Google announced it will remove default trust for certificates issued by Chunghwa Telecom and Netlock from the Chrome Root Store, citing patterns of concerning behavior and compliance failures.
The decision affects millions of Chrome users worldwide and reflects Google’s commitment to maintaining security standards for encrypted web connections.
Starting with Chrome 139, new certificates from these authorities will no longer be trusted by default, though existing certificates issued before the deadline remain unaffected.
The distrust action will take effect on approximately August 1, 2025, impacting Chrome versions 139 and higher across Windows, macOS, ChromeOS, Android, and Linux platforms.
The implementation uses Signed Certificate Timestamps (SCT) as the determining factor—TLS server authentication certificates with SCT dates after July 31, 2025, 11:59:59 PM UTC will trigger security warnings.
Google’s approach attempts to minimize disruption by grandfathering existing certificates. Those with SCT dates on or before the July 31 deadline will continue functioning normally until their natural expiration.
The company has also provided enterprise override mechanisms, allowing organizations to maintain internal trust relationships through Group Policy Objects on Windows or platform-specific certificate stores.
Chrome users encountering affected certificates after the deadline will see a full-page security interstitial warning, similar to those displayed for other certificate validation failures.
Website operators can check whether their sites are affected using Chrome's Certificate Viewer: a certificate is in scope if the "Organization" field under "Issued By" contains "Chunghwa Telecom," "行政院," "NETLOCK Ltd.," or "NETLOCK Kft."
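The issuer check and SCT cutoff described above can be applied across a certificate inventory. The following is an added example, not code from Google or Chrome. The record layout, host names and sample dates are constructed, and it assumes the earliest SCT on a certificate is the one compared against the cutoff.

```python
from datetime import datetime, timezone

# Cutoff and issuer "Organization" strings exactly as given in the article.
SCT_CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)
AFFECTED_ORGS = ("Chunghwa Telecom", "行政院", "NETLOCK Ltd.", "NETLOCK Kft.")

def triage(cert):
    """Return (status, migrate_by) for one inventory record (hypothetical layout)."""
    issuer = cert["issuer_org"].casefold()
    if not any(org.casefold() in issuer for org in AFFECTED_ORGS):
        return ("unaffected", None)
    if cert.get("locally_trusted_root"):
        # Enterprise override: the root is installed as locally trusted.
        return ("local-override", None)
    scts = [datetime.fromisoformat(t) for t in cert["sct_times"]]
    if not scts:
        return ("review", None)  # no SCT dates recorded: the date rule cannot be applied
    # Assumption of this example: the earliest SCT is the one compared.
    if min(scts) > SCT_CUTOFF:
        return ("distrusted", None)
    # Grandfathered: keeps working until expiry, so expiry is the migration deadline.
    return ("grandfathered", datetime.fromisoformat(cert["not_after"]))

# Constructed sample inventory (hosts, issuers and dates are illustrative only).
INVENTORY = [
    {"host": "shop.example", "issuer_org": "Example Trust Services",
     "sct_times": ["2025-08-10T09:00:00+00:00"], "not_after": "2026-08-10T09:00:00+00:00"},
    {"host": "mail.example", "issuer_org": "Chunghwa Telecom Co., Ltd.",
     "sct_times": ["2025-07-31T23:59:59+00:00"], "not_after": "2026-07-31T23:59:59+00:00"},
    {"host": "api.example", "issuer_org": "NETLOCK Kft.",
     "sct_times": ["2025-08-01T00:00:00+00:00"], "not_after": "2026-08-01T00:00:00+00:00"},
    {"host": "intra.example", "issuer_org": "行政院", "locally_trusted_root": True,
     "sct_times": ["2025-09-01T00:00:00+00:00"], "not_after": "2026-09-01T00:00:00+00:00"},
]

def triage_all(inventory):
    """Map each host to its (status, migrate_by) result."""
    return {c["host"]: triage(c) for c in inventory}

if __name__ == "__main__":
    for host, (status, migrate_by) in triage_all(INVENTORY).items():
        print(f"{host:15} {status:15} {migrate_by or ''}")
```

An SCT dated exactly at the cutoff still counts as grandfathered, and the returned date for those records is the certificate's own expiry.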
Chrome Root Store
The decision stems from accumulated compliance failures and unmet improvement commitments observed over several months.
Google emphasized that Certificate Authorities hold a privileged position in internet security infrastructure, underpinning encrypted connections between browsers and websites.
This responsibility requires adherence to CA/Browser Forum TLS Baseline Requirements and consensus-driven security standards.
Chrome’s Root Program Policy mandates that included Certificate Authorities provide value exceeding the risk of their continued inclusion.
Google’s confidence in both Chunghwa Telecom and Netlock has diminished due to what the company describes as “patterns of concerning behavior” representing a loss of integrity.
The absence of tangible, measurable progress following publicly disclosed incident reports further justified the distrust action.
Recommendations
Website operators using affected certificates should transition to alternative publicly-trusted Certificate Authorities as soon as possible.
Google recommends completing this migration before existing certificates expire, particularly if expiration occurs after July 31, 2025.
While operators could temporarily avoid disruption by obtaining new certificates from these CAs before August 1, eventual migration remains inevitable.
Enterprise users have additional flexibility through local trust mechanisms. Beginning with Chrome 127, organizations can override Chrome Root Store constraints by installing corresponding root certificates as locally-trusted on their platforms.
Microsoft Certificate Store integration provides this capability for Windows environments.
Chrome 128 introduced a command-line flag allowing administrators to simulate the SCTNotAfter distrust constraint before implementation, enabling proactive testing.
The flag accepts comma-separated SHA256 hashes of trust anchor certificates and epoch timestamps for evaluation purposes.
Google indicated that updates for other Google products may follow, though no specific timeline was provided.
The action represents part of Chrome’s broader effort to maintain ecosystem integrity while safeguarding user security through rigorous Certificate Authority oversight.