Google says it will no longer trust root CA certificates signed by Chunghwa Telecom and Netlock in the Chrome Root Store due to a pattern of compliance failures and failure to make improvements.
The change will come in Google Chrome version 139, which is scheduled for release on 1 August this year. They cite ongoing compliance failures, broken improvement commitments, and lack of measurable progress as the reasons behind this decision.
In its blog, Google says the Chrome Root Program Policy says: “Certification Authority (CA) certificates included in the Chrome Root Store have to provide value to Chrome end users that exceeds the risk of their continued inclusion. It also describes many of the factors we consider significant when CA Owners disclose and respond to incidents. When things don’t go right, we expect CA Owners to commit to meaningful and demonstrable change resulting in evidenced continuous improvement.”
It added: “Chrome’s confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year.”
These patterns, Google continued, indicate a “loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome.”
Both entities have acted as public CAs for years, with their certificates included in the Chrome Root Store, meaning Chrome trusted them by default. Starting on August 1, 2025, Google Chrome will display a “Your Connection is Not Private” warning when users visit websites that continue to use certificates issued by Chunghwa Telecom or Netlock, as their root CAs will no longer be trusted.
Default Trust Withdrawn
Jason Soroko, Senior Fellow at Sectigo, says the CA/Browser Forum’s Baseline Requirements set the minimum global rules for publicly-trusted CAs how identities are vetted, how certificates are logged and audited, and, importantly, how quickly mis-issued certificates must be revoked (24 hours for high-risk problems and no more than five days for most others).
“Chunghwa Telecom was out of compliance and mis-issued certificates and took longer than required to revoke them. NetLock committed similar out of compliance activities,” he adds. “Both CAs repeatedly went past the Baseline-Requirement revocation deadlines, leaving invalid certificates active beyond the allowed window, prompting Chrome to withdraw their default trust.”
No Surprise
“The Internet has a number of foundational trust mechanisms, and they all radiate from our confidence in Domain Name Services (DNS), which answers the question “how do I find this site or service?”, and Certificate Authorities (CAs) which answers “how can I be sure this site or service is who they claim to be? can I trust this app?”, adds Trey Ford, Chief Information Security Officer at Bugcrowd.
Ford says there is a high cost for vigilance and accountability for these foundational services, and enterprises and consumers have widely entrusted those monitoring efforts to the major browser providers. “Divergent from Mozilla’s recent decision to deprecate Entrust with a detailed explanation, Google’s Chrome team has announced the removal of China’s Chunghwa Telecom, and the Hungarian Netlock CA from their root certificate store – without an explanation of why.”
There will be a lot of speculation around why the decision was made – both to deprecate the CAs, and to do so without a thorough and public explanation, Ford says. “As one of the super-scaler cloud providers, supporting enterprises, consumers, and public sector customers, Google’s decision to do so does not come as a surprise, and I trust they will ultimately be found acting in the general public’s best interest in this decision.”
Built on Trust
Thomas Richards, Infrastructure Security Practice Director at Black Duck, says: “The certificates used to secure communications with websites are built on trust; if an organization breaks that trust they should be removed as a trusted issuing authority. Their customers will be impacted with broken security and some users may not be able to reach their websites, however, accountability and compliance are core requirements of doing business, so the issuing authorities need to maintain a level of compliance and security to remain a trusted certificate issuer.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.