Full Report
Google says it will no longer trust root CA certificates signed by Chunghwa Telecom and Netlock in the Chrome Root Store due to a pattern of compliance failures and failure to make improvements. [...]
Analysis Summary
# Vulnerability: Distrust of Chunghwa Telecom and Netlock Certificates in Google Chrome
## CVE Details
- CVE ID: N/A (This is a policy/trust anchor change, not a specific software vulnerability with a CVE)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Google Chrome (and potentially other Chromium-based browsers relying on the affected root certificate stores)
- Versions: All versions of Chrome that rely on the default trust store containing the certificates from Chunghwa Telecom and Netlock. (The distrust action applies to actively issued certificates, but the enforcement starts in August.)
- Configurations: Systems where users rely on websites secured by certificates issued by the distrusted Certificate Authorities (CAs).
## Vulnerability Description
Google is enforcing stricter security requirements for Certificate Authorities (CAs) by announcing the distrust of certificates issued by Chunghwa Telecom and Netlock (which is tied to Chunghwa Telecom). This decision follows previous failures by the CAs to meet industry compliance and security standards, similar to a recent action against Entrust. Certificates issued by these CAs that are currently active and signed up to July 31, 2025, will cease to be trusted by Google Chrome starting in August. This action stems from the CAs' failure to meet new mandatory security requirements announced by Google in March 2025.
## Exploitation
- Status: Not applicable (This is a preventive measure against future potential compromise via fraudulent certificates or CA compromise, not an active exploit against Chrome itself).
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Confidentiality: **Medium/High** (If currently trusted, users could be susceptible to MitM attacks via compromised or improperly issued certificates from these CAs during the transition period).
- Integrity: **Medium/High** (Similar to confidentiality, loss of trust undermines the integrity of secure connections).
- Availability: **Low/Medium** (Websites relying on these certificates will become inaccessible via Chrome until users or administrators switch to other valid certificates or utilize workarounds).
## Remediation
### Patches
- Google Chrome will implement the distrust mechanism in an upcoming update scheduled for August. Users should ensure Chrome is updated to the latest version after August to reflect the new trust policy automatically.
- Certificates signed up to July 31, 2025, are currently trusted but are scheduled for distrust. Replacement of these certificates is strongly recommended prior to the August enforcement date.
### Workarounds
- Impacted enterprises can override the browser's distrust decision by installing the affected root certificates as **locally trusted roots** on their managed systems.
- Users can switch to alternative browsers like Microsoft Edge, Mozilla Firefox, or Apple Safari, as they utilize different trust stores and are reportedly unaffected by this specific change.
## Detection
- Detection focuses on identifying active connections or infrastructure relying on certificates issued by Chunghwa Telecom or Netlock.
- **Indicators of Compromise:** Browsers (Chrome) throwing certificate warnings/errors for sites previously considered secure.
- **Detection Methods and Tools:** Auditing existing TLS/SSL certificate inventories for issuers matching Chunghwa Telecom or Netlock. Monitoring network traffic for connections attempting to validate against these roots post-August.
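
The inventory audit described above, sketched as an added example (not part of the original report or any vendor tooling). The CSV layout, hosts and issuer DNs are constructed for illustration. It assumes the issuing intermediates carry the CA's name in their issuer O or CN field, so any match should be confirmed against the full chain.

```python
import csv
import io
import re

# Name fragments from this page, matched case-insensitively in issuer O/CN.
DISTRUSTED_CA_NAMES = ("chunghwa telecom", "netlock")

# Constructed sample inventory: hosts and issuer DNs are hypothetical.
SAMPLE_INVENTORY = """host,issuer_dn,not_before
portal.example.tw,"CN=Example Issuing CA - G1,O=Chunghwa Telecom Co.\\, Ltd.,C=TW",2025-05-02
shop.example.hu,"CN=Example OV CA,O=NetLock Kft.,L=Budapest,C=HU",2025-06-18
www.example.com,"CN=Example TLS CA,O=Example Trust Services,C=US",2025-04-11
netlock-review.example.org,"CN=Other CA 7,O=Other CA Inc.,C=US",2025-01-20
"""

def parse_dn(dn):
    """Split an RFC 4514-style DN string into (attribute, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas only
        attr, _, value = rdn.partition("=")
        value = re.sub(r"\\(.)", r"\1", value.strip())  # undo backslash escapes
        pairs.append((attr.strip().upper(), value))
    return pairs

def matched_ca(issuer_dn):
    """Return the listed CA name found in the issuer's O or CN, else None."""
    for attr, value in parse_dn(issuer_dn):
        if attr in ("O", "CN"):
            for name in DISTRUSTED_CA_NAMES:
                if name in value.lower():
                    return name
    return None

def audit(inventory_csv):
    """Return inventory rows whose issuer matches a listed CA name."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        name = matched_ca(row["issuer_dn"])         # issuer only, never the hostname
        if name:
            findings.append({"host": row["host"], "matched": name,
                             "not_before": row["not_before"]})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The fourth sample row has "netlock" in its hostname but not in its issuer, and is correctly left out of the findings.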
## References
- Vendor advisory (Google Blog): hxxps://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
- Vendor advisory (Google Blog on CA requirements): hxxps://security.googleblog.com/2025/03/new-security-requirements-adopted-by.html
- News Summary: hxxps://www.bleepingcomputer.com/news/security/google-chrome-to-distrust-chunghwa-telecom-netlock-certificates-in-august/