Entrust's Cautionary Tale
AI written, human edited.
In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte dug into the shocking decline of Entrust, one of the oldest certificate authorities (CAs) in the industry. The discussion painted a picture of a once-respected company brought low by what appears to be a toxic mix of arrogance, mismanagement, and the influence of private equity ownership.
Gibson walked listeners through the events leading up to Google's announcement that Chrome would no longer trust Entrust's certificates after October 31, 2024. This decision effectively signals the end of Entrust's certificate business, as Chrome's market dominance means other browsers are likely to follow suit.
The hosts emphasized several key points:
1. A Pattern of Non-Compliance: Entrust had repeatedly failed to adhere to industry standards and best practices over several years. This included missing required fields in certificates, failing to revoke misissued certificates in a timely manner, and ignoring community concerns.
2. Arrogance in the Face of Scrutiny: When confronted by the CA/Browser Forum community about these issues, Entrust's responses were described as dismissive and evasive. The company seemed to believe it was above the rules that govern the industry.
3. The Role of Private Equity: Both hosts speculated on whether Entrust's 2009 acquisition by private equity firm Thoma Bravo might have contributed to the decline in standards. Laporte drew parallels to other companies that have suffered after private equity takeovers.
4. The Importance of Public Trust: Gibson and Laporte stressed that being a CA is not just a business, but a public trust. Entrust's apparent prioritization of profits over security responsibilities was seen as a fundamental breach of this trust.
5. Industry Self-Regulation: The episode highlighted the CA/Browser Forum's role in setting and enforcing standards. The community's patience and multiple attempts to bring Entrust into compliance were noted, as was the ultimate necessity of Google's action.
6. Technical Specifics: Gibson detailed some of the technical violations, such as missing CPS URIs in EV certificates and failures to meet the 120-hour revocation deadline for misissued certificates.
The hosts concluded that Entrust's downfall serves as a stark warning to other CAs and tech companies holding positions of trust. Laporte summed it up succinctly: "This is what happens when people who only run businesses don't understand the difference between a business, a profit-seeking enterprise, and a public trust."
As the industry moves forward, the Entrust case will likely serve as a cautionary tale about the critical importance of maintaining trust, following agreed-upon standards, and understanding the unique responsibilities that come with being a cornerstone of internet security infrastructure.
For those relying on Entrust certificates, the message is clear: start planning to switch providers before the October 31, 2024 deadline. The wider tech community will be watching closely to see how this shakeup affects the CA landscape and whether it leads to improved practices across the industry.
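The two technical points above (EV certificates missing a CPS URI, and the 120-hour revocation window) and the advice to inventory Entrust-issued certificates before the cut-off can be turned into a simple check. The following is an added example, not code from the episode or from Entrust: it assumes the Python `cryptography` package, builds self-signed stand-in certificates in-code (the issuer names and the CPS URL are constructed, and the EV policy OID 2.23.140.1.1 is the CA/Browser Forum identifier rather than something from this page), and uses a certificate's notBefore as a stand-in for its issuance date.

```python
"""Added example: flag Entrust-issued certificates and EV certificates without a CPS URI.

Assumes the `cryptography` package. All certificates checked here are constructed,
self-signed stand-ins built by make_test_cert(); nothing is fetched from a real CA.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# Chrome's cut-off as stated in the episode summary.
DISTRUST_AFTER = datetime(2024, 10, 31, 23, 59, 59, tzinfo=timezone.utc)
# Revocation deadline for a misissued certificate, as discussed in the episode.
REVOCATION_WINDOW = timedelta(hours=120)
# CA/Browser Forum EV policy identifier (a real OID; assumption: EV is asserted by this OID).
EV_POLICY_OID = x509.ObjectIdentifier("2.23.140.1.1")


def _not_before(cert):
    """Timezone-aware notBefore that works across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:
        nb = cert.not_valid_before.replace(tzinfo=timezone.utc)
    return nb


def issued_by_entrust(cert):
    """True if the issuer's O or CN names Entrust (plain string match on the DN)."""
    attrs = (cert.issuer.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
             + cert.issuer.get_attributes_for_oid(NameOID.COMMON_NAME))
    return any("entrust" in a.value.lower() for a in attrs)


def _policies(cert):
    """The certificatePolicies entries, or an empty list if the extension is absent."""
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES)
    except x509.ExtensionNotFound:
        return []
    return list(ext.value)


def asserts_ev(cert):
    return any(p.policy_identifier == EV_POLICY_OID for p in _policies(cert))


def has_cps_uri(cert):
    """True if any policy carries a CPS pointer (cryptography exposes it as a str qualifier)."""
    return any(isinstance(q, str)
               for p in _policies(cert) for q in (p.policy_qualifiers or []))


def revocation_overdue(reported_at, now):
    """True once more than 120 hours have passed since the misissuance was reported."""
    return now > reported_at + REVOCATION_WINDOW


def assess(cert):
    """Findings a defender would act on for one certificate in an inventory."""
    findings = []
    if issued_by_entrust(cert):
        findings.append("issued by Entrust: plan a move to another CA")
        # Assumption: notBefore stands in for the issuance date.
        if _not_before(cert) > DISTRUST_AFTER:
            findings.append("issued after the Chrome cut-off: Chrome will not trust it")
    if asserts_ev(cert) and not has_cps_uri(cert):
        findings.append("EV policy asserted without a CPS URI")
    return findings


def make_test_cert(issuer_org, not_before, cps_uri=None):
    """Constructed self-signed stand-in certificate for this example (not a real CA cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, issuer_org),
        x509.NameAttribute(NameOID.COMMON_NAME, "example stand-in"),
    ])
    policy = x509.PolicyInformation(EV_POLICY_OID, [cps_uri] if cps_uri else None)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(not_before)
            .not_valid_after(not_before + timedelta(days=90))
            .add_extension(x509.CertificatePolicies([policy]), critical=False)
            .sign(key, hashes.SHA256()))


def demo():
    """Run the checks over three constructed certificates and return the findings."""
    before = datetime(2024, 6, 1, tzinfo=timezone.utc)
    after = datetime(2024, 12, 1, tzinfo=timezone.utc)
    cps = "https://example.invalid/cps"  # constructed URL
    certs = {
        "entrust_old_ev_no_cps": make_test_cert("Entrust, Inc. (stand-in)", before),
        "entrust_new_ev_with_cps": make_test_cert("Entrust, Inc. (stand-in)", after, cps),
        "other_ca_ev_with_cps": make_test_cert("Other CA (stand-in)", before, cps),
    }
    report = {name: assess(cert) for name, cert in certs.items()}
    report["revocation_overdue"] = revocation_overdue(before, before + timedelta(hours=121))
    return report


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings)
```

To use it on a real inventory, replace the constructed certificates in `demo()` with `x509.load_pem_x509_certificate()` calls over the PEM files you export from your load balancers and servers; the issuer match is a string check on the DN, so tighten it to your own list of Entrust root and intermediate names if your inventory contains unrelated organisations with similar names.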