Google has announced a significant policy change that will impact website security across the internet. Starting August 2025, Chrome will no longer trust root certificates issued by Chunghwa Telecom and Netlock, two major certificate authorities that have failed to meet security standards despite repeated warnings. This decision affects millions of websites and highlights the tech giant’s commitment to maintaining robust web security standards.
Implementation Timeline and Technical Impact
The changes will take effect with the release of Google Chrome version 139, scheduled for August 1, 2025. Once implemented, users attempting to visit websites secured with certificates from these certificate authorities will encounter the familiar “Your connection is not private” warning message that typically indicates potential security risks.
Google’s decision stems from persistent operational failures, unfulfilled modernization commitments, and lack of meaningful progress from both organizations. Despite multiple incident notifications and opportunities for remediation, neither certificate authority has adequately addressed the security concerns raised by Google’s security team.
Understanding the Affected Certificate Authorities
Chunghwa Telecom’s Digital Certificate Operations
As Taiwan’s largest telecommunications provider, Chunghwa Telecom operates two significant public certificate authorities: ePKI and HiPKI. These services have been widely used across Taiwan and the broader Asia-Pacific region for securing web communications and enabling digital transactions. The company’s extensive infrastructure has made it a trusted partner for numerous government and commercial entities in the region.
Netlock’s European Certificate Services
Hungary-based Netlock has established itself as a prominent digital certification provider throughout Europe. The company’s Arany (Gold Class) root certificate authority has gained substantial market presence in Central and Eastern Europe, providing SSL/TLS certificates, digital signatures, and timestamping services to businesses and organizations across the region.
Immediate Actions Required for Website Owners
Organizations currently relying on certificates from these providers face urgent decisions. While Chrome users can still access affected websites by clicking through security warnings, this process creates significant friction that typically results in reduced user trust and lower conversion rates. Studies consistently show that security warnings deter a substantial percentage of visitors from proceeding to websites.
Google strongly recommends immediate migration to certificates issued by trusted certificate authorities included in the Chrome Root Store. For enterprise environments, organizations may temporarily mitigate the issue by installing the relevant root certificates as locally trusted on managed devices, though this approach requires careful consideration of ongoing security implications.
Broader Implications for Digital Certificate Ecosystem
This enforcement action represents Google’s increasingly stringent approach to certificate authority oversight. The company has made it clear that compromised integrity and suspicious behavior from certificate authorities will result in swift removal from trusted root stores, regardless of the provider’s size or market position.
The precedent established by this decision sends a powerful message throughout the digital certificate industry about the importance of maintaining rigorous security standards and responding promptly to identified vulnerabilities. Certificate authorities worldwide are likely reviewing their own practices to ensure compliance with evolving security requirements.
Organizations should proactively audit their current certificate infrastructure and develop migration strategies well before the August 2025 deadline. The transition period provides sufficient time for orderly certificate replacement, but early action will prevent potential service disruptions and maintain user confidence. This situation underscores the critical importance of partnering with certificate authorities that demonstrate consistent commitment to security excellence and regulatory compliance.
