In a significant move concerning global cybersecurity, Google announced it will cease to trust digital certificates issued by two well-known certificate authorities (CA)—Chunghwa Telecom and Netlock. This ground-breaking decision will affect Chromium-based browsers and signals a notable shift in Google’s digital trust strategy. According to CPO Magazine, these actions will be enforced in the Chrome 139 update, scheduled for August 2025.
Erosion of Trust: The Core of Google’s Decision
The decision came on the heels of “concerning compliance issues” with these authorities, indicating a breach of trust that Google can no longer overlook. The Chromium Security Team cited some major patterns, such as repeated compliance failures and inadequate responses to security improvement commitments, as the main reasons for this decision. Google plans to implement these changes across various platforms, impacting Chrome users on Windows, Linux, macOS, ChromeOS, and Android.
Effects and Advisory for Web Administrators
Starting July 31, security warnings will alert users accessing websites secured with certificates from Chunghwa Telecom or Netlock. Web administrators are advised to transition to different certificate providers swiftly. Google even provides an option for operating systems to locally trust such certificates, thereby allowing continuity for enterprise users who may rely heavily on them.
Global Browser Implications and Responses
This decision marks a pivotal moment in the cybersecurity landscape, as Google acts independently while browsers like Firefox, Edge, and Safari have not yet echoed similar steps. The cascade effect of Google’s crackdowns was evident as Apple’s trust in Netlock’s certificates diminished back in November 2024.
The Road Ahead for Certificate Authorities
As Google strengthens its security framework, the spotlight on certificate authority compliance grows brighter. Chunghwa Telecom, Netlock, and counterparts like Entrust face increased scrutiny. With the March 2025 security requirement ramp-up, more certificate authorities might yet experience Google’s rigorous trust evaluations.
Conclusion: A Call for Enhanced Compliance
Google’s actions stand as a call to the entire cybersecurity community, emphasizing the importance of steadfast compliance and transparency. The ongoing commitment to security and trust sets a new standard for digital certificate authorities worldwide. As the internet landscape evolves, so too must the mechanisms safeguarding its integrity.
