What is the Entrust Issue?
At the end of June, Google announced that, following a history of issues with how Entrust was managed, they will no longer include Entrust root certificates in Chrome's root programme after 31st October 2024. This has several impacts that customers should be aware of:
Trust - Entrust certificates issued after 31st October 2024 will not be trusted by the Chrome browser (which has 65% market share). Anyone accessing a website using one of these certificates will see an error, eroding user trust in your services and potentially leading to loss of traffic and business.
Precedent - This sets a precedent for stricter enforcement of Root certificate policies by Google and other browsers (Microsoft, Apple, Mozilla). So this scenario, and the mitigations that customers choose to take, may be repeated in future.
Practice - Certificate provision is one of many parts of the underlying workings of the internet where many businesses give little thought to resilience. "Pick a public CA and stick with it" is a common approach because it is simple and has always worked. This issue should prompt customers to re-examine that approach and diversify their certificate sources.
Does it matter to me?
If you are certain that you don't use Entrust certs for public-facing websites and services, or you don't care about users receiving security warnings when accessing your website, then you may decide not to do anything (although giving your first-line support team a heads-up about this is probably a wise idea).
If you know that your organisation uses Entrust certificates, or you are unsure, then you need to act.
We call out "public-facing websites and services" here for a specific reason. It is the browser on the end user's device that decides whether to trust a certificate from your website or to warn the user not to proceed. Your organisation can control what certificates your own devices trust, but you cannot do this for computers belonging to the public or other organisations.
It is important to note that certificates underpin the security of your websites and digital services. While Google are only forcing this change from 1st November onward, the problems that led to this decision exist today. So if you are using Entrust, acting now rather than waiting for Google's arbitrary enforcement deadline is probably wise.
What should I do?
You need both to address the issue tactically and to improve your organisation's policies and processes around certificate usage where needed:
Update your people and working practices to:
Stop using new Entrust certificates while this issue persists.
Use a diverse set of CAs for certificate sources, mitigating the risk of failure or loss of compliance by any single party.
Identify every instance where Entrust certs are used by your organisation for internet services and seek to replace them.
With around 3 working months to address the issue (holidays included), now is the time to start if you have any concerns.
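Finding every Entrust certificate starts with checking what each internet-facing host actually presents, from the outside, the way a member of the public's browser would see it. The script below is an added example, not part of the original post and not Through Technology's or NodeZro's tooling. It uses only the Python standard library: it fetches the leaf certificate a host serves (or, for the constructed samples, reads it from a dict in the same layout ssl.getpeercert() returns) and sorts it into "not Entrust", "Entrust, issued before the 31st October 2024 cut-off" or "Entrust, issued after it". Two assumptions to note: it treats "Entrust" in the issuer's organisation name as the test for an Entrust-issued certificate, which is a heuristic because getpeercert() exposes only the leaf and not the whole chain to the root; and the hostnames, issuer names and dates in SAMPLE_CERTS are made up for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Cut-off from the announcement: Entrust-chained certificates issued after
# 31 October 2024 are not trusted by Chrome.
CUTOFF = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(cert, cutoff=CUTOFF):
    """Classify one leaf certificate.

    Assumption: a certificate counts as Entrust-issued when the issuer's
    organisation name contains 'entrust'. A full check would walk the chain
    to the root, which ssl.getpeercert() does not expose.
    """
    if "entrust" not in issuer_org(cert).lower():
        return "not-entrust"
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    # Issued after the cut-off: Chrome will show an error.
    # Issued before: trusted until it expires, but it must not be renewed with Entrust.
    return "entrust-distrusted" if issued > cutoff else "entrust-legacy"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate host:port presents, as the dict ssl.getpeercert() returns.

    Verification uses this machine's root store, so a chain this machine
    already distrusts raises ssl.SSLCertVerificationError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def inventory(hosts, fetch=fetch_peer_cert):
    """Map each hostname to a verdict; connection and verification failures are findings too."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host))
        except ssl.SSLCertVerificationError:
            results[host] = "verify-failed"  # already untrusted by this machine's root store
        except OSError as exc:  # ssl.SSLError and socket errors are all OSError subclasses
            results[host] = f"error: {exc.__class__.__name__}"
    return results


def _entrust_issuer(cn):
    # Issuer layout mirrors getpeercert(): a tuple of RDNs, each a tuple of (key, value) pairs.
    return ((("countryName", "US"),), (("organizationName", "Entrust, Inc."),), (("commonName", cn),))


# Constructed sample certificates in getpeercert() layout; hostnames, issuer CNs and dates are made up.
SAMPLE_CERTS = {
    "new.example.test": {
        "subject": ((("commonName", "new.example.test"),),),
        "issuer": _entrust_issuer("Example Entrust Intermediate (constructed)"),
        "notBefore": "Nov 15 00:00:00 2024 GMT",
        "notAfter": "Nov 15 23:59:59 2025 GMT",
    },
    "old.example.test": {
        "subject": ((("commonName", "old.example.test"),),),
        "issuer": _entrust_issuer("Example Entrust Intermediate (constructed)"),
        "notBefore": "Jun 15 00:00:00 2024 GMT",
        "notAfter": "Jun 15 23:59:59 2025 GMT",
    },
    "other.example.test": {
        "subject": ((("commonName", "other.example.test"),),),
        "issuer": ((("organizationName", "Example CA Ltd (constructed)"),),),
        "notBefore": "Jul 10 00:00:00 2024 GMT",
        "notAfter": "Jul 10 23:59:59 2025 GMT",
    },
}


def sample_fetch(host):
    """Offline stand-in for fetch_peer_cert that serves the constructed samples."""
    return SAMPLE_CERTS[host]


def failing_fetch(host):
    """Stand-in that behaves like a host whose chain this machine already distrusts."""
    raise ssl.SSLCertVerificationError("constructed verification failure")


if __name__ == "__main__":
    # Replace SAMPLE_CERTS and sample_fetch with your hostname list and fetch_peer_cert for a live run.
    for host, verdict in inventory(SAMPLE_CERTS, fetch=sample_fetch).items():
        print(f"{host:22} {verdict}")
```

An "entrust-legacy" result is not a pass: the certificate keeps working until it expires, but its renewal must come from another CA, so it belongs on the replacement list alongside the "entrust-distrusted" ones. "verify-failed" means the chain is already rejected by the machine running the script, which is worth investigating whatever the issuer.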
How?
Organisations with a large internet presence may find these changes challenging. It is not at all unusual not to know where in your infrastructure Entrust certs are used... after all, "certs are simple and have always worked".
You can address this alone if you start now and can spare the right people to identify Entrust certificate use and replace it. But if you don't have the capacity or capability right now to address it, Through Technology can help.
With our partner NodeZro, we have tooling online now that will automatically detect where Entrust certificates are used within your organisation's internet-facing websites and services. We find Entrust certificates by scanning the public internet, meaning we can provide you with a complete picture of your exposure to this issue within a few business hours without any integration effort or changes to your systems.
And if you need help to plan and manage their replacement, we can assist with that too. If you think you may be exposed to this issue and want to discuss it, please get in touch for an initial talk by emailing enquiries@throughtechnology.uk or via our website.
----------------------------------------
PS. Entrust have stated that they are committed to addressing the issues leading to Google's decision and are working with Google and other browser trust programmes to ensure future compliance. You can read their recent statement here: Thoughts on the Google Chrome Announcement and Our Commitment to the Public TLS Certificate Business - Entrust Blog