Full Report
Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year." The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137. The update will affect all Transport Layer Security (TLS)
Analysis Summary
# Industry News: Google Chrome Distrusts Two CAs Over Compliance Failures
## Summary
Google has announced it will distrust digital certificates issued by two Certificate Authorities (CAs), Chunghwa Telecom and Netlock, starting with Chrome version 139 in August 2025, citing sustained patterns of compliance failures and concerning conduct. This action forces website operators using these CAs to immediately migrate their TLS/SSL certificates to maintain browser trust and avoid presenting users with full-screen security warnings.
## Key Details
- **Date:** Announced ahead of the expected Chrome 139 release (early August 2025); distrust is effective for certificates issued after July 31, 2025, 11:59:59 p.m. UTC.
- **Companies Involved:** Google (Chrome), Chunghwa Telecom (Taiwanese telecom CA), Netlock (Hungarian digital identity CA).
- **Category:** Ecosystem Integrity / Certificate Authority Policy Enforcement.
## The Story
Google's Chrome Security Team has determined that Chunghwa Telecom and Netlock have demonstrated persistent and unaddressed compliance failures related to their operations as publicly trusted CAs. Following months of observation, Google concluded that continued trust from the Chrome Root Program is unwarranted. Certificates issued by these two CAs after the cutoff date of July 31, 2025, will cause Chrome users (across desktop and mobile platforms) to encounter severe security warnings. While enterprises have an override mechanism via local root trust settings, general public web users will be blocked. This move continues a pattern of strict enforcement within the CA/Browser Forum Baseline Requirements ecosystem, following prior negative actions against other CAs like Entrust.
## Business Impact
### For the Companies Involved
- **Chunghwa Telecom & Netlock:** Face significant business disruption as their certificate issuance revenue from public-facing websites reliant on Chrome trust will cease for new or renewed certificates after the deadline. They must rapidly address underlying issues or pivot their business to non-publicly-trusted services (e.g., internal enterprise CAs).
- **Website Operators:** Any organization whose website relies on a certificate issued by these two CAs must undergo an immediate, unplanned migration to a different, currently trusted CA to ensure uninterrupted access for Chrome users.
### For Competitors
- **Trusted CAs (e.g., Sectigo, DigiCert, Let's Encrypt):** Will likely see an immediate increase in demand for new certificate issuance services from entities scrambling to replace the now-distrusted certificates. This presents a short-term revenue opportunity.
### For Customers
- **End Users:** Benefit from enhanced security, as browser vendors are proactively removing entities that fail to meet standards, reducing the risk of relying on potentially compromised or poorly managed CAs. They may temporarily experience site access issues if website operators fail to remediate quickly.
### For the Market
- **Digital Trust Ecosystem:** Reinforces the high-stakes environment for CAs. It signals that Google is willing to maintain a strict stance on the integrity of the public key infrastructure (PKI), emphasizing compliance and measurable progress over warnings.
## Technical Implications
The change will be implemented in Chrome 139, signifying a core update to the browser's internal trust anchor list (Chrome Root Store). Websites must ensure they retire certificates issued after the prescribed date and obtain new ones from an unbroken chain of trust recognized by Chrome. Enterprises relying on these CAs internally can mitigate immediate user disruption by deploying the original root CA certificate as a locally-trusted root within their managed endpoints.
## Strategic Analysis
- **Market Positioning:** Google solidifies its role as the ultimate arbiter of trust in the web ecosystem, especially concerning TLS/SSL security, independent of formal CA/Browser Forum audits if required corrective action is not taken.
- **Competitive Advantage:** For Google, this enhances Chrome's reputation for security by demonstrating rigorous oversight. For compliant CAs, this cleans up the competitive field.
- **Challenges:** The primary challenge is ensuring widespread adoption of the change by website operators before the rollout date to prevent mass browser-to-website connection errors.
## Industry Reactions
- **Analyst Opinions:** Analysts likely view this as a necessary, albeit disruptive, enforcement action demonstrating that ecosystem governance requires teeth. The focus on "patterns of concerning behavior" suggests the issues were long-standing and potentially systemic within the targeted CAs.
- **Expert Commentary:** PKI experts will emphasize the critical need for organizations to regularly audit their certificate supply chains and be prepared to switch CA vendors quickly, echoing previous events like the Entrust situation.
- **Market Response:** Short-term volatility is expected for the affected CAs' client bases, while established, highly compliant CAs will likely see business uplift.
## Future Outlook
- We can expect other browser vendors (Mozilla Firefox, Microsoft Edge) to eventually align their trust stores regarding these specific CAs, although the immediate trigger is Chrome-specific.
- Watch for Google to continue tightening requirements, potentially putting more pressure on CAs regarding emerging standards like Multi-Perspective Issuance Corroboration (MPIC), mentioned in the article snippet regarding recent CA/Browser Forum adoptions.
## For Security Professionals
Security teams relying on TLS certificates for their public or internal infrastructure must immediately inventory all externally facing certificates to confirm they were not issued by Chunghwa Telecom or Netlock *after* July 31, 2025. If they were, a remediation plan to switch to an approved CA must be executed promptly to avoid service outages for users on Chrome devices. Endpoint security managers should also review policies regarding locally-trusted roots, understanding that enterprise overrides exist but public web trust will be immediately severed for non-compliant certificates.
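The inventory check described above can be scripted. The following is an added example, not code from the original report or from Google: it flags inventory entries whose issuer names one of the two CAs and whose `notBefore` falls after the cutoff stated on this page. Matching on an issuer substring, treating `notBefore` as the issuance time, and the pipe-separated inventory format with its hosts and issuer strings are all assumptions made for illustration.

```python
import ssl

# CA names as given on this page; case-insensitive substring matching on the
# issuer field is an assumption, not Chrome's own matching logic.
DISTRUSTED_CA_NAMES = ("chunghwa telecom", "netlock")

# Cutoff from this page: July 31, 2025, 11:59:59 p.m. UTC.
CUTOFF = ssl.cert_time_to_seconds("Jul 31 23:59:59 2025 GMT")

# Constructed sample inventory: host | issuer | notBefore.
# The date uses the format printed by `openssl x509 -noout -startdate`.
SAMPLE_INVENTORY = """\
shop.example.test|O=Chunghwa Telecom (constructed), CN=Sample TLS CA|Aug  1 00:00:00 2025 GMT
api.example.test|O=NetLock (constructed), CN=Sample TLS CA|Jul 31 23:59:59 2025 GMT
www.example.test|O=Example Trusted CA (constructed), CN=Sample TLS CA|Sep 10 08:30:00 2025 GMT
"""


def classify(issuer, not_before):
    """Return 'replace', 'issued-before-cutoff' or 'unaffected' for one cert."""
    if not any(name in issuer.lower() for name in DISTRUSTED_CA_NAMES):
        return "unaffected"
    # notBefore stands in for the issuance time (assumption).
    issued = ssl.cert_time_to_seconds(not_before)
    # "After" the cutoff is strict: a cert stamped exactly at the cutoff
    # second is not flagged.
    return "replace" if issued > CUTOFF else "issued-before-cutoff"


def audit(inventory_text):
    """Map each host in the pipe-separated inventory to its verdict."""
    findings = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, issuer, not_before = (field.strip() for field in line.split("|"))
        findings[host] = classify(issuer, not_before)
    return findings


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Entries marked `issued-before-cutoff` are still worth tracking, because their renewal will fall after the cutoff and must go to a different CA.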