Google to distrust Entrust SSL/TLS certificates: What this means for the industry
2024-07-01 19:04 Author: securityboulevard.com

On June 27, 2024 Google announced that Chrome (version 127 and later) will, by default, no longer trust TLS server certificates that chain to Entrust's publicly trusted roots and are issued after October 31, 2024.

The announcement reverberated through the industry, and in particular among Entrust customers, who now face the task of moving their public TLS certificates to another Certificate Authority (CA) on a fixed timeline.

The catalyst for distrust

Google’s decision is rooted in a series of compliance failures by Entrust. Over the past several months Entrust has had significant issues, including badly delayed revocations of mis-issued certificates and repeated lapses against the requirements that publicly trusted CAs must meet. Google’s Security Blog noted, “Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.” This pattern, and the lack of credible remediation, is what Google cited as justification for removing trust in Entrust’s public roots.

To be trusted by a browser, a CA must comply with the CA/Browser Forum Baseline Requirements and with each browser’s own root program policy. Transparency is crucial: CAs are expected to report incidents promptly and work in good faith with the root programs to fix and prevent them. Publicly disclosed incident reports, and Entrust’s responses to them, had already eroded confidence in its TLS certificate issuance practices, so the news was not entirely unexpected in the industry; that public record is what prompted Google’s decision to distrust Entrust certificates in Chrome.

Implications for businesses

For businesses using Entrust certificates, this development necessitates prompt action. The change is keyed to issuance date rather than to a single switch-off: certificates chaining to the affected Entrust roots and issued after October 31, 2024 will not be trusted by default in Chrome 127 and later, so a site presenting one will show Chrome’s full-page certificate warning. Certificates issued on or before that date remain trusted until they expire, which means the real deadline for each certificate is its next renewal: renewing with Entrust after the cutoff produces a certificate Chrome rejects. Other major browsers may follow suit. Companies should inventory their Entrust certificates now and plan to replace each one with a certificate from another trusted CA before it expires. (Chrome allows an enterprise or user to explicitly trust the affected roots, which overrides the date-based constraint, but that is a stopgap for managed fleets, not a fix for a public website.)

Customers who do not migrate risk service disruptions: a certificate renewed with Entrust after the cutoff will be rejected by Chrome, and a certificate simply allowed to expire will be rejected by every client, in both cases making websites and services inaccessible or displaying security warnings. Users who learn to click through such warnings are also easier to intercept, because the one signal that server authentication has failed has been trained away. Entrust customers may additionally face compliance findings under industry regulations, with legal and financial consequences, and the loss of trust from customers encountering warnings can harm the organization’s reputation and business. Although the first affected issuance date is months away, the transition must be planned now: dealing with rejected or expired certificates after the fact is complex and costly, strains IT resources, and causes operational problems.

Key actions required:

  1. Replace Entrust Certificates: Companies need to identify every Entrust certificate in their infrastructure, including those issued before the cutoff, and replace each one with a certificate from another trusted CA before it expires, since a post-cutoff renewal with Entrust will not be trusted by Chrome.
  2. Evaluate Certificate Authorities: This incident underscores the importance of choosing a reputable CA. The CA/Browser Forum sets the baseline that every publicly trusted CA must meet; beyond that, businesses should look for CAs with a clean public incident history and prompt, transparent responses when incidents do occur.
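The inventory step above is the one that is easy to get wrong, because the question is not “is this an Entrust certificate?” but “when was it issued, and when does it expire?”. The following script is an added example written for this page; it is not Sectigo’s or Google’s code. It connects to each host named on the command line, reads the leaf certificate with Python’s standard `ssl` module, and classifies it. Two assumptions are the example’s own: it recognises affected certificates by the issuer organization name (Entrust or AffirmTrust, the brands under the roots Google listed), and it uses the certificate’s notBefore date as a stand-in for the earliest SCT date that Chrome actually checks, since `getpeercert()` exposes neither SCTs nor the full chain. The sample certificate dictionaries are constructed in the shape `getpeercert()` returns and are not real certificates.

```python
"""Flag TLS endpoints whose certificates are affected by Chrome's Entrust distrust.

Added example for this page, not Sectigo's or Google's tooling. Assumptions
(this example's own): issuer organization name identifies affected certs, and
notBefore approximates the earliest SCT date that Chrome keys the distrust on.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Chrome 127+ distrusts certs under the listed roots issued after this instant.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
# Heuristic: organization names seen in the issuer of leaves under the affected roots.
AFFECTED_ISSUER_ORGS = ("Entrust", "AffirmTrust")


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict, or ''."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert, now=None):
    """Classify one getpeercert()-style dict.

    Returns (status, detail) where status is one of:
      'unaffected'            - issuer is not under the affected roots
      'distrusted'            - affected issuer and issued after the cutoff
      'replace-before-expiry' - affected issuer, still trusted, but cannot be renewed with Entrust
    """
    now = now or datetime.now(timezone.utc)
    org = issuer_org(cert)
    # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" strings ssl produces.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not any(name in org for name in AFFECTED_ISSUER_ORGS):
        return "unaffected", f"issuer O={org!r}"
    if not_before > CUTOFF:
        return "distrusted", f"issued {not_before:%Y-%m-%d}, after the cutoff"
    days_left = (not_after - now).days
    return (
        "replace-before-expiry",
        f"trusted until {not_after:%Y-%m-%d} ({days_left} days); a renewal with Entrust would be distrusted",
    )


def scan_host(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate of host:port as a getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (not real certificates), for offline use.
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
SAMPLE_ENTRUST_LEAF = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),),
               (("commonName", "Entrust Certification Authority - L1K"),)),
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 23:59:59 2025 GMT",
}
SAMPLE_ENTRUST_RENEWAL = dict(SAMPLE_ENTRUST_LEAF,
                              notBefore="Nov 15 00:00:00 2024 GMT",
                              notAfter="Nov 15 23:59:59 2025 GMT")
SAMPLE_OTHER_CA_LEAF = dict(SAMPLE_ENTRUST_LEAF,
                            issuer=((("countryName", "US"),), (("organizationName", "Example CA LLC"),)))


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no hosts given: show the classifier on the constructed samples
        for name, cert in (("sample-current", SAMPLE_ENTRUST_LEAF),
                           ("sample-renewal", SAMPLE_ENTRUST_RENEWAL),
                           ("sample-other-ca", SAMPLE_OTHER_CA_LEAF)):
            print(name, *classify(cert, now=SAMPLE_NOW), sep="\t")
    for host in targets:
        try:
            status, detail = classify(scan_host(host))
        except (OSError, ssl.SSLError) as exc:
            status, detail = "error", str(exc)
        print(host, status, detail, sep="\t")
```

Run it as `python entrust_scan.py host1 host2 ...`; with no arguments it prints the classification of the three constructed samples. Because the script only sees the leaf certificate, treat its output as a triage list: confirm each hit by checking the served chain against the root list in Google’s announcement, and remember that a certificate classified as `replace-before-expiry` still needs a migration date set before its notAfter, not after.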

Choosing a reputable Certificate Authority

Considering Entrust’s failings, businesses must reassess their relationships with CAs. A reputable CA should demonstrate robust compliance with industry standards, transparent operations, and a proven track record of security and reliability. Companies like Sectigo, which offers comprehensive certificate lifecycle management solutions, present viable alternatives.

Sectigo Certificate Manager (SCM) is a cloud-native platform that provides full visibility and automated lifecycle management for all public and private certificates, regardless of the issuing CA. It can be instrumental in ensuring a smooth transition from Entrust certificates and maintaining robust security postures.

Industry-wide impact

Google’s decision has broader implications beyond the immediate need for certificate replacement. It highlights the critical role of CAs in maintaining digital trust and the ongoing necessity for stringent compliance and security measures. The CA/B Forum’s standards are designed to protect the integrity of digital communications, and failures like those exhibited by Entrust can erode this trust, necessitating firm actions from browser vendors like Google.

Future outlook:

  • Increased Scrutiny: Other CAs will likely face increased scrutiny, prompting a reevaluation of their compliance and security practices.
  • Enhanced Standards: The CA/B Forum may introduce more rigorous standards to prevent similar incidents, ensuring that CAs adhere to the highest levels of security and reliability.
  • Proactive Measures: Companies should adopt proactive measures in managing their digital certificates, including regular audits, compliance checks, and staying informed about industry developments.

Moving ahead

Google’s distrust of Entrust TLS certificates serves as a stark reminder of the crucial role that Certificate Authorities play in the digital ecosystem. For businesses, this development is a call to action to reassess and fortify their digital security strategies, ensuring they partner with reliable and compliant CAs. The industry, meanwhile, must continue to evolve, embracing higher standards and more robust compliance measures to maintain and enhance digital trust.

Navigating this transition may be challenging, but with the right tools and partners, businesses can make a controlled shift to trusted certificates and safeguard their operations and customer trust. By automating certificate lifecycle management and practicing enterprise-wide crypto-agility, organizations can complete a CA migration with minimal disruption. As the cryptography landscape continues to evolve, with quantum-safe algorithms arriving and maximum certificate validity heading toward 90 days, automation and crypto-agility are best practices worth adopting now rather than under the pressure of the next forced migration.

How Sectigo can help you with simple CA migration

Sectigo Certificate Manager (SCM) is a scalable, CA-agnostic certificate lifecycle management (CLM) solution that automates all certificate processes end-to-end. You can discover, inventory, monitor, replace, revoke and renew all your public and private certificates, through a central management console. Sectigo’s products bring together visibility, automation, and control across on-premises, multi-cloud, hybrid cloud, IoT, and containerized environments to simplify certificate lifecycle management, improve efficiency, build crypto-agility, and ensure continuous compliance.

To quickly migrate from Entrust CA to Sectigo, request a demo today and we will support you through this transition.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

*** This is a Security Bloggers Network syndicated blog from Sectigo authored by Sectigo Team. Read the original post at: https://www.sectigo.com/resource-library/google-to-distrust-entrust-ssl-tls-certificates-what-this-means-for-the-industry


Source: https://securityboulevard.com/2024/07/google-to-distrust-entrust-ssl-tls-certificates-what-this-means-for-the-industry/