Google is making some important changes to the security of digital certificates on the web, the company announced on its Security blog. The big news is that Google will no longer trust certificates from two large security companies (Entrust or AffirmTrust) due to repeated security flaws.
According to Google, the companies, which are certification authorities (CAs), have demonstrated patterns of unmet improvement commitments, compliance failures, and no measurable progress in how quickly the company responds to publicly disclosed incident reports.
Digital certificates are online files that authenticate and protect a site’s data and are often targeted by hackers. Exploiting a vulnerable digital certificate can be a big problem for online security, which is why Google takes this measure so seriously.
Get Microsoft Office for Windows/Mac for $25
$229
Save $204
Lifetime access to Word, Excel, PowerPoint, Outlook, OneNote, Publisher, and Access.
$229
Save $204
As a result of Google’s decision, Chrome users will see warnings about untrusted connections starting October 31, 2024.
Users will see this warning about TLS server authentication certificates when they upgrade to Chrome 127+ and the error ERR_CERT_AUTHORITY_INVALID when accessing this type of site. Sites that use Entrust include merrilledge.com, moneygram.com, and ey.com.
You can always check if a connection is secure by clicking the “Tune in” icon in Chrome to the left of the Address bar > The connection is secure > The certificate is valid. Website owners can rest assured if the organization field under the “Issued by” heading does not include Entrust or AffirmTrust.
Google recommends website owners switch to a new publicly trusted CA owner as soon as possible before the deadline. This is also likely to set a precedent for future actions by the tech giant regarding other Google products.
However, it is worth noting that enterprise customers will have the option to continue to rely on Entrust if that is what they choose to do.
This is not the first time that Google has warned companies that they must improve their behavior. In 2015, it also gave an ultimatum to Symantec regarding unauthorized HTTPS certificates that employees had been issuing. Despite news about sites being labeled untrustworthy, there are ways to dramatically increase security in Google Chrome, such as encrypting passwords.
