Jonathan Care’s Post

Is trust enough? Not always according to Google, at least not when it comes to the certificate authority Entrust: "Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements." "'Certification authorities serve a privileged and trusted role on the internet that underpin encrypted connections between browsers and websites,' Google said. 'With this tremendous responsibility comes an expectation of adhering to reasonable and consensus-driven security and compliance expectations, including those defined by the CA/Browser TLS Baseline Requirements.'" "'Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly trusted CA poses to the internet ecosystem, it is our opinion that Chrome's continued trust in Entrust is no longer justified.'" Fortunately Google is not just shutting Entrust certificate's off cold turkey. Any certificates issued before October 31, 2024 will continue to work throughout their lifespan but new certificates issues after October 31, 2024 will not be trusted. Mozilla has seen similar issues with their own report from May: "It follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year."

Is your Chrome still under padlock? Soon, the secure connection icon will disappear. Even if you try hard, in Chrome 117, you won't be able to find 🔒 HTTPS in the browser bar anymore. Is that all now? Is Pandora's box open, and can we do without an SSL certificate on our website? Of course not! We'll tell you how the world will change without the padlock in HTTPS on Google Chrome and what will happen to websites without SSL certificates. Read blog: https://lnkd.in/gPDmty2Q

#Google To Revoke Trust In #Entrust Digital Certificates. Starting around November 1, 2024, Google #Chrome will begin blocking websites that use certificates issued by Entrust. This decision has been made due to compliance issues and security concerns that Entrust has not adequately addressed in a timely manner, as outlined by Google. What This Means for You: If your website uses an Entrust certificate, visitors using Chrome will not be able to access your site once this change takes effect. To prevent this disruption, strongly recommend that you replace your current Entrust certificate with a certificate from another trusted #certificate authority (CA) as soon as possible. https://lnkd.in/dhFJFBz9

If you are using #Entrust Certificates this is big news! Make sure to change your certificate issuer before November 2024. Also take this opportunity to automate your SSL Certificate lifecycle with #ACME

BREAKING NEWS: Entrust is officially distrusted by Google Chrome with immediate effect! What: All external Entrust SSL/TLS certificates (including AffirmTrust) valid after October 31, 2024, will be distrusted (external Entrust SSL/TLS certificates expiring before November 1, 2024, will not be affected, but can't be renewed from an Entrust Root CA). When: With the release of Google Chrome 127, which is already in beta and expected to go live in production July 12-23, 2024. In other words: Now! Why: This dramatic change happens due to concerning behaviour from Entrust regarding non-compliant security practices and vague explanations to these issues combined with slow and incompetent responses to the questions raised by the industry. Who: All Entrust SSL/TLS customers including resellers and partners will be affected. Invalid certificates already issued and soon to be not possible to issue certificates from Entrust and AffirmTrust Root CAs. Sources: - https://lnkd.in/dmH_6zpD - https://lnkd.in/dUFJKmqH What's next: Read our 3 simple steps to avoid business critical outages here: https://lnkd.in/d3dJf2H2

With 22 years of experience in the web-PKI industry, only once have I experienced anything like this, when Symantec was distrusted in 2017. The difference from that incident to the distrust of Entrust is that in 2017 the market was given around a year to replace the Symantec certificates. This time the market is given 2-3 weeks before Google Chrome 127 will be released (Chrome 127 is already passed beta test this week), hence this could potentially be heading for disaster for enterprises all around the world. We will be happy to help and in the first place help you to discover whether you're affected by this dramatic decision. The one-off TRUSTZONE SSL360 scan (www.trustzone.com) is 100% accurate for the submitted domains and free of charge in a limited period in order to help the market to avoid business critical services from stop working.

Great article on how safe passkeys are and the move away from passwords! 😀

Google is pushing technology in to Chromium (the base for Chrome, MS Edge, and many others) to encourage websites to block other web browsers, disallow browser extensions (e.g. ad blockers), or smaller/new search engines, operating systems, etc. Edit: to clarify they will do this by scanning your computer to check what you are using - approved browser, approved extensions, approved OS - or Google spider etc. and sites will block everything else. A clear push to eliminate competition. Are the authorities capable of regulating something this ingenious? https://lnkd.in/ekHbrmDt #google #web #monopoly #browsers

Google Cuts Ties With Entrust in Chrome Over Trust Issues: Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. From a report: Entrust is one of the many certificate authorities (CA) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default. Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations. The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog. The move follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. Entrust -- after an initial PR disaster -- acknowledged its procedural failures and said it was treating the feedback as a learning opportunity. Read more of this story at Slashdot.

Google Cuts Ties With Entrust in Chrome Over Trust Issues: Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. From a report: Entrust is one of the many certificate authorities (CA) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default. Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations. The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog. The move follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. Entrust -- after an initial PR disaster -- acknowledged its procedural failures and said it was treating the feedback as a learning opportunity. Read more of this story at Slashdot.