Entrust Will Stop Operating As Trusted Certificate Authority
Google Designates Entrust 'Untrustworthy' After Years of 'Concerning Behaviors'

Certificate authority Entrust is about to face a worst-case scenario for any CA: browser makers no longer trusting it nor any new digital certificates it issues.
Citing years of problems, Google Chrome and the Java Runtime Engine on Tuesday will cease trusting all new root certificate authorities run by Minneapolis-based Entrust. Mozilla at month's end will follow suit. As a result, no public-facing site or service with a newly issued Entrust digital certificate will be treated as trustworthy by browsers. Existing certificates will continue to work until they expire - typically 398 days or less after being issued.
Attempting to browse to any site that uses an untrusted certificate displays a browser error message stating "your connection is not secure" or "your connection is not private," although a user can still click an "advanced" button to reach such sites.
Becoming untrusted represents an ignominious turn for Entrust, which began selling digital certificates in 1999. Such certificates remain vital for securing the internet and encrypting communications between browsers and sites by providing the "s" - as in, secure - in HTTPS. Everything from sending payment card data to e-commerce sites to accessing health information from patient portals to reading emails online relies on being able to trust the underlying digital certificates.
All of this relies on trust, based on CAs following baseline requirements set by the industry's Certification Authority Browser Forum, also known as the CA/Browser Forum. These rules stipulate in part that whenever a CA suffers an incident, it must file a report to bug-tracking service Bugzilla - "regardless of perceived impact" - that includes "detailed, candid, timely and transparent" information that demonstrates the CA understands the incident's root cause and is moving swiftly to resolve it.
"When things don't go right, we expect CA owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement," Google said.
Browser makers say Entrust fell short. "Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations and has eroded confidence in their competence, reliability and integrity as a publicly trusted CA owner," Google said in June.
The technology giant said that as a result, Entrust-issued digital certificates would shortly be considered "no longer trustworthy," and that anyone with Entrust-issued certificates should immediately begin transitioning them to a trusted CA.
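For defenders planning the transition the article calls for, the practical first step is an inventory triage: which certificates are already rejected (issued by a distrusted root after the cutoff), which still work until they expire, and which must be replaced first. The following is an added example, not code from the article or from any browser vendor; the cutoff date, the issuer names and the certificate records are constructed assumptions, and the 398-day limit is the maximum lifetime the article cites.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy inputs (assumptions, not values from the article): the
# cutoff after which a distrusted CA's newly issued leaf certificates are
# rejected, and the issuer organisations being distrusted.
DISTRUSTED_ISSUERS = {"Entrust", "AffirmTrust"}
CUTOFF = date(2024, 11, 12)   # placeholder for the article's "Tuesday"
MAX_VALIDITY_DAYS = 398       # CA/Browser Forum maximum leaf lifetime
WARN_DAYS = 30                # start replacement this long before expiry

@dataclass
class CertRecord:
    host: str
    issuer_org: str
    not_before: date
    not_after: date

def triage(cert: CertRecord, today: date) -> tuple[str, date]:
    """Classify one certificate; returns (status, date by which to replace it)."""
    lifetime = (cert.not_after - cert.not_before).days
    if lifetime > MAX_VALIDITY_DAYS:
        # Exceeds the baseline-requirement maximum regardless of issuer.
        return "out-of-policy-lifetime", today
    if cert.not_after <= today:
        return "expired", today
    if cert.issuer_org in DISTRUSTED_ISSUERS and cert.not_before >= CUTOFF:
        # Issued after the cutoff by a distrusted root: browsers reject it now.
        return "untrusted-now", today
    status = "trusted-until-expiry" if cert.issuer_org in DISTRUSTED_ISSUERS else "trusted"
    if (cert.not_after - today).days <= WARN_DAYS:
        status = "expiring-soon"
    replace_by = max(today, cert.not_after - timedelta(days=WARN_DAYS))
    return status, replace_by

def migration_plan(certs: list[CertRecord], today: date) -> list[tuple[str, str, date]]:
    """Order the whole inventory by replacement deadline, then host name."""
    rows = [(c.host, *triage(c, today)) for c in certs]
    return sorted(rows, key=lambda r: (r[2], r[0]))

# Constructed sample inventory (fictional hosts and dates).
SAMPLE_INVENTORY = [
    CertRecord("shop.example", "Entrust", date(2024, 11, 15), date(2025, 11, 15)),
    CertRecord("portal.example", "Entrust", date(2024, 6, 1), date(2025, 5, 30)),
    CertRecord("mail.example", "Entrust", date(2023, 12, 1), date(2024, 12, 10)),
    CertRecord("www.example", "DigiCert", date(2024, 1, 10), date(2025, 1, 9)),
    CertRecord("old.example", "Entrust", date(2023, 1, 1), date(2024, 3, 1)),
]

if __name__ == "__main__":
    for host, status, deadline in migration_plan(SAMPLE_INVENTORY, date(2024, 11, 20)):
        print(f"{deadline}  {status:24}  {host}")
```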
While Google didn't detail every last issue with Entrust, a list of incidents from March to May published by Mozilla highlighted multiple, major problems, including serious "incident handling, communication and operational procedures." In just one of those incidents, Entrust faced serious pushback from the community for not only failing to quickly revoke mis-issued certificates but continuing to issue them, then arguing that it shouldn't have to comply with the CA/Browser Forum rule it was breaking.
Internet intelligence firm Censys said that as of July, Entrust ranked 22nd out of the 464 CAs then trusted by Google, with 4 million certificates issued, while its AffirmTrust brand ranked 78th, with just 37,646 certificates. Censys found 876,681 physical and virtual hosts utilizing one of Entrust's nine CAs, with Disney appearing to account for 30,000 of those hosts.
Not the First Time
This isn't the first time a CA has become untrusted. After mounting concerns over how Symantec's digital certificate business validated and issued digital certificates, Google, Mozilla, Apple and Microsoft in 2018 announced that they would soon be "distrusting Symantec certificate authorities," including Thawte, VeriSign, Equifax, GeoTrust and RapidSSL. They urged anyone using Symantec CAs to replace their certificates using a trusted CA instead, "including DigiCert, which recently acquired Symantec's CA business."
Despite Utah-based DigiCert, the world's largest certificate authority, acquiring Symantec's website security and public key infrastructure business in 2017, the community still deep-sixed Symantec CAs.
DigiCert said it offered all affected Symantec digital certificate holders a free move to its trusted certificates.
Rapid Response
An episode earlier this year highlighted the type of response that the community likely expects to see when incidents come to light. On July 29, DigiCert announced that it discovered a bug in its internal processes that sometimes led the company to incorrectly validate ownership for domains owned or controlled by some customers before it issued certificates to those customers.
As a result, DigiCert warned that on July 30, it would be revoking the 83,267 incorrectly validated certificates issued to 6,807 customers. Under CA/Browser Forum rules, erroneously issued certificates "must be revoked within 24 hours, without exception," and any "failure to comply can result in a distrust of the certificate authority," DigiCert told them.
Facing pushback, including from critical infrastructure operators as well as a lawsuit seeking a temporary restraining order, DigiCert backtracked somewhat, saying that after liaising with browser makers, it could offer a five-day extension to customers, upon request. On Aug. 3, the company revoked all of the certificates.
After failing to operate with such transparency and punctuality, what's next for Entrust? The company said it will continue to provide digital certificates to customers, in the form of Entrust-branded certificates issued by SSL.com, which remains a trusted CA.