
Google's Strategic Move to Enhance Web Security by Distrusting Chunghwa Telecom and Netlock Certificates
Google’s decision to distrust certificates from Chunghwa Telecom and Netlock marks a significant move in the ongoing effort to enhance web security. This decision is rooted in repeated compliance failures by these Certificate Authorities (CAs), which have not met the stringent security and transparency standards set by the Chrome Root Program Policy. These standards are crucial for maintaining the integrity of digital certificates, which are essential for secure web communications. The compliance issues have persisted despite warnings, leading to a loss of trust in their ability to issue reliable certificates, as noted by Cyber Insider. This move is part of Google’s broader strategy to protect users from potential security threats by ensuring only trustworthy certificates are used to authenticate websites.
Reasons for Distrust
Compliance Failures
Google’s decision to distrust Chunghwa Telecom and Netlock certificates is primarily driven by repeated compliance failures. Both Chunghwa Telecom and Netlock have been unable to meet the stringent security and transparency standards expected of Certificate Authorities (CAs) under the Chrome Root Program Policy. The policy mandates that CAs must adhere to industry standards, particularly the CA/Browser Forum’s Baseline Requirements. These requirements are designed to ensure the security and reliability of digital certificates, which are crucial for maintaining secure web communications.
The compliance issues with Chunghwa Telecom and Netlock have been ongoing, with both entities failing to address the concerns raised by Google and other stakeholders in the cybersecurity community. This pattern of non-compliance has eroded trust in their ability to issue secure and reliable certificates, prompting Google to take action by removing their certificates from the trusted list in Chrome 139 and later versions.
Erosion of Trust
The erosion of trust in Chunghwa Telecom and Netlock stems from a series of incidents and behaviors that have raised concerns about their integrity as publicly-trusted certificate issuers. According to Cyber Insider, both companies have been part of the public key infrastructure (PKI) that secures encrypted web traffic. However, their failure to maintain compliance with industry standards has led to a loss of confidence in their ability to fulfill this role effectively.
The decision to remove trust in their certificates is part of a broader effort by Google to enhance the security of the Chrome Root Store and protect users from potential security threats. By withdrawing trust from CAs that fail to meet expectations, Google aims to preserve the integrity of the Chrome Root Store and ensure that only reliable and secure certificates are used to authenticate websites.
Patterns of Concerning Behavior
Over the past year, Google has observed patterns of concerning behavior from Chunghwa Telecom and Netlock that have contributed to the decision to distrust their certificates. These patterns include a lack of transparency in their certificate issuance processes and a failure to implement necessary security measures to protect against vulnerabilities. As highlighted by Sechub, these behaviors represent a significant deviation from the standards expected of CAs and have raised red flags about their ability to operate securely and transparently.
The concerning behavior observed by Google is not limited to technical failures but also includes issues related to governance and oversight. Both Chunghwa Telecom and Netlock have been criticized for their lack of responsiveness to incidents and their failure to demonstrate meaningful improvements in their operations. This lack of accountability has further undermined trust in their certificates and contributed to Google’s decision to remove them from the trusted list.
Impact on Website Operators
The decision to distrust Chunghwa Telecom and Netlock certificates has significant implications for website operators who rely on these CAs for their TLS certificates. As noted by Cyber Insider, website operators must transition to a different, trusted CA before issuing or renewing certificates after July 31, 2025. Failure to do so will result in security warnings for users accessing their websites, potentially leading to a loss of trust and credibility.
To mitigate the impact of this change, Google has provided tools and guidance for website operators to check their certificate issuer details and transition to a new CA. The Chrome Certificate Viewer tool allows operators to verify if their certificates are issued by Chunghwa Telecom or Netlock and take appropriate action to replace them before the deadline. This proactive approach is essential to avoid service disruptions and maintain the security and integrity of web communications.
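The issuer check described above can also be scripted across many hosts. The following is an added example, not code from Google or from the cited sources; it assumes the affected CAs can be recognized by the names used in this article appearing in the issuer's organizationName, and it uses the certificate's notBefore field as a stand-in for the issuance date.

```python
import socket
import ssl
from datetime import datetime, timezone

# CA names as written in the article; substring matching on the issuer's
# organizationName is an assumption of this example.
AFFECTED_CAS = ("chunghwa telecom", "netlock")
# Date from the article; the end-of-day UTC boundary is an assumption.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)

def issuer_org(cert):
    """Pull organizationName out of the nested tuples getpeercert() returns."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def classify(cert):
    """Return 'unaffected', 'migrate-before-renewal' or 'distrusted'."""
    org = issuer_org(cert).lower()
    if not any(name in org for name in AFFECTED_CAS):
        return "unaffected"
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    # notBefore approximates the issuance time (assumption of this example).
    return "distrusted" if not_before > CUTOFF else "migrate-before-renewal"

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live host's leaf certificate; needs a locally trusted chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _sample(org, not_before):
    """Build a constructed certificate dict in getpeercert() format."""
    return {"issuer": ((("organizationName", org),),
                       (("commonName", "Constructed Sample CA"),)),
            "notBefore": not_before}

# Constructed samples, not real certificates.
SAMPLES = {
    "old-site": _sample("Chunghwa Telecom Co., Ltd.", "Mar 10 08:00:00 2025 GMT"),
    "renewed-site": _sample("NetLock Kft.", "Aug 15 00:00:00 2025 GMT"),
    "other-site": _sample("Example Trust Services", "Aug 15 00:00:00 2025 GMT"),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name}: {issuer_org(cert)} -> {classify(cert)}")
```

For a live inventory, pass the result of `fetch_cert("your-host.example")` to `classify`; the hostname here is a placeholder.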
Broader Security Measures
The distrust of Chunghwa Telecom and Netlock certificates is part of a broader effort by Google to enhance the security of HTTPS and address longstanding weaknesses in certificate issuance processes. As part of the “Moving Forward, Together” roadmap, Google has implemented several measures to strengthen the security of digital certificates, including the enforcement of Multi-Perspective Issuance Corroboration (MPIC) and mandatory certificate linting. These measures are designed to ensure that CAs adhere to the highest standards of security and transparency, and to prepare the ecosystem for emerging challenges like quantum-era cryptography.
The decision to remove trust from Chunghwa Telecom and Netlock is consistent with Google’s previous actions against other CAs that have failed to meet compliance standards. By taking a firm stance against non-compliant CAs, Google aims to create a more secure and reliable web environment for users and maintain the integrity of the Chrome Root Store.
Final Thoughts
The removal of trust in Chunghwa Telecom and Netlock certificates underscores Google’s commitment to maintaining a secure web environment. By enforcing strict compliance with industry standards, Google aims to preserve the integrity of the Chrome Root Store and protect users from potential threats. This decision also highlights the importance of transparency and accountability among Certificate Authorities, as emphasized by Sechub. Website operators affected by this change must transition to trusted CAs to avoid disruptions and maintain user trust. Google’s proactive measures, including tools and guidance for transitioning, demonstrate a commitment to supporting the web community in adapting to these changes.
References
- Hendry, A. (2025). Chrome to distrust Chunghwa Telecom and Netlock certificates. Retrieved from https://www.hendryadrian.com/chrome-to-distrust-chunghwa-telecom-and-netlock-certificates/
- Cyber Insider. (2025). Google to drop trust for Chunghwa Telecom and Netlock certificates in Chrome. Retrieved from https://cyberinsider.com/google-to-drop-trust-for-chunghwa-telecom-and-netlock-certificates-in-chrome/
- Sechub. (2025). View on Chunghwa Telecom and Netlock certificate issues. Retrieved from https://sechub.in/view/3063352