
Google has announced that Chrome will soon stop trusting new TLS certificates issued by Chunghwa Telecom and Netlock, citing repeated compliance failures and erosion of trust.
This change, rolling out in Chrome 139 and later starting August 1, 2025, aims to safeguard users from the risks posed by certificate authorities (CAs) that no longer meet security and transparency expectations.
The Chrome Root Program, part of Google’s broader efforts to improve internet security, has been closely monitoring Chunghwa Telecom and Netlock over the past year. According to the Chrome Security Team, both CAs have exhibited patterns of concerning behavior, including failure to meet public commitments for improvement, insufficient responses to disclosed incidents, and lack of measurable progress. As a result, Google concluded that the risk of continuing to trust these authorities outweighs any benefit to Chrome users.
Chunghwa Telecom, a major Taiwanese telecom operator, offers a range of communication services, including the ePKI certification service. Netlock, based in Hungary, is a leading regional provider of digital certification services, including the Arany (Gold) Class root CA. Both companies have historically been part of the public key infrastructure (PKI) that secures encrypted web traffic. However, under the Chrome Root Program Policy, trust is conditional, not permanent, and hinges on ongoing compliance with industry standards, particularly the CA/Browser Forum’s Baseline Requirements.
Starting with Chrome 139, TLS certificates chaining to these roots with Signed Certificate Timestamps (SCTs) dated after July 31, 2025, will no longer be accepted by default. This change affects the following root certificates:
- ePKI Root Certification Authority (Chunghwa Telecom)
- HiPKI Root CA – G1 (Chunghwa Telecom)
- NetLock Arany (Class Gold) Főtanúsítvány (Netlock)
Older certificates (with SCTs before August 1) will remain trusted, and enterprises can explicitly override the block by adding local trust anchors, such as via Windows Group Policy. This phased approach mirrors Google’s earlier actions against Entrust and AffirmTrust last year, when it similarly withdrew default trust after persistent CA-level failures.
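The SCT cutoff described above can be checked mechanically. The following is an added example, not code from Google or from this article: it parses the timestamps out of a certificate's embedded SCT list (the RFC 6962 TLS-encoded payload, with the DER wrappers already removed) and applies the rule. It assumes the earliest SCT is the one compared against the cutoff, matches roots by the names listed above rather than by certificate identity, and uses constructed sample data from the hypothetical helper `make_sct_list`.

```python
import struct
from datetime import datetime, timezone

# Root names copied from the article; matching by name is a simplification.
AFFECTED_ROOTS = {
    "ePKI Root Certification Authority",
    "HiPKI Root CA – G1",
    "NetLock Arany (Class Gold) Főtanúsítvány",
}
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)  # last trusted instant

def sct_timestamps(sct_list: bytes) -> list:
    """Return the timestamps in an RFC 6962 SignedCertificateTimestampList."""
    if len(sct_list) < 2 or struct.unpack_from(">H", sct_list)[0] != len(sct_list) - 2:
        raise ValueError("bad SCT list length")
    stamps, pos = [], 2
    while pos < len(sct_list):
        n = int.from_bytes(sct_list[pos : pos + 2], "big")  # per-SCT length prefix
        sct = sct_list[pos + 2 : pos + 2 + n]
        if len(sct) != n or n < 41 or sct[0] != 0:  # 41 = version + log ID + timestamp
            raise ValueError("truncated or non-v1 SCT")
        (ms,) = struct.unpack_from(">Q", sct, 33)  # skip version (1) + log ID (32)
        stamps.append(datetime.fromtimestamp(ms // 1000, tz=timezone.utc))
        pos += 2 + n
    if not stamps:
        raise ValueError("empty SCT list")
    return stamps

def chrome_verdict(root_name: str, sct_list: bytes, local_anchor: bool = False) -> str:
    """Apply the article's rule; comparing the EARLIEST SCT is an assumption."""
    if root_name not in AFFECTED_ROOTS:
        return "unaffected"
    if local_anchor:  # enterprise installed the root as a local trust anchor
        return "trusted: local override"
    earliest = min(sct_timestamps(sct_list))
    return "distrusted" if earliest > CUTOFF else "trusted: migrate before renewal"

def make_sct_list(*whens: datetime) -> bytes:
    """Constructed sample data: zeroed log IDs and dummy signatures."""
    out = b""
    for when in whens:
        body = b"\x00" + bytes(32) + struct.pack(">Q", int(when.timestamp()) * 1000)
        body += b"\x00\x00" + b"\x04\x03" + struct.pack(">H", 2) + b"\xaa\xbb"
        out += struct.pack(">H", len(body)) + body
    return struct.pack(">H", len(out)) + out

if __name__ == "__main__":
    aug = make_sct_list(datetime(2025, 8, 2, tzinfo=timezone.utc))
    print(chrome_verdict("ePKI Root Certification Authority", aug))
```

A certificate that comes back as "trusted: migrate before renewal" keeps working until it expires, but its replacement will carry post-cutoff SCTs and fail.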
Chrome’s decision follows a series of tightening measures aimed at shoring up the integrity of HTTPS, including the March 2025 enforcement of Multi-Perspective Issuance Corroboration (MPIC) and mandatory certificate linting, as part of Google’s “Moving Forward, Together” roadmap. These changes are designed to address longstanding weaknesses in certificate issuance processes and prepare the ecosystem for emerging challenges like quantum-era cryptography.
For website operators, the impact is direct and time-sensitive: if your site currently relies on Chunghwa Telecom or Netlock for TLS certificates, you’ll need to migrate to a different, trusted CA before issuing or renewing certificates after July 31, 2025. Chrome provides a certificate viewer tool to check your site’s issuer details; if the “Issued By” organization field lists Chunghwa Telecom or Netlock, action is required.
Operators are strongly discouraged from simply reissuing a new certificate from these CAs before the cutoff date to buy time, as the eventual replacement will be unavoidable. Instead, transitioning early to another Chrome-trusted CA, such as DigiCert, Sectigo, or Let’s Encrypt, is the best course to avoid service disruptions. Administrators can test the upcoming block using command-line flags introduced in Chrome 128 to simulate the SCT-based distrust.
For enterprises running internal services, the Chrome Root Store constraints can be bypassed by installing the relevant root CA certificates locally as trusted roots, ensuring that private networks remain unaffected. This local override is available starting in Chrome 127.
End users, meanwhile, will encounter a full-page security warning if they attempt to access sites using newly issued Chunghwa Telecom or Netlock certificates after the cutoff unless they explicitly override the block, a risky move not recommended for most users.