generally, they will no longer be automatically trusted by Chrome starting from November 2024.
Implications for Users and Enterprises
This update means that organizations using Entrust certificates will need to consider alternative solutions or adjustments to maintain their websites’ compatibility and trust status with Chrome. Since Chrome is a widely used browser, this change could have significant repercussions for website traffic and user trust if not proactively managed.
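As a starting point for that review, the sketch below flags inventory hosts whose leaf certificate was issued by Entrust and reports whether each certificate is still in service at the cutoff. It is an added example, not code from Google or Entrust. Assumptions: the issuer organization contains "Entrust", "starting November 2024" is read as 1 November 2024 (the article gives no day), and the host names and sample certificate data are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: Entrust issuance is recognised by an issuer organizationName
# containing "Entrust"; confirm against the full chain before acting.
ISSUER_MARKER = "entrust"
# Assumption: "starting November 2024" is taken as 1 November 2024 UTC.
CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)


def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate as an ssl.getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def audit(certs):
    """Map host -> finding for every certificate issued by Entrust."""
    findings = {}
    for host, cert in certs.items():
        org = issuer_org(cert)
        if ISSUER_MARKER not in org.lower():
            continue
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        findings[host] = {"issuer": org, "expires": expires.date().isoformat(),
                          "in_service_at_cutoff": expires >= CUTOFF}
    return findings


# Constructed sample data in getpeercert() format (not real certificates).
SAMPLE = {
    "shop.example.test": {"issuer": ((("organizationName", "Entrust, Inc."),),),
                          "notAfter": "Mar 15 12:00:00 2025 GMT"},
    "legacy.example.test": {"issuer": ((("organizationName", "Entrust, Inc."),),),
                            "notAfter": "Sep 30 12:00:00 2024 GMT"},
    "blog.example.test": {"issuer": ((("organizationName", "Constructed CA Ltd"),),),
                          "notAfter": "Jun 01 12:00:00 2025 GMT"},
}
```

For a live inventory, build the input with `{h: fetch_cert(h) for h in hosts}` and pass it to `audit`; hosts with `in_service_at_cutoff` set to true are the ones to prioritise for reissuance.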
Google’s Rationale
Google justifies these changes as a step towards modernizing certificate management and security. The initiative aims to reduce reliance on lengthy certificate validity periods, which can complicate renewal processes across different platforms. Shorter validity periods encourage automation and the adoption of newer security practices, which are essential in the face of evolving cyber threats and the eventual transition to quantum-resistant cryptographic algorithms.
The move has stirred discussions within the cybersecurity community, with various stakeholders examining the implications for internet security standards and enterprise practices. Google has expressed its intention to work collaboratively with other industry players through forums like the CA/Browser Forum to ensure a balanced approach to web security and certificate management.
As we approach November 2024, enterprises and web administrators need to stay informed about these changes and prepare accordingly. Transitioning to new certificates or adjusting existing security frameworks will be crucial to maintaining seamless and secure online experiences for users.
This development marks a pivotal adjustment in Google’s approach to enhancing security and managing digital certificates, urging enterprises to review and possibly revise their certificate management strategies.