Entrust, a long-established certificate authority (CA) known for providing digital certificates crucial to online security, is facing a severe blow to its credibility. In a significant move, Google and Mozilla, the makers of two of the largest web browsers, have announced that they will stop trusting all new root certificates issued by Entrust. This decision comes after years of incidents that raised concerns about Entrust’s operational procedures and incident handling. Both companies cited repeated failures in compliance with the CA/Browser Forum’s stringent rules, particularly in how Entrust managed security breaches and mishandled certificate mis-issuances. As a result, any newly issued certificates from Entrust will no longer be trusted by browsers, leaving many companies and websites using Entrust certificates to urgently seek alternatives.
For over two decades, Entrust has been a major player in the digital certificate industry, with its certificates used for securing communications and transactions across the internet. Digital certificates are a cornerstone of online security, ensuring that web traffic is encrypted and that users can trust the websites they visit. Now that Entrust has lost that trust, any website or service using a newly issued Entrust certificate will be flagged as untrusted by web browsers, resulting in warning messages such as “Your connection is not private” or “This site is not secure.” While existing certificates will continue to function until they expire, the disruption to new certificate issuance is a significant issue for those relying on Entrust for their cybersecurity needs.
The decision to revoke trust in Entrust’s certificates is rooted in a series of concerning events over the years. Google and Mozilla pointed to multiple incidents where Entrust failed to handle security breaches in a timely and transparent manner. These incidents included delays in revoking mis-issued certificates, insufficient communication with affected parties, and an overall failure to meet the expectations set by the Certification Authority Browser Forum. The CA/Browser Forum mandates that all certificate authorities demonstrate continuous improvement, particularly in how they handle incidents. Unfortunately, Entrust’s repeated shortcomings have eroded the confidence of major industry players, ultimately leading to the decision to deem their certificates untrustworthy.
This move by Google and Mozilla highlights the growing importance of transparency and security in the digital certificate industry. It also underscores the challenges faced by certificate authorities when they fail to uphold the high standards required for managing digital trust. While Entrust remains operational and continues to provide certificates through its partnership with SSL.com, which is still a trusted CA, its reputation has been significantly damaged. The company will now need to focus on regaining trust, both within the industry and with its customers, if it hopes to restore its position as a reliable certificate authority in the future.