Sign in Subscribe

Chrome Drops Trust in Two Certificate Authorities

Chrome Drops Trust in Two Certificate Authorities

Google has announced that its Chrome browser will no longer trust certificates from two major certificate authorities due to a lack of trust and confidence. Over the past year, Google observed patterns of concerning behavior, leading them to conclude that continued trust in these authorities is no longer justified.

The organizations in question are Chunghwa Telecom from Taiwan and Netlock from Budapest. These authorities are part of a select few recognized by Chrome and other browsers, allowing them to issue digital certificates. These certificates are essential as they encrypt traffic and verify the authenticity of websites. The padlocks seen in address bars symbolize the trust secured by these certificates.

According to a statement by the Chrome security team, there were various compliance failures and unmet improvement commitments from these authorities, which failed to show any measurable progress. This lack of progress and trust has led to their removal from Chrome's recognized certificate authorities.

Ryan Hurst, a researcher with decades of experience in working with certificate authorities, notes that such distrust events occur approximately every 15 months. Mozilla's records show several infractions by these organizations, such as failing to disclose important certificate information, not revoking misissued certificates promptly, and not providing mandated updates following security incidents.

Google did not highlight specific offenses leading to this decision, but some well-documented cases include Netlock's repeated compliance failures and Chunghwa Telecom's misleading certificate issuance practices. Chrome will cease to trust all new certificates issued by these authorities after July 31, giving affected users time to transition to new certificate providers.

For users encountering sites with revoked certificates, Chrome will display an error page, signaling a lack of trust. This decision underscores Google's commitment to ensuring the highest security standards for its users.