In a significant move to bolster online security, Google has announced that its Chrome browser will no longer trust digital certificates issued by Chunghwa Telecom and Netlock, citing patterns of concerning behavior observed over the past year. This change is slated to take effect with the release of Chrome version 139, scheduled for early August 2025.
Background on Certificate Authorities
Certificate Authorities (CAs) are pivotal in the digital ecosystem, issuing certificates that authenticate the identity of websites and enable secure, encrypted connections between users and web services. The trustworthiness of these CAs is fundamental to maintaining the integrity and security of online communications.
Details of the Distrust Decision
The forthcoming update will impact all Transport Layer Security (TLS) server authentication certificates issued by Chunghwa Telecom and Netlock after July 31, 2025, at 11:59:59 p.m. UTC. Certificates issued prior to this date will remain unaffected.
Chunghwa Telecom, headquartered in Taiwan, is the nation’s largest integrated telecom service provider. Netlock, based in Hungary, offers a range of digital identity solutions, including electronic signatures, time stamping, and authentication services.
Google’s Chrome Root Program and Security Team have observed a pattern of compliance failures and unmet improvement commitments from these CAs. Despite previous incident reports and opportunities to rectify these issues, both Chunghwa Telecom and Netlock have demonstrated insufficient progress. Consequently, Google has determined that continued public trust in these entities is no longer justified.
Implications for Users and Website Operators
Starting in August 2025, Chrome users on platforms including Windows, macOS, ChromeOS, Android, and Linux who visit websites utilizing certificates from Chunghwa Telecom or Netlock issued after the specified cutoff date will encounter full-screen security warnings. These alerts will inform users that their connection is not secure, potentially deterring them from proceeding to the site.
Website operators currently relying on certificates from these CAs are advised to proactively assess their certificate inventories. Utilizing Chrome’s Certificate Viewer can help identify affected certificates. To prevent user disruption and maintain trust, transitioning to a different publicly trusted CA before the end of July 2025 is strongly recommended.
Enterprise Considerations
Organizations managing internal networks have the option to override Chrome’s default settings by installing the affected root CA certificates as locally trusted roots on their systems. This approach can mitigate disruptions within controlled environments. However, for public-facing services, adhering to Google’s recommendations and migrating to a trusted CA is the preferred course of action to ensure compliance and security.
Context and Precedents
This decision follows similar actions by major tech companies to uphold stringent security standards. In November 2024, Google Chrome, along with Apple and Mozilla, ceased trusting root CA certificates signed by Entrust due to compliance and conduct issues. Entrust subsequently sold its certificate business to Sectigo.
Additionally, in March 2025, Google announced the adoption of Multi-Perspective Issuance Corroboration (MPIC) and Linting as required practices in the CA/Browser Forum’s Baseline Requirements. These measures aim to enhance domain control validation and identify insecure practices in X.509 certificates, further emphasizing the industry’s commitment to robust security protocols.
Conclusion
Google’s decision to distrust certificates from Chunghwa Telecom and Netlock underscores the critical importance of compliance and reliability among Certificate Authorities. Website operators and enterprises must take immediate action to assess their current certificates and transition to trusted CAs to maintain secure and uninterrupted user experiences. Staying informed about such developments is essential for safeguarding online communications and upholding user trust in the digital landscape.
