Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Android Security

On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021 (letsencrypt.org) 45

This year Let's Encrypt announced that it's issued a billion certificates, and it's been estimated they've made certs for almost 30% of web domains. But Friday they posted that "The DST Root X3 root certificate that we relied on to get us off the ground is going to expire — on September 1, 2021. Fortunately, we're ready to stand on our own, and rely solely on our own root certificate."

"However, this does introduce some compatibility woes." Some software that hasn't been updated since 2016 (approximately when our root was accepted to many root programs) still doesn't trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let's Encrypt.

Android has a long-standing and well known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there's an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that's not worth the effort. The result is bad for the people who buy these devices: many are stuck on operating systems that are years out of date.

Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.

Let's Encrypt engineer Jacob Hoffman-Andrews explains that "In the time between now and September 29 we plan to start serving certificates with the 'alternate' link relation 186 to allow Automatic Certificate Management Environment (ACME) clients to programmatically select a chain they prefer." But Friday's blog post explains that won't solve everything: There will be site owners that receive complaints from users and we are empathetic to that being not ideal. We're working hard to alert site owners so you can plan and prepare. We encourage site owners to deploy a temporary fix (switching to the alternate certificate chain) to keep your site working while you evaluate what you need for a long-term solution: whether you need to run a banner asking your Android users on older OSes to install Firefox, stop supporting older Android versions, drop back to HTTP for older Android versions, or switch to a CA that is installed on those older versions.
Gizmodo notes that Firefox will be unaffected "since it relies on its own certificate store that includes Let's Encrypt's root, though that wouldn't keep applications from breaking or ensure functionality beyond your browser." They describe Let's Encrypt as "the Mozilla-partnered nonprofit," and offers this succinct summary of the problem.

"One of the world's top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021."
This discussion has been archived. No new comments can be posted.

On Older Versions of Android, Many Let's Encrypt-Secured Sites May Stop Working in 2021

Comments Filter:
  • The security upgrades forces you to have a new phone about every 2 years to stay on track.

    It's the cost of living and it renders old working phones less useful over time.

    The other factor that kills old working phones are the batteries that can't be replaced.

    • And that's actually a crime, even if nobody sues.

      It is illegal to design a device so that it has pre-determined failure points.
      Or is that different in the US?

      (Ok, as I said below, on phones, you just add the new certs in there, and be done with it. I's crazy that on /., apparently nobody has ever seen that, let alone maintains their own CA...)

    • by Dutch Gun ( 899105 ) on Sunday November 08, 2020 @01:25PM (#60699824)

      Two years is ridiculously short, especially for mid to high-end phones. We should really be demanding better than that.

      You could buy an iPhone, which typically has support for least 4 years, and likely more than that for newer phones. Google promises at least 3 for their Pixel (I just bought a 4a to replace my old phone). And unless you are a *very* heavy user, a typical battery won't be that bad even after two years. There's also the option of cases with supplemental battery packs.

      I'm hopeful my new phone will last at least 4 years. My last phone lasted over six years, although most people wouldn't have put up with such short battery life. It didn't bother me because I typically have a place to keep it topped off, and because I'm a fairly light user.

    • Still getting OS updates for my iPhone 6 plus which was manufactured in 2014. Why can't Android manage that?

      • by luvirini ( 753157 ) on Sunday November 08, 2020 @02:09PM (#60699964)

        Because the money for the manufacturer comes in a different way for Android than iOS

        Basically on Android the manufacturer gets only money when you buy a phone. There are no continued money coming to them. This is a big reason why the bigger such(like Samsung) try hard to get you to use their services hoping you will give some continued money to them.

        Thus the Android manufactures have an incentive to make the life as short as they can get away with so they can sell you a new phone.

        On iOS, Apple gets the start money as Android manufacturers (though larger % as they make more of the parts themselves). But then many users also pay them for services, things like iCloud storage, music, downloads from app store and so on. These things have generally even better margins.

        Thus Apple has an incentive to keep as many as possible of the devices in use to have more customers use their services.

        • Thus the Android manufactures have an incentive to make the life as short as they can get away with so they can sell you a new phone.

          That's very short-sighted, if customers are happy about their phones, it's more likely their acquaintances will get one, and the inverse is true as well. Crap phones that need to be replaced quickly don't make money in the long run.

          • Except that most people do not seem to care. As Apple fell to third worldwide at some point.

            Most people seem to care more about what they get for what price today and not the long term.

            Yes, there is a market for what Apple provides in terms of longevity, but it does not seem to resonate with many people overall.

            • Most people seem to care more about what they get for what price today and not the long term.

              What's "long term" in the smartphone market. Right now the hardware is still evolving at an exponential rate, a five year old phone is hopelessly out of date WRT CPU, memory, etc.

              • Out of date yes, but still useful.

                My iPhone 6s plus is still working fine and fully functional, it came out in 2015.

                Sure, it cannot play the most fancy games, but it still works fine as a phone, for browsing the net, for instant messaging, most games and so on. So as I do not need to play 3d games on my phone there is very little that I miss from a newer phone.

                Sp definitely not hopelessly out of date for usability.

                Also it supports the newest version of iOS. Thus it has all the usability updates and securit

      • by Anonymous Coward

        Still getting OS updates for my iPhone 6 plus which was manufactured in 2014. Why can't Android manage that?

        Apples and Oranges.

        A) Apple makes updates to iOS
        B) Apple controls the auto-update process
        C) Apple chooses what updates to push to what devices.

        For Android those are

        A) Google makes updates to Android
        B) One of a large number of different companies control the auto-update process
        C) Based on B, only that one company chooses to push updates or not.

        iPhones get updates because Apple owns iOS in all situations.
        Android is licensed and sold. Google is no longer in control.

        Ever get pissed off when Microsoft overrides

      • The hardware can manage it. I'm still running my Oneplus 3T with an Android 10 custom ROM after having tested (and immediately returned) a few modern phones (including the Pixel 5 and Oneplus Nord) and decided that the difference in performance and features isn't worth the cost of the upgrade yet.

        The problem is that the manufacturers don't have any incentive to make this happen with long-term software updates. Basically, if you wanted to do this without playing with custom ROMs, you'd be stuck on Android 9

    • One of the many problems with this model is that it destroys the used phone market. One, for sellers, as they can no longer sell their now-crippled used phone, and two, for consumers, for whom a new phone every two years is as difficult to budget as a new car every two years would be.

  • Spend all of this time designing your system to prevent HTTP downgrade with HSTS config and preload list. Then someone says potentially 30% of your customers might not be able to access your site if you don't enable HTTP.... The industry really need to fix abandonware both in the sense of not supporting reasonably recent systems, but also not supporting reasonably older hardware. If the hardware is good enough for someone to keep using, it should be supported in a way that the typical end user can easily up
    • Yeah, guess what happens when the cert expires? "Some of our clients complain that our site is broken - they get an error when they try to open it". At least there is a somewhat-OK solution for this - buy a proper certificate.

      Because there is no way I'll be able to say "tell them to buy new phones".

      The "security"" argument may fly for a site that handles personal data and such. If the site is just to advertise the company (contact information, products etc - all accessible without a password), then the argu

      • Uum a proper certificate is one that expires too. If only to put a limit to how long somebody can exploit a leaked key or something.

        And it's ridiculous anyway. Any Android phone allows you to add you own certificates. I've made my own CA, and treat any other CAs as untrusted, because they de-facto are. (Have I ever met any of their employees? No! I don't even know where they sit, let alone their views on my views!)
        Android happily accepts my site-altering proxy for Google, MS & co. (I'm my own MITM. Get

        • Sure, you can do that. I could do that. Probably most of /. readers could do that.

          Random people who just want to visit some site to know that products a company sells or what the business address is would not be able to do that. They would not care if this was http or https, but if they see a huge "security warning, people may see your data" message, they will just go to the site of some other company.

          By "proper certificate" I meant one that you have to pay for. Usually the root certificates for those last

          • Yeah, you aren't quite understanding whats going on here...

            The root certificate that LetsEncrypts own issuing certificate was originally signed by, DST Root X3 owned by IdenTrust, is expiring - this root certificate has been around for ages and is now up for renewal (LetsEncrypt have been using it since 2015, as a bootstrap until they got their own root cert trusted). This also affects any other "proper certificates" that IdentTrust signed with DST Root X3.

            LetsEncrypt has its own root certificate these day

  • In 2021, users of old Android devices will need to install Firefox or more websites will stop working.

    This isn't really out of the ordinary. I have an old Android tablet and half the internet doesn't load on it because of certificate issues. Frankly it's the best argument against HTTPS everywhere: HTTP works forever on anything, HTTPS effectively rots.

    • Uuum, not everything is the web, kids!

      What do you think your apps use in the background? You think WhatsApp uses HTTPs and Firefox?
      (OK, given the current plague of WhatWG insanity, it might... I haven't checked lately.)

    • Comment removed based on user account deletion
  • And they have been for years. Marshmallow is also still very popular. Murdering millions of phones over a certificate issue is highly environmentally irresponsible, it also affects older and poorer users, who are more likely to use older versions. This is in addition to phones being disabled due to not supporting 4g and TLS 1.2.
    • by xack ( 5304745 )
      Hopefully Google can at least update Chrome for this issue but Chrome only supports Android 5 and up now so older versions including kitkat are out in the cold.
  • Finally, I have a reason to upgrade my phone.
  • Every Android I know of allows you to add your own certificates. Add any missing ones and be done with it.
    It may warn you, but it works.

    Besides, don't browsers have their own certificate stores? At least for Firefox it might be even easier to fix.

    • That's only a solution for people that both run outdated software and know what they are doing. The vast majority of people have no idea what a certificate even is, and when they see websites not working all over the place, as well as whatever breaks (email, apps) will decide they need a new phone.
    • don't browsers have their own certificate stores

      This isn't just about browsers. It's about apps.

    • I was going to say this. The system certificate store is modifyable (as it should be).
      It's not ideal because certainly users shouldn't need to install root certificates manually (because they might install a cert from a bad actor)...But at least, contrary to what the headline seems to imply, the problem can be fixed.
      I don't know if any other browsers have their own certificate stores. For most apps It'd make sense to just use the system one. Firefox doesn't (or maybe they do now but didn't use to) use th
      • You mentioned, but glossed over, the glaring problem with this approach.

        We have enough people who get tripped up by social engineering already. I would argue we don't want to start telling people it's okay to start manually adding certificates to their devices. It's not like the average person has the wherewithal to determine Let's Encrypt is "good" while Bob's Trustable CertStore is "bad".

        • Yeah, you're right. Is not a good solution for the majority of the public. My point was that the problem is actually fixable but yeah, the solution is not a very good one
  • by nuckfuts ( 690967 ) on Sunday November 08, 2020 @01:52PM (#60699918)
    that Google hasn't come out with their own provider for free SSL certificates to compete with Let's Encrypt, since they seem to want to be in charge of everything we do the web.
    • since they seem to want to be in charge of everything we do the web

      What's that tell you about your perception of them?

      See they don't want to be in charge of everything you do on the web. They want to be in charge of anything they can directly monetise. There's a big difference. There is precisely zero reason for them to do this because their goal is far more refined than you give them credit for.

    • There's supposed to be an apostrophe. It's a contraction of 'let us'.

      • Yeah, you're right, I realized that later, but there's just something funny about how that headline is written that mislead me. I think it's because "Let's Encrypt" is a title/name, but if you break it out, "Let Us Encrypt" seems a bit clumsy. So the apostrophe just makes it look weird. To me, at least.
  • by Munchr ( 786041 ) on Sunday November 08, 2020 @02:41PM (#60700076)
    I suspect Chrome will have finished transitioning to the Chrome Root Program by Sept. of 2021. I don't think this will have as large of an impact as Let's Encrypt seem to think it will. Certainly anything left relying on the Android certificate store will be affected, but anyone using Chrome or any app using the embedded chrome browser should continue to operate normally.
    • I came here to say the same thing. This is the solution.

      If you have an app that uses the Android kit to talk to your own servers you should probably have your own CA anyway.

  • Why is a browser relying on the OS certificate store? Can't the Android 7 users just install Firefox? If Firefox is looking at the OS certificate store I think something is wrong.

    • by Munchr ( 786041 )
      That's the point in the articles linked - Firefox won't be affected, since it uses it's own store. Current versions of Chrome are/will be affected, since they use the OS store. Future versions of Chrome will NOT be affected, since Google is changing Chrome to use it's own internal store in a future build on all OS's except for iOS. (Possibly due to Apples restrictions 3rd party web browsers?).
      • That's not accurate. The actual point is that Let's Encrypt's own root certificate - ISRG Root X1 - has been included in Android's "trusted" list since 7.1.1. Older versions of Android rely on the cross-signed certificate Let's Encrypt set up with another provider (IdenTrust), and that certificate expires next September and it's not going to be renewed.

    • by nyet ( 19118 )

      How does that help for TLS connections that aren't initiated by the browser?

  • by couchslug ( 175151 ) on Sunday November 08, 2020 @06:41PM (#60700846)

    The ARM hardware ecosystem is the root problem. It promotes fragmentation and interferes with security. Since the US cannot do anything about that perhaps the EU should consider regulations for ubiquitous systems in the name of security and reducing e-waste.
    It should be as easy to flash a phone with a replacement FOSS OS as it is to load a PC with Linux.
    Businesses cannot be trusted to care for public good because while being immensely productive capitalism is inherently amoral. Morality can only be "added" to capitalist systems by law.

Algebraic symbols are used when you do not know what you are talking about. -- Philippe Schnoebelen

Working...