Google Chrome will soon flag several websites for invalid certificates

From the earliest days of computing, computer scientists have recognized the need for the secure transport of information. Early computer protocols like Telnet would broadcast information (like usernames and passwords) across the internet without encryption, making it visible to anyone who wanted to look. Those early protocols were replaced with more secure protocols that rely on public-key encryption to transport data, and a similar public-key encryption is what most websites today rely on to move your information securely between their servers and your browser.

Websites use digital certificates to validate their identity and provide public cryptography keys that your browser can use to establish a secure connection. But, your browser won’t trust just any certificate. Instead, your browser has an internal list of trusted certificate issuers (they’re usually called root stores, here’s Chrome’s root store) with which it will automatically establish a secure connection. Today, Google announced that it’s kicking at least one certificate issuer off of that list.

Who gets the boot?

In a post released today on Google’s Security Blog (spotted by 9to5Google), the company singles out the certification authority (CA) Entrust. It doesn’t appear that Entrust has done just one thing to get on Google’s naughty list, rather it’s a pattern of behavior. To get on Google’s nice list, CAs have to jump through more than a few hoops, and Google makes clear in its blog post that Entrust has “fallen short” of its expectations. Indeed, Google doesn’t mince words when it says Entrust’s actions have “eroded confidence in their competence, reliability, and integrity as a publicly-trusted CA Owner.” Ouch.

The exile of Entrust from the annals of the elite CAs won’t take place immediately. Rather, any Entrust certificate issued after October 31, 2024 will no longer be trusted by Chrome as a matter of course. That isn’t to say that Chrome users will lose access to any sites that use certificates issued by Entrust, users will simply need to manually enable trust in Entrust, or wade through a warning screen when visiting a site that uses Entrust’s certificates. These changes will affect all Chrome users except for iOS users.

Why you should care about certificates

You’ve probably come across a few certificate warnings on your browser if you’ve spent any time wandering the web. For the most part it’s not a big deal if you go to one of these browser-designated “dangerous” sites, but you should be aware that these sites most likely aren’t using encryption to move data between the server and the browser. That means if you use a username or password on one of these unsecured sites, someone could be listening in and taking that information from you. In other words, don’t use any personal information on an unsecured site. Having an up-to-date certificate is also a sign of a website that takes itself and its security seriously.

Related

What is end-to-end encryption?

How can an app send messages that only you can decode?

Given that any site using Entrust will now appear as untrustworthy, many big names on the internet are probably scrambling to change their certificate providers. Entrust is currently used by sites such as MoneyGram and the US Department of Energy, but unless Entrust can strike a deal with Google, it’s almost a sure thing that they’ll be switching providers. It’s worth noting that Entrust is currently on Firefox’s list of trusted CAs, but given that Chrome controls over 65% of the browser market, Firefox’s opinion on Entrust isn’t likely to move the needle.

We have reached out to Google, Entrust, and Mozilla for comment on this story and will update if they respond.