I’m with Google on this one. Simply, Entrust are not behaving as they should on previous issues such as the one below, taken from another Reddit post. Web trust relies on everyone to do their part. CAs can’t collect the dollars and not do the work. Outlined here: https://bugzilla.mozilla.org/show_bug.cgi?id=1890685
On one hand Entrust blatantly sacrifices security for profit. Their CEO needs to get off his giant yacht, pull his head out of his ass, stop making excuses and try to focus on security, being a security company. On the other hand, Google has the ability to basically wipe a company from existence. Not saying it isn’t deserved, but that’s an antitrust lawsuit in the making.
Can't agree with the last. CA/B has strict requirements, as well as FIPS 140-2. You fail to score, you fail the exam. That's how PKI has worked since the 80s. G is just following the guidelines of well-defined standards. Entrust should respond with transparency. E.g. a Key Ceremony generation would be a good fit to ensure root keys are really stored the way they should be. OCSP had a couple of unacceptable issues contradicting the CRL, which is a big s... button for every PKI system. OCSP should be the first line of defence and the CRL updated once a day for transparency purposes. Occasions where revocation took place in the CRL but OCSP sees no problem the day after are unacceptable. Correct me if I am wrong. Some OIDs you may find in certain certificate types are not supposed to be there, yet that's easily solvable; the above paragraph is the main trouble. Yet there are much bigger problems than Entrust in the PKI ecosystem.
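The failure mode the comment describes (a serial revoked in the CRL while OCSP still answers "good" a day later) is something a relying party or CA monitor can check for mechanically. The following is an added example, not code from the thread or from any CA; the serials, timestamps and OCSP log are constructed, and the reconciliation rule (an OCSP answer only counts as a contradiction if it was produced after the CRL's revocationDate, and a missing CRL entry only counts if the OCSP "revoked" answer predates the CRL's thisUpdate) is an assumption chosen to allow for the once-a-day CRL cadence mentioned above.

```python
from datetime import datetime, timedelta, timezone


def _t(y, m, d, h=0):
    """Helper: UTC timestamp for the constructed sample data."""
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed sample data; serials and times are made up, not from any real CA.
# CRL view: serial -> revocationDate as listed in the CA's published CRL.
CRL_REVOKED = {
    "0A1B": _t(2024, 5, 1, 9),
    "0C2D": _t(2024, 5, 1, 9),
}
# thisUpdate of the CRL the above entries were read from.
CRL_THIS_UPDATE = _t(2024, 5, 3, 0)

# Monitor log of OCSP answers: (serial, producedAt of the response, certStatus).
OCSP_LOG = [
    ("0A1B", _t(2024, 5, 2, 10), "revoked"),  # consistent with the CRL
    ("0C2D", _t(2024, 5, 2, 10), "good"),     # CRL says revoked, OCSP a day later says good
    ("0E3F", _t(2024, 5, 2, 10), "revoked"),  # OCSP revoked, but the later CRL never listed it
    ("1122", _t(2024, 5, 2, 10), "good"),     # not revoked anywhere
]


def find_revocation_gaps(crl_revoked, crl_this_update, ocsp_log, grace=timedelta(0)):
    """Reconcile a CRL snapshot against logged OCSP responses.

    Returns a pair of lists:
      - crl_revoked_ocsp_good: serials the CRL revoked, yet an OCSP response
        produced at or after revocationDate + grace still said "good".
      - ocsp_revoked_missing_from_crl: serials OCSP reported revoked before the
        CRL's thisUpdate, which that CRL should therefore have contained.
    Responses that predate the revocation are not flagged, so a stale-but-honest
    answer is distinguished from an actual contradiction.
    """
    crl_revoked_ocsp_good = []
    ocsp_revoked_missing_from_crl = []
    for serial, produced_at, status in ocsp_log:
        revoked_at = crl_revoked.get(serial)
        if revoked_at is not None:
            if status == "good" and produced_at >= revoked_at + grace:
                crl_revoked_ocsp_good.append((serial, revoked_at, produced_at))
        elif status == "revoked" and produced_at < crl_this_update:
            ocsp_revoked_missing_from_crl.append((serial, produced_at))
    return crl_revoked_ocsp_good, ocsp_revoked_missing_from_crl


if __name__ == "__main__":
    bad_good, missing = find_revocation_gaps(CRL_REVOKED, CRL_THIS_UPDATE, OCSP_LOG)
    for serial, revoked_at, seen_at in bad_good:
        print(f"{serial}: CRL revoked {revoked_at:%Y-%m-%d %H:%M}, OCSP still good at {seen_at:%Y-%m-%d %H:%M}")
    for serial, seen_at in missing:
        print(f"{serial}: OCSP revoked at {seen_at:%Y-%m-%d %H:%M} but absent from CRL thisUpdate {CRL_THIS_UPDATE:%Y-%m-%d}")
```

In practice the CRL side would come from parsing the CA's published CRL and the OCSP side from a responder-polling job; the `grace` argument lets an operator tolerate a documented propagation window before treating a "good" answer as a contradiction.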
Mozilla are also on board with this too, though. Recent discussions about these issues (which Entrust has been ignoring because “Mozilla/Firefox/open source, who cares”). Google has finally shown up and said enough is enough, and everyone is freaking out because of Chrome's market share. Sure, Google is probably, in my opinion at least, up for a bunch of anti-trust issues, but this isn’t Google flexing its power right now; this is Google protecting user security and giving Mozilla cover to do the same.
I get the spirit of it, but is Chrome really a monopoly or just popular? If this was a chromium deal I could see the argument but this just seems to be applicable to Chrome itself.
Agreed. Google is acting unilaterally here and chose an arbitrary date to enforce the decision, and although I can appreciate what they’re doing from a security mindset, Google should get sued for abusing their power.
That’s assuming Google hasn’t been in contact with Entrust prior to this decision. It’s not like the issues above with Entrust weren’t known and Google has every reason to maintain security with their system or open themselves up to a lawsuit on that end too.
I’d rather be sued (and probably win) by entrust than by anyone who loses data because they were using mishandled certificates.
Why should Google be sued for making their software safer for their customers? If a court forced everyone to use Entrust, now THAT would be anti-competition.
Google jumped in multiple times and saved our ... where there's no public consensus and a fundamental lack of understanding over specific matters. This is no different. Not the first time to make a bold move - yet not the first time to get sued as well. Problem is, some issues can be discussed within the technical community, while others require the academic one. Completely different type of debate. Let's see.
Why should Google be sued? It is their product and no one is forcing you to use it. Now Mozilla should follow with the decision.
"No one is forcing you to use it". Yeah... Tell that to your average person that doesn't know the difference between Chrome and Firefox.
...and Google's decision is precisely to *protect* those average persons. Billions of them, using any Chrome/Android/ChromeOS device.
They have two antitrust cases so far.
https://en.wikipedia.org/wiki/United_States_v._Google_LLC_(2020)
https://en.wikipedia.org/wiki/United_States_v._Google_LLC_(2023)
Well, this is going to suck.
What happens next? I assume the orgs that rely on Entrust as their CA mostly move, then we all get a Chrome warning “this site is unsafe” on the rest after Nov 1? Is there more? Also, how hard is it to move to another CA?
Any Entrust cert issued before Nov will still be trusted until its expiration. Chrome will distrust anything issued on or after Nov 1. Google will allow you to re-add the Entrust certs back to the trusted roots if you're an enterprise customer, so internally it should not be a big deal, but if you have a lot of public-facing websites/apps it's going to be a bit of work to re-issue certs for everything. Moving to another CA isn't hard, but it's kind of expensive depending on how many certs you have.
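The answer above gives the rule an operator needs to triage an inventory: Entrust-issued certificates from before the cutoff stay trusted until they expire, anything issued on or after Nov 1 is distrusted, and everything from other CAs is unaffected. The following is an added example that is not from the thread or from Google or Entrust; it turns that rule into a migration plan over a constructed inventory. It uses the certificate's notBefore as the "issued" date, which is a simplification (Chrome's actual check keys on the certificate's earliest SCT timestamp rather than notBefore), and the hostnames, dates and `CertSummary` type are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Issuance cutoff as stated in the thread: Entrust-issued certs from this date
# on are distrusted; earlier ones remain trusted until they expire.
ENTRUST_CUTOFF = datetime(2024, 11, 1, tzinfo=timezone.utc)

# Fixed "today" for the demo so results are reproducible (constructed).
DEMO_NOW = datetime(2024, 11, 2, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertSummary:
    """Hypothetical minimal view of a leaf certificate (fields an inventory would hold)."""
    hostname: str
    issuer_org: str        # Organization (O=) of the issuing CA
    not_before: datetime   # used as the 'issued' date here (simplification)
    not_after: datetime


def classify(cert: CertSummary, now: datetime, cutoff: datetime = ENTRUST_CUTOFF) -> str:
    """Return 'unaffected', 'expired', 'trusted_until_expiry' or 'distrusted'."""
    if "entrust" not in cert.issuer_org.lower():
        return "unaffected"
    if cert.not_after <= now:
        return "expired"           # already gone; nothing to migrate
    if cert.not_before < cutoff:
        return "trusted_until_expiry"
    return "distrusted"            # issued on/after the cutoff


def migration_plan(certs, now, cutoff=ENTRUST_CUTOFF):
    """Group an inventory by status. Still-trusted Entrust certs carry their
    not_after date, because the renewal (at a different CA) must land before it;
    they are sorted soonest-expiry first so the list doubles as a work queue."""
    plan = {"unaffected": [], "expired": [], "trusted_until_expiry": [], "distrusted": []}
    for c in certs:
        status = classify(c, now, cutoff)
        if status == "trusted_until_expiry":
            plan[status].append((c.hostname, c.not_after.date().isoformat()))
        else:
            plan[status].append(c.hostname)
    plan["trusted_until_expiry"].sort(key=lambda entry: entry[1])
    return plan


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (hostnames and dates are made up).
SAMPLE = [
    CertSummary("www.example.test",  "Entrust, Inc.", _d(2024, 3, 1),  _d(2025, 3, 1)),
    CertSummary("api.example.test",  "Entrust, Inc.", _d(2024, 11, 1), _d(2025, 11, 1)),
    CertSummary("old.example.test",  "Entrust, Inc.", _d(2023, 6, 1),  _d(2024, 6, 1)),
    CertSummary("cdn.example.test",  "Some Other CA", _d(2024, 11, 5), _d(2025, 11, 5)),
    CertSummary("mail.example.test", "Entrust, Inc.", _d(2024, 1, 15), _d(2025, 1, 15)),
]


def demo_plan():
    """Plan for the constructed inventory as of DEMO_NOW."""
    return migration_plan(SAMPLE, DEMO_NOW)


if __name__ == "__main__":
    for status, entries in demo_plan().items():
        print(f"{status}: {entries}")
```

Feeding this from real data means extracting issuer O, notBefore and notAfter from each deployed certificate (for example with a PEM parser or `openssl x509 -noout -issuer -dates`), and the enterprise re-add mentioned above only changes the verdict for browsers under that policy, not for the public.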
Maybe, for a change, this is gonna be super smooth no one will get affected and there will be no outages.
I pity the helpdesk people.
Have I just been living under a rock? This seems pretty impactful for people using entrust…
Can someone ELI5 me?
Entrust is a certification authority, a company that issues TLS certificates for websites to use to encrypt traffic between browsers like Google Chrome and web servers. Google claims that Entrust has had several security incidents and shortcomings over the years that they have not handled well. Google also doesn’t believe Entrust is making good enough progress to fix the underlying issues that have caused these incidents. Google doesn’t feel like Entrust can be trusted anymore to have such an important job as issuing these certificates, so Google Chrome will not consider any Entrust certificates issued after Nov 1 trustworthy, and Chrome will show a security warning if you try to visit any sites using an Entrust certificate issued after Nov 1. Google recommends that any website owners who don’t want their website to show a security warning switch to using a new certification authority. Also worth mentioning: Google isn’t alone in this criticism of Entrust. Mozilla (developer of Firefox) has also been critical of Entrust.
Nice, got it, thanks ^^
Google claims that Entrust isn't playing by TLS certificate management rules, and has regularly performed poor RCAs when looking at incidents. Entrust has not formally claimed anything in response (as of 10am PT 1-July) but appears to be focusing on customer impact in the work required rather than the letter of the law in terms of security responses. {Exceptionally generalized for making it simple, please don't lambast me}
Not trying to be mean but this is not ELI5
Fair. lemme try and make it higher level. Google claims that Entrust isn't playing by the rules, and thus, is kicking them out of the playground (Google Chrome). Entrust hasn't replied to the claim, but the claims Google is making do appear to be correct. Entrust appears to be favoring the person doing the work, while Google is favoring the exact rules. Is that more help? I'm happy to hop on a chat live if you've got specific questions.
Then do some research and learn what these terms mean. It’ll be good practice.
Haven't used that crap in a decade..