from Hacker News

Entrust Certificate Distrust

by iancarroll on 6/27/24, 5:22 PM with 111 comments

• by bpfrh on 6/28/24, 6:09 PM

  There is a more detailed statement in the chrome CCADB Public group:

  https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM...

• by xeeeeeeeeeeenu on 6/28/24, 2:35 PM

  It always fascinates me when this happens. Don't the CAs understand that the browser vendors can and will kill their business if they don't comply with the rules? It's not like a fine that can be ignored.

  How dysfunctional does a company have to be to let this happen?

• by mikeiz404 on 6/28/24, 6:22 PM

  > This approach attempts to minimize disruption to existing subscribers using a recently announced Chrome feature to remove default trust based on the SCTs (signed certificate timestamps) in certificates.

  I was wondering how Chrome was able to revoke a certificate based on time without trusting the CA to not back date certificates and it looks like this is due to being able to trust certificate transparency logs instead. This is where they get the signed certificate timestamps (SCT) from.

  See also https://certificate.transparency.dev/howctworks/

• by aaomidi on 6/28/24, 4:01 PM

  I’m one of the people who really went in depth with Entrust (Amir on Bugzilla).

  I’m also an author on https://webpki.substack.com. I will be writing my thoughts on the distrust soon.

  I can try to answer any questions folks may have. I can also help folks find ways they can also be involved!

  Root programs can only do so much and need surveillance of the CAs from the community.

• by zX41ZdbW on 6/28/24, 8:57 PM

  The list of affected websites, just in case: https://pastila.nl/?000882d6/bed25fdc842914abbc89e528012a961...

• by 1oooqooq on 6/28/24, 9:48 PM

  All the google root security team's due diligence email are just a list of links to firefox's bugzilla who documented and followed up on all the issues.

  https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM...

• by dextercd on 6/27/24, 6:56 PM

  I wonder if Entrust can survive this. Even if Web-PKI doesn't account for the majority of their income (which it might, I genuinely don't know) this is a huge blow to their credibility.

  And for a CA, credibility is everything

• by amluto on 6/28/24, 9:38 PM

  > Additionally, should a Chrome user or enterprise explicitly trust any of the above certificates on a platform and version of Chrome relying on the Chrome Root Store (e.g., explicit trust is conveyed through a Group Policy Object on Windows), the SCT-based constraints described above will be overridden and certificates will function as they do today.

  This continues to annoy me. Chrome (and other browsers) have detailed trust constraints, e.g. SCTNotAfter, in their own root stores. Why can’t administrators do the same thing?

• by nahikoa on 6/27/24, 6:22 PM

  The issues identified really show a dumpster fire: https://bugzilla.mozilla.org/buglist.cgi?o2=greaterthaneq&sh...

  Directly from Entrust: "Yes, there has been ongoing internal discussion and reflection on the issues found in this and other incidents, which has led to the action items described previously and ongoing changes, including the decision to revoke the certificates affected by this bug. Exceptional circumstances would need to be provided and justified by the Subscribers. Given the nature of the feedback we have received to date, we doubt that the community has any real interest in anything that Entrust could suggest, except to use against Entrust in a destructive, not constructive, way. We therefore would like more explicit and clear guidelines or a definition of “exceptional circumstances” to be adopted and applied equally to all CAs, perhaps through updates in the CA/B Forum requirements."

  https://bugzilla.mozilla.org/show_bug.cgi?id=1888714

• by kseifried on 6/28/24, 3:48 PM

  Entrust has BIMI certs which use a different root (CN = Entrust Verified Mark Root Certification Authority - VMCR1) and for which your choices of a BIMI certificate are: Entrust or Digicert. I doubt it makes as much money as their web certs (BIMI certs are not super common, and they are expensive to issue since there's an actual validation process that typically involves a public notary validating the ID of a corporate officer). If you believe https://bimiradar.com/glob

  it looks like Entrust is selling on the order of a few dozen certs a week to maybe upwards of 100-200.

  EDIT: I've asked Google if Gmail will be discontinuing support for Entrusts VMC certificate (and thus BIMI logos), I would guess not since BIMI has some actual requirements, but assumptions are not the best way to make decisions about risk (like our BIMI logo not working later this fall).

• by lambdaone on 6/29/24, 11:25 AM

  I've always thought that company names like "Entrust" are hostages to fortune, daring the Fates to intervene. In this case the Fates are the browser vendors.

  There's now also the problem of competing with a free alternative that increasingly almost everyone knows about.

• by rxu on 6/28/24, 2:32 PM

  Can someone ELI5 what the violations linked in the first line are? They seem pretty minor to me but I don't understand certs

• by Animats on 6/29/24, 12:43 AM

  "Entrust encrypts and secures more than 24 million Swift messages daily."

  Wonder how secure that is? That has real potential for extracting value.

• by crazysim on 6/27/24, 5:57 PM

  Some popular users:

  chase.com aa.com

• by noname120 on 6/28/24, 2:25 PM

  The real question is: why didn't they get booted out earlier?

• by Tfoote01 on 7/8/24, 1:01 AM

  I worked there. It doesn't surprise me at all!

• by ranger_danger on 6/29/24, 8:11 PM

  I wonder what the chances are that some government has compromised one of the many "trusted" CA certs used by all browsers on earth?

• by dextercd on 6/28/24, 11:48 PM

  Has there been any public comment about this from Entrust yet?

• by cedws on 6/28/24, 4:30 PM

  I wonder which root CA the intelligence agencies use to selectively MITM TLS traffic a la Crypto AG.