Google bans another misbehaving CA from Chrome

Digital certificates issued by Spanish certificate authority Camerfirma will stop working in Chrome 90, in April.

Web browser closeup on LCD screen with shallow focus on https padlock

Getty Images/iStockphoto

Google intends to ban and remove support from Chrome for digital certificates issued by Spanish certificate authority (CA) Camerfirma, the browser maker announced this week.

ZDNet Recommends

The best accounting software for business or personal use

Our pick of the very best SMB accounting software.

Read More

The ban will come into effect with the launch of Chrome 90, scheduled for release in mid-April 2021.

After the Chrome 90 launch, all websites that use TLS certificates issued by Camerfirma to secure their HTTPS traffic will show an error and will not load in Chrome going forward.

The decision to ban Camerfirma certificates was announced on Monday after the company was given more than six weeks to explain a string of 26 incidents related to its certificate-issuance process.

The incidents, detailed by Mozilla on this page, go back to March 2017.

Two of the most recent have taken place this month, January 2021, even after the company was made aware it was under investigation in December 2020.

The incidents paint a picture of a company that has failed to meet industry-agreed quality and security standards in regards to the process of issuing TLS certificates for website operators, software makers, and enterprise system administrators.

Just Chrome for now

Across the years, browser makers have often banded together to kick out certificate authorities that don't follow these rules. Other CAs that have been banned from Chrome in the past include SymantecDigiNotar, and WoSign and its subsidiary StartCom.

This led to companies like DigiNotar filing for bankruptcy and Symantec selling its CA business to DigiCert after their certificates became pariahs inside modern browsers.

At the time of writing, no other browser maker has announced a similar ban on Camerfirma certs but industry experts expect similar decisions from the other three (Apple, Microsoft, and Mozilla) in the coming weeks.

Nevertheless, just the Google ban alone is more than enough to cripple Camerfirma's business. With a market share of around 60% to 70%, the Chrome ban is a de-facto death blow to the company's TLS cert business.

As a Camerfirma spokesperson pointed out to ZDNet in an email, the ban does not impact the company's other type of certificates, such as those used for signatures and non-browser related cryptographic operations.

"Google's decision does not affect, in any case, all client authentication certificates (citizen, proxy, legal representative, corporate, representative before Public Administration agencies, etc.), which will continue to be valid, recognized and accepted in all browsers," Camerfirma told ZDNet.

"Camerfirma certificates will have their current authentication uses guaranteed before Public Administration agencies in order to continue carrying out the usual procedures with them, as well as the uses of digital signature in the private sphere and in the sphere of Public Administration," it said.

"This will have no impact on the Tax Return campaign this year, as citizens will be able to continue to gain access using their Camerfirma digital certificate both for authentication before the Tax Agency and to file their annual tax returns and sign it digitally from any browser," said Camerfirma, which provides digital authentication certificates in Spain and other Spanish-speaking countries.

Article updated on February 4 with comment from Camerfirma.