Google Cuts Ties With Entrust in Chrome Over Trust Issues

Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. From a report: Entrust is one of the many certificate authorities (CA) used by Chrome to verify that the websites end users visit are trustworthy. From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won't be trusted by default.

Google pointed to a series of incident reports over the past few years concerning Entrust, saying they "highlighted a pattern of concerning behaviors" that have ultimately seen the security company fall down in Google's estimations. The incidents have "eroded confidence in [Entrust's] competence, reliability, and integrity as a publicly trusted CA owner," Google stated in a blog. The move follows a May publication by Mozilla, which compiled a sprawling list of Entrust's certificate issues between March and May this year. Entrust -- after an initial PR disaster -- acknowledged its procedural failures and said it was treating the feedback as a learning opportunity.

It figures

[fahrbot-bot]

Google Cuts Ties With Entrust in Chrome Over Trust Issues

Can't trust a company with "Trust" in their name. Similarly, guess I'm going to have to rethink investing my money in the "Pinky-Swear We Won't Steal Your Money Crypto Exchange" and warn my wife about the clothing brand, "Honest, Our Clothes Won't Make you Look Fat". Sigh, can't trust anyone anymore -- oh, right.

Re:

[Briareos]

Can't trust a company with "Trust" in their name.

That's why we still need to convince Mozilla to add Honest Achmed's root certificate [mozilla.org] instead...

Re:

[AmiMoJo]

The certificate business has been hit hard by all major browsers demoting the "enhanced" ones to the same status as a basic free cert you can get from LetsEncrypt. There is very little reason to pay for one now, at least as far as the web goes.

These guys are going bankrupt soon. Once Chrome removes them their certificates are worthless, and all their existing customers will be wanting refunds.

Shocked Google did it

[Bill, Shooter of Bul]

I'm not trying to minimize Entrust's failures, but they're not insanely bad. It seems like most of it is that they're really slow in revoking certs. Which isn't good, but its not like they're issuing certs to the wrong people. Its really good that Google has set the bar this high, will be interesting to see the fallout. Entrust is very widely used. Grabs popcorn throws it on the ground with a 24 oz coke, then pulls candy bar out of hidden pocket for a true movie watchin experience.

Trust models. I know which one I trust more.

[Seven Spirals]

Let's just ask a basic question. Do you trust the corporate model of SSL security where some other corporate entity "fact checks" the claim that the certificate applicant is legit? Remember these?

DigiNotar (2011): Hackers issued rogue certificates, leading to man-in-the-middle attacks.
Comodo (2011): Attackers issued fraudulent certificates for major domains, targeting Iranian users.
Symantec (2015-2017): Improperly issued numerous certificates, leading to distrust by major browsers.
Trustwave (2012): Issued a subordinate root certificate for internal security monitoring, enabling man-in-the-middle attacks.

.... OR would you rather the trust model was crowd-sourced like PGP's web-of-trust where you first decide who you trust then the model is evaluated based on your trust? I think the whole x.500 suite of protocols are garbage. If it's not the terrible trust model, it's terrible implementations that gave us things like Heartbleed. I'd love to see the whole thing start over from scratch.

We could replace certificate authorities (CA)

[danielcolchete]

If we create a DNS RECORD TYPE for certificate fingerprints and we use that to authenticate public certificates from websites than we won't be required to use a CA anymore. IIUC this is as safe as what we already do today:

- It's already possible to emit a certificate based on dns authentication (https://letsencrypt.org/docs/challenge-types/#dns-01-challenge)

- Browsers already authenticate root certificates based on their fingerprints (https://chromium.googlesource.com/chromium/src/+/main/net

Re:We could replace certificate authorities (CA)

[dskoll]

But the whole point of a certificate is to make sure that if you connect to example.com, you really are connected to that machine. If someone can monkey with your DNS to get you to connect to the wrong machine, they can also monkey with your DNS to feed you whatever key fingerprint they want (think ISPs or state actors who want to MITM users.)

LetsEncrypt's DNS validation is a little different because the machine that does the DNS lookup to do the validation is not the same machine as the one connecting to a web site. So a DNS attack would be harder because you'd have to MITM both LetsEncrypt and your intended victim.

Re:

[jonwil]

The solution to DNS tampering exists. Its called DNSSEC.
I would love to know why no-one wants to actually implement DNSSEC signature validation in things like browsers and other software...

Re:

[jonwil]

It already exists, its called DANE. But for some reason browser manufacturers refuse to implement it even though it has benefits for security...

The end game... ?

[dskoll]

I don't know if Entrust is sloppy to the point of being untrustworthy, but I certainly don't trust Google one little bit.

From Google's POV, the ideal situation would be for Chrome to only trust Google as a CA. Maybe they're floating a trial balloon? "If nobody squawks, maybe we can whittle away at the supported CAs until we have them in our hands, muahahahaaaa!"