Google to drop trust of Chunghwa and NetLock certificates from Chrome

Google said its Chrome browser will drop trust for certificates issued by two organizations it says have been lapsing in security.

As of August, the web and search giant said it will no longer trust certificates issued by certificate authorities Chunghwa Telecom and NetLock for failing to meet security and trust standards.

“Chrome's confidence in the reliability of Chunghwa Telecom and Netlock as CA Owners included in the Chrome Root Store has diminished due to patterns of concerning behavior observed over the past year,” Google said in announcing the move.

“These patterns represent a loss of integrity and fall short of expectations, eroding trust in these CA Owners as publicly-trusted certificate issuers trusted by default in Chrome.”

The move means that users will no longer be able to establish secured TLS connections on sites certified by both CA organizations by default. Users will have the option to continue to establish connections via an opt-in.

Google noted that administrators will also have the option to maintain trust for certificates via a Windows Group Policy Object setting.

The move is set to take effect on certificates with a timestamp dated after July 31, 2025, 11:59:59 PM UTC and will be in effect for Chrome versions 139 and later.

According to Google, the move comes after repeated failures by both organizations to meet Google’s requirements for trusted status, including public incidents and failures to meet compliance requirements. Google saidnetn that the China-based Chunghwa and the Hungary-based Netlock failed to perform basic measures such as revoking certificates that were being abused by known bad actors.

“Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports,” Google said in announcing the move.

“When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”

According to industry experts, the decision by Google is entirely justified in its decision, and the move could help underscore to other CA providers the importance of maintaining compliance and careful management of trusted certificates.

“Chunghwa Telecom and NetLock had multiple opportunities and plenty of time to address their compliance failures. Removing their root CA certificates from Chrome can disrupt the secure TLS communications with any host that uses certificates issued by those authorities,” said Thomas Richards, infrastructure security practice director at security provider Black Duck.

“The certificates used to secure communications with websites are built on trust; if an organization breaks that trust they should be removed as a trusted issuing authority.”