
Firefox’s Mozilla Follows Google in Distrusting Entrust’s TLS Certificates

Mozilla has announced it will officially stop trusting Entrust as a root certificate authority (CA) starting November 30, 2024, due to a prolonged period of compliance failures. This decision follows a similar move by Google Chrome, which cut ties with Entrust a month earlier, citing a pattern of concerning behaviors. 

Google’s Initial Decision 

In June 2024, Google was the first to drop Entrust as a CA, stating that the company had exhibited a “pattern of concerning behaviors.” This decision came after numerous compliance incidents were reported, leading Google to lose confidence in Entrust’s ability to meet industry standards. 

Mozilla’s Stance 

Mozilla’s root store manager, Ben Wilson, shared an email explaining the decision, highlighting that despite Entrust’s efforts to address the issues, their response did not inspire confidence. Wilson emphasized that Entrust’s updated report did not differ meaningfully from previous commitments made in 2020, which were subsequently broken. 

Mozilla’s decision was based on multiple factors: 

  • Repeated Compliance Failures: Between March and May 2024, Mozilla noted 22 separate incidents involving Entrust, many related to delays and missed deadlines. 
  • Inadequate Response: Entrust’s response to Mozilla’s concerns did not demonstrate a significant change or improvement in their operations. 
  • Historical Context: Entrust’s previous commitments in 2020 were not upheld, leading to the current situation. 

Akamai’s Response to Google Chrome’s Distrust of Entrust 

Following Google’s decision, Akamai has announced specific measures regarding Entrust-issued certificates. While Akamai will continue to support Entrust-issued edge certificates used on their Secure CDN until they expire, they recommend replacing these certificates to avoid disruption in secure traffic delivery to Google Chrome clients. For origin connections, Akamai will remove all Entrust and AffirmTrust root certificates from their trust store by March 1, 2025. Users are advised to replace affected certificates promptly to maintain secure connections and avoid potential traffic disruptions. 

Why Does Distrust Happen?

1. The Role of CAs and Compliance 

Certificate authorities (CAs) are crucial in establishing trust on the internet, providing certificates that enable encrypted connections between browsers and websites. To maintain this trust, CAs must adhere to strict industry standards and security practices, as defined by the CA/Browser (CA/B) Forum’s Baseline Requirements. These standards cover:

  • Validation Processes: Proper validation of certificate requests to ensure the authenticity of the entity requesting the certificate. 
  • Operational Security: Robust security measures to protect the CA’s infrastructure and prevent unauthorized issuance of certificates. 
  • Adherence to Protocols: Compliance with established protocols for certificate issuance, management, and revocation. 

2. Audits and Accountability 

CAs are held accountable through regular audits conducted by independent third parties. These audits verify that the CA complies with the CA/B Forum’s Baseline Requirements. Failure to meet these standards can result in browsers distrusting the CA’s certificates. 

3. The Decision-Making Process 

When a browser like Google Chrome or Mozilla Firefox decides to distrust a CA, the process involves: 

  • Evidence Gathering: Investigating the CA’s certificate issuance processes, operational security, and adherence to industry standards. This evidence is collected from transparency logs, forums, and public disclosures. 
  • Assessment Against Standards: Evaluating the evidence against the CA/B Forum’s Baseline Requirements to determine compliance. 
  • Public Disclosure and Response: Sharing findings with the CA and the public, allowing the CA to respond and outline corrective actions. 
  • Final Decision: Based on the CA’s response and the severity of the issues, the browser may decide to distrust the CA if the response is deemed insufficient. 

The Impact of Distrust 

When a CA is distrusted, all certificates issued by that CA are no longer recognized as valid by the browser. This has significant implications: 

  • Security Warnings: Websites using certificates from the distrusted CA will show security warnings, potentially leading to loss of user trust and vulnerabilities. 
  • Compliance Risks: Organizations may face regulatory violations and audit failures if they do not replace distrusted certificates. 
  • Operational Disruptions: Replacing certificates can cause service disruptions, increase operational costs, and require significant resources.

4. Detailed Mechanism of Distrust

  1. Incident Reporting: The process begins with the detection and reporting of compliance incidents. These can be reported by security researchers, other CAs, or through automated monitoring systems. 
  2. Initial Review: The CA/B Forum or the browser’s root store management team conducts an initial review of the reported incidents. If the incidents are deemed serious, a more thorough investigation is initiated. 
  3. Investigation: The investigation involves examining the CA’s certificate issuance practices, reviewing audit reports, and assessing the overall security posture of the CA. 
  4. Public Disclosure: The findings of the investigation are made public, and the CA is given an opportunity to respond and outline corrective actions. 
  5. Evaluation of Response: The browser’s root store management team evaluates the CA’s response. If the response is deemed inadequate or if the CA fails to implement the corrective actions, the browser may proceed with distrust. 
  6. Distrust Decision: The final decision to distrust the CA is made, and an official announcement is released. The browser updates its root store to remove trust in the CA’s root certificates.
  7. Impact on Certificates: All certificates issued by the distrusted CA become invalid. Websites using these certificates will show security warnings, and users are advised to replace the certificates with those from a trusted CA. 

Historical Context of Symantec

The decision to distrust Entrust is reminiscent of the 2018 incident involving Symantec. Google found multiple instances of improper certificate issuance by Symantec, leading to a phased removal of trust in its certificates by major browsers. This ultimately resulted in Symantec selling its CA business to DigiCert. 

How Enterprise Organizations Can Prepare

To mitigate the impact of CA distrust, organizations should adopt a defense-in-depth strategy built on Crypto-Agility:

  • Backup CAs: Have alternative CAs ready to issue replacement certificates. 
  • Automated Tools: Use automated certificate lifecycle management tools to streamline the replacement process. 
  • Regular Audits and Monitoring: Conduct regular audits and continuous monitoring to detect and address compliance issues promptly. 
  • Incident Response Plan: Maintain an updated incident response plan to handle CA compromises efficiently. 
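The inventory step behind the "Automated Tools" point above, as an added example that is not part of the article or of any vendor product: a Go check that reads a leaf certificate, flags it when its issuer organization names a CA from the distrust notices (Entrust, AffirmTrust), and reports whether it is valid past the Mozilla date the article gives, so the certificate must be replaced before then. The test certificates and the issuer names used to sign them are constructed in `MakeTestCert`; matching on the organization name is a heuristic, and a production inventory should key on the fingerprints of the roots actually being removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// CA names from the distrust notices above; the date is Mozilla's, as the article gives it.
var distrustedIssuers = []string{"Entrust", "AffirmTrust"}
var mozillaDistrust = time.Date(2024, 11, 30, 0, 0, 0, 0, time.UTC)
// Finding is one inventory row: what was found and whether it must be replaced.
type Finding struct{ Subject, Issuer, Reason string; NeedsReplace bool }

// Review flags a leaf whose issuer organization names a distrusted CA (name match is a heuristic).
func Review(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.CommonName, Issuer: strings.Join(cert.Issuer.Organization, ", ")}
	for _, d := range distrustedIssuers {
		if strings.Contains(strings.ToLower(f.Issuer), strings.ToLower(d)) {
			f.NeedsReplace = true
			f.Reason = "expires before distrust date; renew with another CA"
			if cert.NotAfter.After(mozillaDistrust) {
				f.Reason = "valid past " + mozillaDistrust.Format("2006-01-02") + "; replace before then"
			}
			return f
		}
	}
	f.Reason = "issuer not on distrust list"
	return f
}

// MakeTestCert signs a constructed leaf under a throwaway issuer name (test data, not a real CA).
func MakeTestCert(cn, issuerOrg string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issuer := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{issuerOrg}}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, issuer, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Printf("%+v\n", Review(MakeTestCert("www.example.test", "Entrust, Inc.", time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC))))
}
```

In a real deployment the certificates would come from a TLS scan or the certificate store rather than from `MakeTestCert`.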

Conclusion 

The distrust of Entrust by Mozilla and Google underscores the importance of strict compliance and robust security practices for CAs. Organizations relying on digital certificates must remain vigilant, ensuring they can adapt quickly to changes in the CA landscape to maintain security and trust. 

Mozilla’s decision to distrust Entrust highlights the need for transparency, accountability, and continuous improvement in the CA ecosystem. By understanding the mechanisms behind CA distrust and implementing best practices for Crypto-Agility, organizations can better prepare for and respond to such incidents, ensuring the security and trustworthiness of their digital communications. 


About the Author

Surbhi Singh is the marketing consultant with Encryption Consulting. With a focus on securing information through strategic marketing, she brings expertise in crafting effective communications for data protection.
