Given the growing sophistication of cyber criminals, it’s crucial to connect to secure websites to avoid falling victim to their schemes. One way to achieve this is by manually entering the domain of the website you want to visit. Then, you need to ensure that the URL is displayed with the HTTPS prefix and, depending on the browser, that a padlock icon appears next to it.
Internally, this security process is based on TLS certificates. These certificates are digital identity cards issued by trusted certificate authorities (CAs). If you try to visit a website that lacks a certificate or has an invalid one, most browsers will notify you and warn you about the associated risks.
Entrust Certificates Are in Serious Trouble
Google Chrome, the world’s most widely used web browser, will stop accepting TLS certificates issued by Entrust and AffirmTrust (which has been owned by Entrust since 2016). With this move, Google says it wants to protect its users. According to the tech giant, incidents involving Entrust have “eroded confidence in [its] competence, reliability, and integrity as a publicly-trusted CA Owner.”
That said, the impact of this decision is significant since Entrust is a CA with nearly 30 years in business and, according to Forbes, provides services to clients such as MasterCard, Dell, Chase Bank, and several governments around the world. Google has stated that the change won’t be immediate and that it will allow affected websites some time to switch to other certificate providers.
Specifically, this change will come into effect on “approximately November 1, 2024,” starting from Chrome version 127 and later (the current version is Chrome 126) on several platforms, including Windows, macOS, ChromeOS, Android, and Linux. As such, certificates issued by Entrust and AffirmTrust after October 31, 2024, won’t be trusted by default. As a result, websites using these certificates will display a warning message.
Certainly, no company wants its users to encounter a warning message like the one shown below. This poses a direct risk to users’ security and to the company’s reputation. It’s important to note that certificates signed by Entrust and AffirmTrust on or before October 31, 2024, won’t be affected by this change and will remain valid.
TLS certificates have a maximum validity of 13 months. Though certificates initially had a longer validity period, they’ve been shortened for security reasons. A new certificate is less vulnerable. As you can see in the screenshots above and below, sites such as mastercard.us and dell.com have certificates that expire on July 11, 2025, and July 24, 2024, respectively.
To check the certificate a website uses in Google Chrome, click on the button to the left of the domain name. If the connection is secure, you’ll see a message saying the certificate is valid. If the certificate is invalid, clicking on the message will provide the details as to why. The process is similar for all other browsers.
Users don’t need to do anything but remain vigilant to avoid inconvenience. System administrators, for their part, should note that even when these certificates are no longer accepted by default, they can still allow them manually. If you’re managing a website, it’s important to know which certificates you’re using so that necessary measures can be taken to ensure their operation.
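For the inventory step described above, here is an added example (not part of the original article) that classifies certificates against the October 31, 2024 cutoff. It assumes the issuer is recognisable from the issuer organization name, treats notBefore as the issue date and the cutoff as UTC; the function names and sample certificates are constructed for illustration.

```python
import calendar
import socket
import ssl

# First instant after October 31, 2024. UTC is an assumption; the article names no time zone.
CUTOFF = calendar.timegm((2024, 11, 1, 0, 0, 0))
# Assumption: affected issuers are recognised by the issuer organizationName.
AFFECTED_ORGS = ("entrust", "affirmtrust")


def issuer_org(cert):
    """Return the issuer organizationName from an ssl getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert):
    """Classify one certificate against the cutoff described in the article."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in AFFECTED_ORGS):
        return "other-ca"
    issued = ssl.cert_time_to_seconds(cert["notBefore"])  # treated as issue date
    return "distrusted-by-default" if issued >= CUTOFF else "still-trusted"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the certificate a live server presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(certs):
    """Map each inventory name to its classification."""
    return {name: classify(cert) for name, cert in certs.items()}


# Constructed sample certificates (not real), in getpeercert() layout.
SAMPLES = {
    "old-entrust": {"issuer": ((("organizationName", "Entrust, Inc."),),),
                    "notBefore": "Oct 31 23:59:59 2024 GMT"},
    "new-affirmtrust": {"issuer": ((("organizationName", "AffirmTrust"),),),
                        "notBefore": "Nov  1 00:00:00 2024 GMT"},
    "unrelated": {"issuer": ((("organizationName", "Example CA"),),),
                  "notBefore": "Dec 15 08:00:00 2024 GMT"},
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name}: {verdict}")
```

To check a site you manage, pass the result of fetch_cert with your own hostname to classify.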
Image | Xataka On