Google Chrome to Revoke Access to Entrust Certificates

In a recent development impacting internet security, Google Chrome has announced plans to revoke trust for Entrust SSL/TLS certificates within its Chrome Root Store. This decision is set to affect not only Chrome but also other Chromium-based browsers such as Microsoft Edge and Brave, unless their respective distributions choose to maintain trust for Entrust certificates independently.

it is our opinion that Chrome's continued trust in Entrust is no longer justified.

Google Security Blog

Understanding SSL/TLS Certificates

SSL/TLS certificates play a crucial role in ensuring secure communication over the internet. These digital certificates authenticate the identity of websites and encrypt data transmitted between servers and clients, safeguarding against eavesdropping and tampering. The certificate issuance process involves a hierarchical structure of Certificate Authorities (CAs), including root CAs and intermediate CAs. Root CAs are at the top of this hierarchy, issuing intermediate certificates that, in turn, can issue end-entity certificates to websites. This chain of trust ensures that browsers can verify the authenticity of a website’s SSL/TLS certificate back to a trusted root CA. The root CA’s themselves go through stringent auditing from firms including the big 5. This process and a proven positive track record allows them to convince browsers and operating systems to ship these root certificates with their software and hardware. There are quite a few trusted root certificates, but what makes this case so extraordinary is the size of Entrust.

Impact on Entrust Certificates

Entrust is recognized as the world’s third-largest provider of SSL/TLS certificates in the enterprise market, serving 10% of the main websites of Fortune 500 companies (as of 28th June 2024). With DigiCert at 1st place with a 35% market share, and Let’s Encrypt 2nd, with a 15% share. Note that the enterprise market’s certificate distribution is not representative of the entire market. But many large organizations who rely on Entrust certificates to secure their websites and ensure trust with their users will now be scrambling to change certificate providers by the 31st October deadline. Should they fail to do so in time, it will mean that browsers such as Chrome will no longer trust the website’s authenticity, warning users of an insecure connection.

Chrome Root Store and Beyond

The Chrome Root Store, managed by Google, is the source of truth for which CAs and their respective certificates are trusted by default in the Chrome browser and other Chromium-based browsers. While Google’s decision directly affects Chrome, other browsers like Microsoft Edge and Brave, which also rely on the Chromium engine, may follow suit unless their maintainers decide otherwise. As of July 1st, Mozilla Firefox, which is not Chromium based, was yet to make a decision. For further insights into the Chrome Root Store and its implications, refer to Google’s official documentation. This resource provides detailed information on the criteria for inclusion and exclusion of CAs and certificates within the Chrome ecosystem. The decision by Google Chrome to revoke trust for Entrust certificates underscores the critical role of certificate authorities in maintaining internet security. Organizations affected by this change must evaluate their SSL/TLS certificate provider options to ensure continued trust and security for their online operations. It starts by building an SSL/TLS certificate inventory for your organization.

Is this situation unprecedented?

The move by Google Chrome to revoke trust for Entrust certificates echoes similar actions taken in the past against other certificate authorities. For instance, the DigiNotar incident in 2011 highlighted vulnerabilities in the trust model when rogue certificates were issued, leading to widespread security concerns. Subsequently, Symantec faced repercussions in 2017 due to improperly issued certificates, prompting browser vendors to reduce trust in Symantec certificates and eventually remove them from trusted stores.

BIMI - Brand Indicators for Message Identification

BIMI, or Brand Indicators for Message Identification, is a standard that enhances email security and authenticity. It allows organizations to display their logos next to authenticated emails in supporting email clients. By linking a brand’s logo to verified email domains through DMARC (Domain-based Message Authentication, Reporting & Conformance), BIMI helps recipients quickly recognize legitimate messages, reducing phishing risks and improving brand trust. This visual verification can significantly enhance email marketing effectiveness and customer confidence in received communications. While there are a large number of root and intermediate TLS/SSL certificate providers, for BIMI, only two certificate providers are currently recognized by BIMI Group. Google’s announcement only discusses the SSL/TLS root certificates, and it does not directly mention the two BIMI certificates in use by Entrust; “Entrust Certificate Authority - VMC1”, and “Entrust Verified Mark CA - VMC2” respectively. It is not yet clear whether Google’s email client Gmail will cease to recognize BIMI, but should it do so, then Digicert would gain a monopoly on BIMI. Further slowing down rollout. Only 14 use Entrust, and 12 use DigiCert, making just over 5% of Fortune 500 companies. Should Entrust BIMI certificates also have their trust revoked by Google or any of the many independent BIMI-adhering mailbox providers around the world, then DigiCert would gain a complete monopoly on issuing BIMI certificates.

[2021] VMCs are being issued by two BIMI-qualified Certification Authorities, DigiCert and Entrust Datacard.

BIMI Group

See the response from Entrust here.