![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![[DEALS] FileJump 2TB Cloud Storage: Lifetime Subscription (85% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![Apple Shares Official Trailer for 'The Wild Ones' [Video]](https://www.iclarified.com/images/news/97515/97515/97515-640.jpg)
Google to Remove Two Certificate Authorities from Chrome Root Store
Google has announced plans to remove two Certificate Authorities (CAs) from Chrome’s Root Store due to ongoing security concerns. The Chrome Root Program and Security Team revealed that Chunghwa Telecom and Netlock will no longer be trusted by default in Chrome 139 and higher for certificates issued after July 31, 2025. This decision comes after […] The post Google to Remove Two Certificate Authorities from Chrome Root Store appeared first on Cyber Security News.
Google has announced plans to remove two Certificate Authorities (CAs) from Chrome’s Root Store due to ongoing security concerns.
The Chrome Root Program and Security Team revealed that Chunghwa Telecom and Netlock will no longer be trusted by default in Chrome 139 and higher for certificates issued after July 31, 2025.
This decision comes after what Google describes as “patterns of concerning behavior” that have eroded their confidence in these CA owners as publicly trusted certificate issuers.
Ongoing Compliance Failures
According to the Google Report, both Chunghwa Telecom and Netlock have demonstrated compliance failures and unmet improvement commitments over several months and years.
The Chrome team specifically cited “a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports” as reasons for the removal.
The Chrome Root Program Policy states that CA certificates included in the Chrome Root Store must provide value that exceeds the risk of their continued inclusion. Google has determined that these CAs no longer meet this threshold requirement.
The affected root certificates include:
- OU=ePKI Root Certification Authority,O=Chunghwa Telecom Co., Ltd.,C=TW.
- CN=HiPKI Root CA – G1,O=Chunghwa Telecom Co., Ltd.,C=TW.
- CN=NetLock Arany (Class Gold) Főtanúsítvány,OU=Tanúsítványkiadók (Certification Services),O=NetLock Kft.,L=Budapest,C=HU.
The implementation will utilize Chrome’s Signed Certificate Timestamp (SCT) feature to determine which certificates should no longer be trusted.
Transport Layer Security (TLS) server authentication certificates that validate to the affected root CA certificates, whose earliest SCT is dated after July 31, 2025, will no longer be trusted by default in Chrome 139 and higher.
Importantly, certificates issued on or before this cutoff date will continue to function normally until their expiration.
This approach aims to minimize disruption while maintaining security. Chrome users or enterprises that explicitly trust these certificates (for example, through Group Policy Objects on Windows) will override the SCT-based constraints, allowing certificates to function as they do today.
The change will affect Chrome on Windows, macOS, ChromeOS, Android, and Linux platforms, but not Chrome for iOS due to Apple’s policies regarding certificate verification.
Recommended Actions for Website Admins
Website operators can determine if they’re affected by using the Chrome Certificate Viewer.
If the “Organization (O)” field under “Issued By” contains “Chunghwa Telecom,” “行政院,” “NETLOCK Ltd.,” or “NETLOCK Kft.,” action is required.
Google recommends that affected website operators transition to a new publicly-trusted CA as soon as possible.
While operators could delay the impact by obtaining new certificates from these CAs before August 1, 2025, they will eventually need to switch to another CA included in the Chrome Root Store.
For testing purposes, Chrome 128 introduced a command-line flag to simulate the effect of an SCTNotAfter distrust constraint:
Enterprise users who utilize affected certificates for internal networks can override these constraints starting in Chrome 127 by installing the corresponding root CA certificate as a locally trusted root on the platform Chrome is running on, or by using enterprise policies.
When users navigate to websites serving affected certificates after the cutoff date, they will encounter a full-page security warning interstitial, effectively blocking access to the site.
As the digital landscape evolves, maintaining user trust will depend on relentless vigilance, rapid response to emerging threats, and a unified commitment to upholding the highest standards of cryptographic integrity.
Live Credential Theft Attack Unmask & Instant Defense – Free Webinar
The post Google to Remove Two Certificate Authorities from Chrome Root Store appeared first on Cyber Security News.
