Google cuts ties with Entrust in Chrome over trust issues (www.theregister.com)
from kid@sh.itjust.works to cybersecurity@sh.itjust.works on 28 Jun 2024 16:47
https://sh.itjust.works/post/21502185

#cybersecurity


autotldr@lemmings.world on 28 Jun 2024 16:50

This is the best summary I could come up with:


From November 1 in Chrome 127, which recently entered beta, TLS server authentication certificates validating to Entrust or AffirmTrust roots won’t be trusted by default.

The incidents have “eroded confidence in [Entrust’s] competence, reliability, and integrity as a publicly trusted CA owner,” Google stated in a blog.

“Certification authorities serve a privileged and trusted role on the internet that underpin encrypted connections between browsers and websites,” Google said.

"Over the past six years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports.

Tim Callan, chief experience officer at Sectigo, said in an email to The Reg that the news serves as a reminder to CAs that they must hold themselves to the standards the industry expects of them.

A spokesperson at Entrust sent a statement to The Register: "The decision by the Chrome Root Program comes as a disappointment to us as a long-term member of the CA/B Forum community.


The original article contains 647 words, the summary contains 166 words. Saved 74%. I’m a bot and I’m open source!

MajorHavoc@programming.dev on 28 Jun 2024 19:13

I would love to see the certificate authority model become less and less important.

“Can you write a small check to an organization we are all pretty sure isn’t outright malicious?”

Is a surprisingly good pragmatic protection against malicious SSL certificates, I will admit.

But there are significant flaws with the approach - notably power dynamics and the creation of large, scary targets for bad actors.

I would love to see CA acceptance move from PASS/FAIL to a dynamic risk score that is based on my own browsing behavior (calculated solely within my browser).

If I spend 90% of my time browsing domains at example(dot)mycorporation(dot)com, there’s a great chance that anything new signed by the same authorities can be automatically trusted.

It would still put a lot of power in the hands of Amazon and Google, but would reduce that power in scale to the amount of services they’re actually providing to each user.
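A sketch of the local "familiarity score" the comment above proposes, added here as an illustration and not part of the original thread or of any browser's actual trust logic: the browser records which issuer each validated connection chained to, and scores a new certificate's issuer by how much of the user's own history it accounts for, across how many distinct hosts. The issuer names and hosts are constructed sample data; the thresholds are assumptions.

```python
from collections import Counter, defaultdict


class LocalCaFamiliarity:
    """Tracks which certificate issuers this browser has actually seen, per host.

    Hypothetical sketch of the 'dynamic risk score computed inside the browser'
    idea from the comment; not how Chrome or any shipping browser decides trust.
    """

    def __init__(self) -> None:
        self.visits = Counter()          # issuer -> number of page loads
        self.hosts = defaultdict(set)    # issuer -> distinct hosts seen via it

    def observe(self, host: str, issuer: str) -> None:
        """Record one successfully validated connection to `host` via `issuer`."""
        self.visits[issuer] += 1
        self.hosts[issuer].add(host)

    def share(self, issuer: str) -> float:
        """Fraction of all recorded page loads that chained to `issuer`."""
        total = sum(self.visits.values())
        return self.visits[issuer] / total if total else 0.0

    def risk(self, issuer: str) -> float:
        """Risk in [0, 1]: low when the issuer dominates the user's own history
        across many distinct hosts, 1.0 when it has never been seen locally."""
        if self.visits[issuer] == 0:
            return 1.0
        breadth = min(len(self.hosts[issuer]), 10) / 10   # host diversity, capped
        return round(1.0 - self.share(issuer) * breadth, 3)

    def classify(self, issuer: str, auto_trust_below: float = 0.25) -> str:
        """Map the risk to an action; an unseen issuer yields no local signal,
        so the ordinary root-store PASS/FAIL verdict must decide on its own."""
        r = self.risk(issuer)
        if r == 1.0:
            return "unseen"
        return "auto-trust" if r < auto_trust_below else "review"


def sample_history() -> LocalCaFamiliarity:
    """Constructed history: almost all browsing goes to one corporate domain family."""
    h = LocalCaFamiliarity()
    for sub in ("intranet", "mail", "wiki", "git", "ci", "hr", "docs", "vpn", "sso"):
        h.observe(f"{sub}.example-corp.test", "Corp Root CA (constructed)")
    h.observe("news.example.test", "Public CA B (constructed)")
    return h


if __name__ == "__main__":
    h = sample_history()
    for issuer in ("Corp Root CA (constructed)", "Public CA B (constructed)", "Never Seen CA"):
        print(issuer, h.share(issuer), h.risk(issuer), h.classify(issuer))
```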