2 Certificate Authorities Now Distrusted by Google — Due to Compliance Issues

Google has announced it has removed default trust of two certificate authorities (CAs), citing a pattern of compliance problems as well as repeated failures to improve upon these issues. Google Chrome version 139 will introduce this change, scheduled for release on August 1, 2025.
The CAs in question are Chunghwa Telecom and Netlock.
The announcement states, “Chrome’s confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year. These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome.”
Below, security leaders share their thoughts on the importance of compliance and trust for CAs.
Security Leaders Weigh In
Jason Soroko, Senior Fellow at Sectigo:
The CA/Browser Forum’s Baseline Requirements set the minimum global rules for publicly-trusted CAs: how identities are vetted, how certificates are logged and audited, and, crucially, how quickly mis-issued certificates must be revoked (24 hours for high-risk problems and no more than five days for most others).
Chunghwa Telecom was out of compliance, mis-issued certificates, and took longer than required to revoke them. NetLock committed similar out-of-compliance activities.
Both CAs repeatedly went past the Baseline-Requirement revocation deadlines, leaving invalid certificates active beyond the allowed window, prompting Chrome to withdraw their default trust.
Trey Ford, Chief Information Security Officer at Bugcrowd:
The Internet has a number of foundational trust mechanisms, and they all radiate from our confidence in Domain Name Services (DNS), which answers the question “How do I find this site or service?”, and Certificate Authorities (CAs), which answer “How can I be sure this site or service is who they claim to be? Can I trust this app?”.
There is a high cost for vigilance and accountability for these foundational services, and enterprises and consumers have widely entrusted those monitoring efforts to the major browser providers. Divergent from Mozilla’s recent decision to deprecate Entrust with a detailed explanation, Google’s Chrome team has announced the removal of China’s Chunghwa Telecom, and the Hungarian Netlock CA from their root certificate store — without an explanation of why.
There will be a lot of speculation around why the decision was made — both to deprecate the CAs, and to do so without a thorough and public explanation. As one of the super-scaler cloud providers, supporting enterprises, consumers, and public sector customers, Google’s decision to do so does not come as a surprise, and I trust they will ultimately be found acting in the general public’s best interest in this decision.
Thomas Richards, Infrastructure Security Practice Director at Black Duck:
Removing Chunghwa Telecom and NetLock root CA certificates from Chrome can disrupt the secure TLS communications with any host that uses certificates issued by those authorities. The certificates used to secure communications with websites are built on trust; if an organization breaks that trust they should be removed as a trusted issuing authority. Their customers will be impacted with broken security and some users may not be able to reach their websites, however, accountability and compliance are core requirements of doing business, so the issuing authorities need to maintain a level of compliance and security to remain a trusted certificate issuer.
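As an added defender-side example (not code from the article or from any of the quoted companies), the script below applies the two points made in the commentary above: it checks mis-issuance incidents against the Baseline Requirements revocation windows Soroko describes, and flags inventory entries issued by the two named CAs that will still be valid when Chrome 139 ships. Matching on the issuer organizationName, the sample inventory and its hostnames are constructed assumptions; real enforcement keys on root certificate fingerprints, which the article does not give.

```python
from datetime import datetime, timedelta, timezone

# CA owner names and the Chrome 139 release date as stated in the article.
# Matching on organizationName is an assumption made for this example.
DISTRUSTED_CA_OWNERS = ("Chunghwa Telecom", "NetLock")
CHROME_139_RELEASE = datetime(2025, 8, 1, tzinfo=timezone.utc)

# Baseline Requirements revocation windows as quoted in the commentary.
HIGH_RISK_WINDOW = timedelta(hours=24)
STANDARD_WINDOW = timedelta(days=5)


def revocation_deadline_met(detected_at, revoked_at, high_risk):
    """True if a mis-issued certificate was revoked inside its BR window.

    An unrevoked certificate (revoked_at is None) is measured against the
    current time, so an open incident that has overrun its window fails too.
    """
    window = HIGH_RISK_WINDOW if high_risk else STANDARD_WINDOW
    end = revoked_at or datetime.now(timezone.utc)
    return end - detected_at <= window


def issued_by_distrusted_ca(issuer_org):
    """Case-insensitive match of an issuer organizationName against the list."""
    org = issuer_org.lower()
    return any(name.lower() in org for name in DISTRUSTED_CA_OWNERS)


def certs_needing_replacement(inventory, cutoff=CHROME_139_RELEASE):
    """Hostnames whose certificate Chrome will stop trusting at the cutoff.

    inventory: dicts with keys host, issuer_org, not_after (aware datetime).
    A certificate expiring before the cutoff rotates away on its own, so only
    certificates still valid when the distrust takes effect are listed.
    """
    return sorted(
        rec["host"] for rec in inventory
        if issued_by_distrusted_ca(rec["issuer_org"]) and rec["not_after"] > cutoff
    )


# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE_INVENTORY = [
    {"host": "portal.example.net", "issuer_org": "Chunghwa Telecom Co., Ltd.",
     "not_after": datetime(2026, 3, 1, tzinfo=timezone.utc)},
    {"host": "api.example.hu", "issuer_org": "NetLock Kft.",
     "not_after": datetime(2025, 7, 15, tzinfo=timezone.utc)},
    {"host": "www.example.com", "issuer_org": "Some Other CA",
     "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    print(certs_needing_replacement(SAMPLE_INVENTORY))  # ['portal.example.net']
```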