Google Online Security Blog: Sustaining Digital Certificate Security – Upcoming Changes to the Chrome Root Store

Source URL: https://security.googleblog.com/2025/05/sustaining-digital-certificate-security-chrome-root-store-changes.html
Source: Google Online Security Blog
Title: Sustaining Digital Certificate Security – Upcoming Changes to the Chrome Root Store

**Summary:** Google Chrome has announced the removal of default trust for Certification Authorities (CAs) Chunghwa Telecom and Netlock, effective August 1, 2025, due to observed compliance failures and lapses in integrity. This change is aimed at enhancing the security and trustworthiness of encrypted connections on the web, marking a significant shift in how trust is managed for CAs within Chrome’s ecosystem.

**Detailed Description:**
The announcement from the Chrome Security Team outlines a significant update regarding the trust evaluation of Certification Authorities included in the Chrome Root Store. Key points include:

– **Removal of Default Trust:**
– Google Chrome will cease default trust in the CAs Chunghwa Telecom and Netlock, effective in Chrome 139 and later, beginning August 1, 2025.
– This decision stems from prolonged concerns over compliance, integrity, and reliability, which threaten user trust and the security of encrypted communications.

– **Guidelines for Website Operators:**
– TLS certificates issued by the affected CAs whose Signed Certificate Timestamps (SCTs) are dated after the effective date will trigger a full-page interstitial warning in Chrome.
– Website operators must use the Chrome Certificate Viewer to check whether their certificates chain to an affected CA, and are advised to migrate to another publicly trusted CA before their current certificates expire so that their sites remain reachable.
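The SCT-dated check described above, as an added example that is not taken from the post or from Chrome's own code: it decodes the RFC 6962 SCT list extension from a certificate's DER extension value and compares the earliest SCT timestamp against the cutoff. Assumptions: the cutoff is taken as the start of August 1, 2025 UTC, the earliest SCT stands in for the issuance date, the input bytes are constructed, and deciding whether the issuer is one of the two named CAs is left to the caller.

```python
from datetime import datetime, timezone

DISTRUST_CUTOFF = datetime(2025, 8, 1, tzinfo=timezone.utc)  # assumed from the page's effective date

def _der_octet_string(buf: bytes) -> bytes:
    # Unwrap a single DER OCTET STRING (short- or long-form length).
    if len(buf) < 2 or buf[0] != 0x04:
        raise ValueError("extension value is not an OCTET STRING")
    n, i = buf[1], 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    if len(buf) != i + n:
        raise ValueError("OCTET STRING length mismatch")
    return buf[i:]

def sct_timestamps(ext_value: bytes) -> list[datetime]:
    """Decode the RFC 6962 SCT list extension (OID 1.3.6.1.4.1.11129.2.4.2):
    a DER OCTET STRING around a TLS-encoded SignedCertificateTimestampList."""
    lst = _der_octet_string(ext_value)
    if int.from_bytes(lst[:2], "big") != len(lst) - 2:
        raise ValueError("SCT list length mismatch")
    out, i = [], 2
    while i < len(lst):
        n = int.from_bytes(lst[i:i + 2], "big")
        sct, i = lst[i + 2:i + 2 + n], i + 2 + n
        if len(sct) != n or n < 1 + 32 + 8:  # version, log id, timestamp at minimum
            raise ValueError("truncated SCT")
        if sct[0] != 0:  # only SCT v1 is defined
            raise ValueError(f"unknown SCT version {sct[0]}")
        ms = int.from_bytes(sct[33:41], "big")  # milliseconds since the Unix epoch
        out.append(datetime.fromtimestamp(ms / 1000, tz=timezone.utc))
    return out

def issued_after_cutoff(scts: list[datetime], cutoff: datetime = DISTRUST_CUTOFF) -> bool:
    """Earliest SCT taken as the issuance time (assumption); True means the distrust applies."""
    if not scts:
        raise ValueError("no SCTs: cannot date the certificate")
    return min(scts) >= cutoff

def fake_sct_list(*timestamps: datetime) -> bytes:
    """Constructed test input, not a real CT artifact: one v1 SCT per timestamp with a
    zero log ID, no extensions and a dummy 4-byte signature (handles up to 4 SCTs)."""
    body = b""
    for t in timestamps:
        sct = b"\x00" + bytes(32) + int(t.timestamp() * 1000).to_bytes(8, "big")
        sct += b"\x00\x00\x04\x03\x00\x04\x01\x02\x03\x04"  # ext len, algs, sig len, sig
        body += len(sct).to_bytes(2, "big") + sct
    lst = len(body).to_bytes(2, "big") + body
    length = bytes([len(lst)]) if len(lst) < 128 else b"\x81" + bytes([len(lst)])
    return b"\x04" + length + lst
```

On a real certificate, feed `sct_timestamps` the raw value of the extension with that OID; a certificate carrying no SCTs cannot be dated this way and is reported as an error rather than silently passed.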

– **Impact Assessment:**
– The update applies across various platforms (Windows, macOS, ChromeOS, Android, and Linux) but excludes iOS due to Apple policy constraints.

– **Compliance and Governance:**
– The action reflects a broader expectation that CAs adhere to established security and compliance standards, such as the CA/Browser Forum TLS Baseline Requirements.
– Ongoing lapses in these standards can lead to escalated risks and compromise the foundational trust of internet security protocols.

– **Testing and Internal Network Considerations:**
– Chrome has provided a testing capability via command-line flags for administrators to simulate the new constraints before they take effect.
– Enterprises that rely on the affected CAs internally can override the constraints by installing the root CA certificates locally, keeping services on their internal networks working.

In conclusion, this action by Chrome represents a considerable step towards improving online security and accountability among Certification Authorities. It underscores the importance of compliance in maintaining user trust and the overall integrity of internet security practices. Security professionals in the cloud, AI, and infrastructure domains should be particularly aware of these changes, as they could affect applications, architectures, and client relationships that rely on secure communications.