Friday, December 13, 2024

Google Online Security Blog: Sustaining Digital Certificate Security

The Chrome Security Team prioritizes the security and privacy of Chrome's users, and we are unwilling to compromise on these values.

Our policy states that CA (Certificate Authority) certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion. The policy also describes the factors we consider significant when CA owners disclose and respond to incidents. When things go wrong, we expect CA owners to commit to meaningful and demonstrable change, resulting in measurable, evidence-backed improvement.

For several years, Entrust’s publicly disclosed practices have consistently fallen short of industry expectations, eroding confidence in its competence, reliability, and integrity as a publicly trusted CA owner.

To preserve the integrity of the Web PKI ecosystem, Chrome will take the following actions:

  • Starting February 10, 2023, TLS server authentication certificates validating to the Entrust roots, whose earliest Signed Certificate Timestamp (SCT) is dated after that point, will no longer be trusted by default.
  • TLS server authentication certificates validating to these roots whose earliest SCT is dated on or before that point are unaffected by this change.

This approach attempts to minimize disruption to existing subscribers by using a recently introduced Chrome feature that removes default trust based on the SCTs embedded in certificates.

Additionally, should a Chrome user or enterprise explicitly trust any of these certificates on a platform and version of Chrome that honors local trust decisions (for example, via a Group Policy Object on Windows), the SCT-based constraints described above are overridden and the certificates continue to function as they do today.

To further minimize the risk of disruption, website operators are encouraged to review the frequently asked questions below.

Certification authorities (CAs) occupy a position of utmost trust and responsibility on the internet, providing the foundation for secure, encrypted communication between browsers and websites. Corresponding to this high level of trust, there is an expectation that CAs adhere to reasonable, minimum standards for security and compliance, as described in the CA/Browser Forum TLS Baseline Requirements.

Over the past six years, we have observed a pattern of recurring compliance failures, unmet commitments to improve, and an absence of concrete, measurable progress in response to publicly disclosed incident reports. Considering these factors together and evaluating the risk they pose to the web ecosystem, we believe Chrome’s continued trust in Entrust is no longer justified.

Blocking action will begin around November 1, 2024, affecting certificates issued from that point onward.

Blocking action will occur on Windows, macOS, ChromeOS, Android, and Linux. Apple’s app review guidelines prevent the Chrome Certificate Verifier and Chrome Root Store from being used on Chrome for iOS.

By default, Chrome users on those platforms who visit websites serving certificates from Entrust or AffirmTrust after October 31, 2024 will encounter a full-page interstitial.

Certificates issued by other Certificate Authorities (CAs) are not affected by this action.

Website operators can determine whether they are affected by using the Chrome Certificate Viewer:

  • Visit the website.
  • Click the “Tune” icon.
  • Click “Connection is secure”.
  • The Chrome Certificate Viewer opens.
    • If the “Organization (O)” field under the “Issued By” heading contains either “Entrust” or “AffirmTrust”, the website is affected.

We recommend that affected website operators transition to a new publicly trusted CA owner as soon as reasonably possible. To avoid adverse impact on website users, any existing certificates set to expire on or after November 1, 2025 should be replaced before October 31, 2024.

While website operators can delay the impact of blocking by obtaining and installing a new TLS certificate issued by Entrust before Chrome’s blocking action begins on November 1, 2024, they will ultimately need to obtain and install a new TLS certificate from one of the many other Certificate Authorities (CAs) included in the Chrome Root Store.

Sure.

A command-line flag was introduced in Chrome 128 (available in Canary/Dev at the time of publication) that allows administrators and power users to simulate the effect of an SCT Not After trust constraint as described in this blog post’s FAQ.

1. Close all open instances of Google Chrome.

2. Run Chrome with the following command-line flag, substituting the variables described below with actual values:

`--test-crs-constraints=$[comma-separated list of trust anchor certificate SHA-256 hashes]:sctnotafter=$[epoch timestamp]`

3. Visit a website to observe the effect of the flag.

Example: the following flag value makes the Chrome Root Store distrust certificates chaining to the listed Entrust roots whose earliest SCT is dated after April 30, 2024 at 23:59:59 GMT (epoch 1714521599). Websites whose certificates were issued before that point will work as expected in Chrome, while those issued after it will display a warning interstitial.

--test-crs-constraints=02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5,
43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339,
6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177,
73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C,
DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88,
0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7,
0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B,
70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A,
BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423
:sctnotafter=1714521599

"C:\Users\User123\AppData\Local\Google\Chrome SxS\Application\chrome.exe" --test-crs-constraints=02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5,43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339,6DC47172E01CBCB0BF62580D895FE2B8AC9AD4F873801E0C10B9C837D21EB177,73C176434F1BC6D5ADF45B0E76E727287C8DE57616C1E6E6141A2B2CBC7D8E4C,DB3517D1F6732A2D5AB97C533EC70779EE3270A62FB4AC4238372460E6F01E88,0376AB1D54C5F9803CE4B2E201A0EE7EEF7B57B636E8A93C9B8D4860C96F5FA7,0A81EC5A929777F145904AF38D5D509F66B5E2C58FCDB531058B0E17F3F0B41B,70A73F7F376B60074248904534B11482D5BF0E698ECC498DF52577EBF2E93B9A,BD71FDF6DA97E4CF62D1647ADD2581B07D79ADF8397EB4ECBA9C5E8488821423:sctnotafter=1714521599

"/Applications/Google Chrome Canary.app/Contents/MacOS/Google Chrome Canary" --test-crs-constraints=…:sctnotafter=1714521599

Note: the command contains no line breaks.
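To make the SCT Not After rule concrete, here is an added example (not code from the page or from Chrome) that builds the flag value in the format above, parses an RFC 6962 SCT list as it appears in a certificate's SCT extension, and applies the rule using the page's example cutoff of 1714521599; the two root hashes are taken from the flag on the page, the SCT bytes are constructed test data, and treating a chain with no SCTs as distrusted is an assumption.

```python
import struct
from datetime import datetime, timezone

# Cutoff used in the page's example flag: sctnotafter=1714521599 (2024-04-30 23:59:59 GMT).
SCT_NOT_AFTER = 1714521599

# Trust anchors subject to the constraint; these two SHA-256 hashes are taken from the
# flag shown on the page (the full flag lists nine).
CONSTRAINED_ROOTS = {
    "02ED0EB28C14DA45165C566791700D6451D7FB56F0B2AB1D3B8EB070E56EDFF5",
    "43DF5774B03E7FEF5FE40D931A7BEDF1BB2E6B42738C4E6D3841103D3AA7F339",
}

def build_flag(root_hashes, sct_not_after: int) -> str:
    """Assemble the --test-crs-constraints value in the format the page describes."""
    return f"--test-crs-constraints={','.join(root_hashes)}:sctnotafter={sct_not_after}"

def cutoff_utc(sct_not_after: int) -> str:
    """Render the epoch cutoff as a UTC timestamp so the chosen value can be sanity-checked."""
    return datetime.fromtimestamp(sct_not_after, tz=timezone.utc).isoformat()

def parse_sct_list(data: bytes) -> list:
    """Parse an RFC 6962 SignedCertificateTimestampList (the payload of the
    1.3.6.1.4.1.11129.2.4.2 extension) and return each SCT's timestamp in ms since epoch."""
    (total,) = struct.unpack_from(">H", data, 0)
    pos, end, timestamps = 2, 2 + total, []
    while pos < end:
        (length,) = struct.unpack_from(">H", data, pos)
        sct = data[pos + 2:pos + 2 + length]
        pos += 2 + length
        # v1 SCT layout: version(1) | log_id(32) | timestamp(8) | extensions | signature
        (ts_ms,) = struct.unpack_from(">Q", sct, 1 + 32)
        timestamps.append(ts_ms)
    return timestamps

def build_sct_list(*ts_ms: int) -> bytes:
    """Construct a test SCT list (constructed data): log ids and signatures are dummies."""
    scts = b""
    for ts in ts_ms:
        body = b"\x00" + b"\x11" * 32 + struct.pack(">Q", ts) + b"\x00\x00" + b"\x04\x03\x00\x00"
        scts += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(scts)) + scts

def is_distrusted(root_sha256_hex: str, sct_list: bytes) -> bool:
    """SCT Not After rule: a chain to a constrained root is distrusted only when its earliest
    SCT is later than the cutoff. A chain with no SCTs is treated as distrusted (assumption)."""
    if root_sha256_hex.upper() not in CONSTRAINED_ROOTS:
        return False
    timestamps = parse_sct_list(sct_list)
    if not timestamps:
        return True
    return min(timestamps) // 1000 > SCT_NOT_AFTER
```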


Starting with Chrome 127, enterprises can override Chrome Root Store constraints, including those described here for Entrust, by installing the corresponding root CA certificate as a locally trusted root on the platform where Chrome is running (for example, in the Microsoft Certificate Store as a Trusted Root CA).

Customers should refer to platform provider documentation for guidance.

Google’s product teams may roll out various updates at some point in the future.
