Control Yuan urges MODA and Chunghwa Telecom to improve after Chrome distrusts certificates
Google Chrome's decision to distrust Chunghwa Telecom's TLS certificates after July 2025 has led the Control Yuan to criticize the Ministry of Digital Affairs and Chunghwa Telecom for poor risk management and oversight.
Published: April 14, 2026 at 19:08
(Central News Agency reporter Kao Hua-chien, Taipei 14th) Google Chrome no longer trusts by default new TLS website certificates issued by Chunghwa Telecom after July 31, 2025, which has sparked concern. The Control Yuan stated that although the Ministry of Digital Affairs (MODA) took remedial measures afterwards, its risk awareness, regulatory strength, and system design still need review. Chunghwa Telecom also needs to improve its certificate management and compliance operations.
Control Yuan members Lai Ting-ming and Yeh Yi-chin stated through a press release today that in May 2025 (Year 114 of the Republic of China), news broke that certificates from the Government TLS Certificate Authority (GTLSCA) operated by Chunghwa Telecom would be distrusted by Google Chrome. The scope of impact covers government websites, public service portals, and related digital applications, which could block citizens' connections or misidentify sites as unsafe, striking a blow to the foundation of trust in government digital services.
The Control Yuan members said that although MODA subsequently promoted a dual-certificate mechanism for government websites, completed comprehensive certificate replacement, and utilized contractual penalties and manpower adjustments for remediation, there remains a need for review and improvement in risk awareness, regulatory intensity, and system design.
The members pointed out that the cause of this case was that Chunghwa Telecom's GTLSCA experienced multiple successive violations of the international Baseline Requirements (BR) during 2024 (Year 113), including major deficiencies such as certificate formatting errors and failure to revoke certificates within prescribed time limits. This involved thousands to tens of thousands of certificates, indicating that its internal control and compliance mechanisms are still inadequate.
The members emphasized that MODA is the competent authority for the Government Public Key Infrastructure (GPKI) and is responsible for coordinating Taiwan's information industry promotion and cybersecurity policies. Although it managed the system through external audits, operational reports, and contractual mechanisms, it failed to strengthen supervision in a timely manner or to demand the establishment of effective inspection and response mechanisms when signs of violations appeared in the first half of 2024. It also lacked full awareness of the severity of violating certificate revocation time limits, leading to an accumulation of risk.
The members added that when MODA later explained the situation to the public, it framed the relevant responsibilities as part of the outsourced contractual relationship, which was significantly at odds with its role as the competent authority for information industry promotion and cybersecurity, and that this should be reviewed and improved.
The members pointed out that current certificate inspections and external audits are mostly periodic or retrospective checks, which do not keep pace with the international certificate system's trend toward real-time automated verification, and that no mechanism for authorizing and responding to large-scale certificate revocation was established in advance. In addition, the government certificate and digital trust system already has the characteristics of cross-agency critical infrastructure, yet it has not been incorporated into the relevant security protection architecture for critical information infrastructure. Aspects such as risk identification, system dependencies, and business continuity still need to be reviewed and strengthened. (Editor: Yang Lan-hsuan) 1150414
Choose to stand with facts. Every sponsorship of yours is a force to protect press freedom.
Download the Central News Agency "First-hand News" APP to immediately grasp the latest news.
The text, images, and audio/video on this website may not be reproduced, publicly broadcast, publicly transmitted, or utilized without authorization.