Google cuts trust in Chunghwa Telecom's certificates: What's at stake for internet security chain?

Chong Jing, Taipei; Levi Li, DIGITIMES Asia

Google's decision to remove default trust for digital certificates issued by Chunghwa Telecom starting July 31, 2025, has ignited global debate over certificate authority (CA) governance and digital trust mechanisms. The move places Taiwan's CA ecosystem under heightened international scrutiny.

Chunghwa Telecom claims it has "completed procedural adjustments" and that its certificates remain technically sound. However, Google cited "longstanding patterns of compliance failures," "unmet improvement commitments," and "absence of tangible, measurable progress," exposing a fundamental divide between the two parties' interpretation of trust and accountability.

Chunghwa Telecom first came under fire in 2024 when Mozilla Firefox considered delisting it as a trusted CA. With Chrome now officially revoking default trust, the company faces renewed international attention. This article explores how digital certificates function, why browsers can unilaterally delist a CA, and how Chunghwa Telecom's compliance record fits into the broader trust ecosystem.

Digital certificates: The foundation of online trust

Digital certificates are used to verify identity online. Each certificate binds a public key to the verified identity of a website, person, or organization, and is issued by a trusted CA; the browser uses that key to authenticate the site when setting up an encrypted connection. When users see a padlock icon in their browser, it signals a valid certificate and a secure, encrypted connection.

CAs like Chunghwa Telecom issue digital certificates that browsers trust by default, but only if the CA complies with the Baseline Requirements (BR) set by the CA/Browser Forum. Meeting these standards allows inclusion in the browser's root certificate store. If a CA is removed from that store, all certificates from that CA are distrusted, triggering "Not Secure" warnings in browsers, disrupting website access, and exposing users to potential risks. For businesses, the fallout may include reputational damage, SEO decline, and operational disruption.

Credit: DIGITIMES

Chrome's strict policy: Lessons from fallen certificate authorities

Chrome, the world's most-used browser, maintains strict policies for CAs in its root store. If a CA exhibits recurring issues—like procedural lapses or delayed responses to compliance violations—Chrome may revoke default trust, even in the absence of direct technical vulnerabilities.

Several major CAs have previously been delisted. Symantec lost its certificate business after Chrome revoked trust over widespread misissuance, ultimately selling its CA operations to DigiCert. Chinese CAs like WoSign and StartCom, along with CNNIC, were also removed for repeated violations, demonstrating that even prominent CAs can be excluded if they fail to uphold industry standards.

Chunghwa's damage control efforts

Chunghwa Telecom issued a four-point statement claiming its certificates remain legally valid, technically sound, and certified under WebTrust and ISO standards. However, Chrome's delisting reflects ongoing compliance failures and unmet remediation promises, signaling a deeper breakdown in trust.

TechJury, citing StatCounter, reports Chrome held over 66% global market share in 2025, with Taiwan nearing 60%. Chunghwa noted that only Chrome users are affected, as Edge and Safari still trust its certificates, but this holds little weight given Chrome's market dominance.

Experts warn that inconsistent browser trust undermines user confidence and fragments the certificate ecosystem. Chunghwa's focus on non-Chrome trust offers little reassurance when Chrome remains critical to user experience and web access.

Chunghwa claimed government, finance, and legal sectors are unaffected. Yet many rely on Chrome-based platforms, where repeated warnings could erode trust, harm brand reputation, and disrupt user workflows—issues the company did not address.

On June 3, 2025, Chunghwa further clarified that the delisting was due to missed policy deadlines, not certificate flaws or key leaks. It will suspend TLS certificate issuance from August 1, 2025, with existing certificates remaining valid for one year. The company has promised free renewals and client outreach, moves unlikely to shift perception in the browser ecosystem.

Chunghwa reaffirmed its goal to regain Chrome's default trust for TLS certificates by March 2026 and pledged continued improvements in certificate operations.

Warning fatigue and emerging security risks

Security experts warn that Chrome's distrust may desensitize users to browser alerts. As warning fatigue builds, users could start ignoring genuine security warnings, making them more vulnerable to threats like man-in-the-middle (MITM) attacks, where attackers intercept or manipulate communications.

Inconsistent trust decisions across browsers create confusion for users. When one browser blocks a site while others don't, it undermines clarity around digital safety, per Economic Daily News. This ambiguity weakens the certificate's role as a trust anchor and may inadvertently open the door to more sophisticated attacks.

A pattern of compliance troubles

This is not Chunghwa Telecom's first compliance issue. In 2024, Mozilla considered delisting the company after an incident involving its Government TLS Certification Authority (GTLSCA), which Chunghwa operates. A misconfiguration of Extended Key Usage (EKU) affected more than 6,450 certificates, according to Bugzilla entry 1887096.

The problem stemmed from a misinterpretation of BR v2.0.0. Since the issue involved multiple government agencies, GTLSCA was unable to revoke all affected certificates within the five-day window required by CA/B Forum rules, raising concerns within the Mozilla community. Although remediation was completed by late April 2024, the delay highlighted serious process shortcomings.

Chunghwa now says it aims to regain Chrome's default trust by March 2026. But this incident is not isolated—it highlights deeper trust challenges in the global CA landscape. As cyber threats intensify, browsers are demanding higher accountability from CAs. Chunghwa's path back to trust will hinge on transparency and its ability to regain credibility in the international security community.

Article edited by Jerry Chen