Google bans another misbehaving CA from Chrome

Google intends to ban digital certificates issued by Spanish certificate authority (CA) Camerfirma and remove support for them from Chrome, the browser maker announced this week.

The ban will come into effect with the launch of Chrome 90, scheduled for release in mid-April 2021.

After the Chrome 90 launch, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will show an error and will not load in Chrome going forward.

The decision to ban Camerfirma certificates was announced on Monday after the company was given more than six weeks to explain a string of 26 incidents related to its certificate-issuance process.

The incidents, detailed by Mozilla on this page, go back to March 2017.

Two of the most recent have taken place this month, January 2021, even after the company was made aware it was under investigation in December 2020.

The incidents paint a picture of a company that has failed to meet industry-agreed quality and security standards for issuing TLS certificates to website operators, software makers, and enterprise system administrators.

Just Chrome for now

Across the years, browser makers have often banded together to kick out certificate authorities that don’t follow these rules. Other CAs that have been banned from Chrome in the past include Symantec, DigiNotar, and WoSign and its subsidiary StartCom.

This led to companies like DigiNotar filing for bankruptcy and Symantec selling its CA business to DigiCert after their certificates became pariahs inside modern browsers.

At the time of writing, no other browser maker has announced a similar ban on Camerfirma certs, but industry experts expect similar decisions from the other three (Apple, Microsoft, and Mozilla) in the coming weeks.

Nevertheless, the Google ban alone is more than enough to cripple Camerfirma’s business. With Chrome holding a market share of around 60% to 70%, the ban is a de facto death blow.

A Camerfirma spokesperson has not returned a request for comment.
