Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs

Let's Encrypt, a Certificate Authority (CA) that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. Let's Encrypt launched four years ago to make it easier to set up a secure website. To jumpstart its trust relationship with …

  1. Anonymous Coward

    Counter intuitive?

    "With more than 2.5bn active Android users, the impact will be noticeable, though not too much so – those aging Android devices account for only about one to five per cent of internet traffic, apparently."

    Wow, cell phone users using cell phones for phone calls only. Why, they're still in the Neolithic phone age!

    1. Maelstorm Bronze badge

      Re: Counter intuitive?

      Don't forget text messaging. I like to play games on mine. I use the Google Voice Assistant quite a bit to look things up.

    2. This post has been deleted by its author

    3. Claverhouse

      Re: Counter intuitive?

      I have desktop computers: I don't need to look at a tiny screen...

    4. Anonymous Tribble

      Re: Counter intuitive?

      I've got one I don't even use for phone calls or text messages.

    5. Richard Jones 1

      Re: Counter intuitive?

      My 4-year-old mobile is hardly ever used to access anything on the web, why would I do so? A small screen that is usually overrun by crap adverts if I ever make the mistake of clicking on any sort of link. I use a few apps, but voice calling is subject to two problems, crap reception at home - 'please use my landline' and the difficulty of actually getting it to answer if I am not using a Bluetooth headset. It is OK for a few Google applications and for texts. Interactive voice calling generally defeats its capabilities.

    6. ibmalone

      Re: Counter intuitive?

      Wow, cell phone users using cell phones for phone calls only. Why, they're still in the Neolithic phone age!

      Well, a few things to draw from this, it doesn't mean there are users of older android devices only using them for phone calls; for all we know from this 100% of those in service are still surfing the web. Second, these are smart phones, so it's not "cell phones for phone calls only", if you want to do that then you would be much better off without a smart phone, so it's likely the people on them are using them because they want those features.

  2. Anonymous South African Coward Silver badge

    I do watch the odd youtube clip, use whatsapp and telegram, play the odd game and use firefox the most on mine.

    It is not feasible for world+dog to buy new androids just to renew their certs.

    Why can't Google do an OTA for most devices?

    1. DavidRa

      Support old devices? What are you, a socialist or something?

      Because if they support older devices, people who won't purchase new devices won't purchase any new devices and they might miss out on ten cents of advertising revenue. This is horrifically bad, because that ten cents of revenue might mean that the shareholders would need to spend 10c of their OWN MONEY for the 600-foot power yacht.

      And apparently we can't have that.

    2. AlanB

      Many of them will have been customised by phone manufacturers and/or network providers, rather than using stock Google versions, so a Google provided update wouldn't necessarily apply.

      1. Warm Braw

        You would have thought that adding a certificate should do it.

        I've just checked a phone I use from time to time owing to its compact form factor that runs Android 4.0.4. It lets you add a certificate (from internal storage) to the user certificate store. You'd think that would be enough, but obviously Let's Encrypt isn't going to be making a fuss about nothing.

        Further investigation suggests that up to and including Android 6.0, certificates from the user store are by default also available to apps, but from that point on, they're not unless the app is built to allow user certificates.

        I'd have thought there are lots of cases where people will have custom security configurations that require their own root certificates. Are browsers deliberately preventing use of the user certificate store?

        What am I missing in this picture?

        1. Milamber

          Re: You would have thought that adding a certificate should do it.

          Yeah, you can just download and manually install the cert. Did it on my Android 6 device after reading this article.

          https://letsencrypt.org/certificates/

          1. diodesign (Written by Reg staff) Silver badge

            Manual install

            Thanks -- added that to the piece. We'll also see if it's possible for Chrome to include the necessary certs, too.

            C.

          2. eionmac

            Re: You would have thought that adding a certificate should do it.

            How to do this manual install? Explain please to the non technical.

            1. Michael Wojcik Silver badge

              Re: You would have thought that adding a certificate should do it.

              This will probably vary by device and Android version, inconsistency being the quintessence of the Android experience. But here's what I did:

              1. Using Chrome on the phone, went to the LE certificates page.

              2. There I used the appropriate links to download the ISRG X1 and X2 root certs in PEM format. I don't know what formats Android will accept, but PEM is the only sensible format for certificates and no one should ever use anything else, so that's what I always try first.

              3. This gave me two checkmark links in the phone's status line. I dropped down the system menu and clicked the checkmark next to the first one. That prompted for authentication (phone password or whatever you have configured); then it prompted me for a name for the certificate - I used "Let's Encrypt ISRG Root X1". Then it was installed.

              4. Repeat for the X2 root cert, for future-proofing.

              5. Afterward, you can go into Settings, search for "certificate", click on View Security Certificates (or something similar - on my phone it's under Security > Advanced, but you never know with Android). Then look at your User certificates and they should appear there.

      2. Brewster's Angle Grinder Silver badge

        But Google are still supplying the latest version of Chrome to my Android 6 device. Can't they at least include the certificate with Chrome?

    3. Dinanziame Silver badge

      Android is far more customized by phone manufacturers than you would think. They literally do a separate fork of Android for every single phone model. Every nifty feature like edge touch or foldable screen or having three separate cameras, the manufacturer needs to modify the code. So Google cannot just send an update; they can only provide a patch to manufacturers, and those need to apply the patch to all of their forks. Which is, as noted, not exactly in their interest, since they make money by selling new phones, not by maintaining older ones.

      Google has been trying to regain control by putting more and more features away from Android into the Google Play services; though that inevitably raises the problem of them having a monopoly control over Android phones.

      1. bigtimehustler

        What does any of this have to do with installing a certificate? You can just do that on any Android device. Problem solved; the information on how just needs to be made clearer.

  3. "Dead Eye"

    Mitigations?

    Should LetsEncrypt issue an Android app that will install the current CA certificate into the Android device's certificate store? The app would be authenticated by being in the official Play store and could be run either before or after the expiry of the old CA certificate.

    1. Ken Hagan Gold badge

      Re: Mitigations?

      Could websites detect the user-agent and suggest that the user upgrades to Firefox?

      1. MOH

        Re: Mitigations?

        "Best viewed in Internet Explorer 1.3"

      2. Disgusted Of Tunbridge Wells Silver badge

        Re: Mitigations?

        The SSL negotiation happens first, so the certificate would be rejected before the web server could do anything.

        The solution is for Google to push an update of Chrome for these devices containing this certificate.
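The following is an added illustration, written for this page and not code from the article or from any commenter, of the two technical points made above: Michael Wojcik's manual install of the ISRG roots into the device's user certificate store, and the observation that the certificate is checked during the TLS handshake, before any HTTP request (and so any User-Agent header) reaches the web server. Go's crypto/x509 verifier stands in for the Android TLS stack; the roots, the hostname example.test and the "Constructed ... Root" names are all minted here for the example and are not the real ISRG or DST keys. A leaf issued under the new root is checked against a trust store that only knows the old root, and then against the same store after the new root has been added.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// check keeps the example short: a failure to mint a certificate is fatal here.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert signs tmpl with issuerKey (or with the new key itself when issuerKey
// is nil, giving a self-signed root). All certificates here are constructed.
func mintCert(tmpl, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if issuerKey == nil {
		issuerKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// Verify is the handshake step a TLS client performs before sending any HTTP:
// build a chain from the server's certificate to a root in its trust store.
func Verify(leaf *x509.Certificate, host string, trustStore ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, root := range trustStore {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// Result compares the two trust stores exercised by Scenario.
type Result struct {
	OldStoreAccepts     bool // store holding only the old root
	OldStoreUnknownRoot bool // and the failure is "no trusted root", not a name or date problem
	UpdatedStoreAccepts bool // same store after the new root is installed
}

// Scenario issues a site certificate under a new root, then checks it against a
// store that predates the root and against the same store with the root added.
func Scenario() Result {
	oldTmpl := rootTemplate("Constructed Old Root")
	oldRoot, _ := mintCert(oldTmpl, oldTmpl, nil)
	newTmpl := rootTemplate("Constructed New Root (stands in for ISRG Root X1)")
	newRoot, newKey := mintCert(newTmpl, newTmpl, nil)
	leaf, _ := mintCert(leafTemplate("example.test"), newRoot, newKey) // example.test: constructed hostname
	errOld := Verify(leaf, "example.test", oldRoot)
	errNew := Verify(leaf, "example.test", oldRoot, newRoot)
	var unknown x509.UnknownAuthorityError
	return Result{
		OldStoreAccepts:     errOld == nil,
		OldStoreUnknownRoot: errors.As(errOld, &unknown),
		UpdatedStoreAccepts: errNew == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The first verification fails with x509.UnknownAuthorityError, the condition an old browser turns into a certificate warning, and nothing about the request (including the User-Agent) has been sent at that point; adding the new root to the pool is the equivalent of the manual install, after which the same leaf verifies.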

      3. IGotOut Silver badge

        Re: Mitigations?

        "suggest that the user upgrades to Firefox?"

        Don't inflict the "New" Firefox on those poor souls.

    2. Roland6 Silver badge

      Re: Mitigations?

      Surely a certificate store update app is a standard part of Android, thus all that is necessary is a certificate update release as part of a Play services update.

      Okay some other method will be needed to support non-Play devices, but don't see why this is causing an issue - unless Google cut one too many corners on Android...

  4. Anonymous Coward

    What a fancy way of saying

    "Mozilla software does not integrate well with the host operating system and duplicates its functionality in parts".

    1. ThatOne Silver badge

      Re: What a fancy way of saying

      > "Mozilla software does not integrate well with the host operating system and duplicates its functionality in parts"

      That's why I use it actually. I never trusted Microsoft in Internet things (back when I was still using Windows), and definitely don't trust Android.

      Also, the self-contained aspect of Firefox allows faster reaction times when bugs are discovered or certificates need to be changed. Instead of depending on several, not necessarily very motivated entities, you have a single supplier who can react fast.

      See the certificate update issue for an example, and note it isn't the first certificate change old Androids missed: IIRC several compromised and now revoked certificates are still deemed valid in older phones and tablets.

      (I didn't downvote you BTW)

      1. Anonymous Coward

        Re: What a fancy way of saying

        That was what hindered Firefox adoption in companies when you need to be able to centrally manage things like company wide CA and certificates. And frankly, having to manage certificates in dozens of different certificate stores is a nightmare from a system administration perspective.

        Google was more cunning with Chrome and understood it needed it to get a foothold in business settings as well. Mozilla eventually added GPOs and other features to play nicer in business deployments.

        But really, the Google Play system can't update system certificates? I'm quite sure the day Google needs to update one of its certificates or ad revenues decrease, it will be able to update any certificate it needs.

  5. karlkarl Silver badge

    For Android 4.x you also need a fairly old version of Firefox. (They had breaking changes in the APK file at some point between 4-5).

    I am not so sure these older builds of Firefox provide the certificates either.

    To be fair, this is why this central certificates architecture is not great. I am very thankful that SSH doesn't use them in this way (it optionally can, but that is rare).

    But at the same time I can't even be bothered to rant about phone manufacturers not supporting their devices correctly because... phones bore me too much to even type about them.

    1. ThatOne Silver badge

      > For Android 4.x you also need a fairly old version of Firefox.

      On Android 4.4 the last version of Firefox is IIRC v.68. Which is actually not too old (2019 IIRC), and also the last version before the "Second Big Extensions Fiasco"... *sigh*

      They sure make it difficult to love them.

  6. mark l 2 Silver badge

    It's just a shame that the latest Firefox builds for Android are a bit poor. I used Firefox with uBlock Origin on my cheap Chinese Android streaming box to watch YouTube without the annoying ads, but after Firefox updated it not only made Firefox unstable, but when it crashed it would bring down the whole device, causing it to reboot. I am going to look for an APK for the older Firefox builds, as they worked fine before it updated, and it's only used for YouTube; no other web browsing is done from this device.

  7. Norman Nescio

    Sigh,

    I have a 'landfill' Android tablet stuck on Lollipop 5.1. No updates are available.

    I really wish generic Linux tablets had become a thing, but I guess there's no easy money to be made in such things.

    I should have got a PINE64 PINETAB when it was available.

    1. dajames

      I have a 'landfill' Android tablet stuck on Lollipop 5.1. No updates are available.

      I have a couple of tablets that were only supported by their manufacturers (Samsung and Asus) up to KitKat (4.4), but one of them (the Samsung) can run LineageOS 14 (aka Android 7), which has extended its useful life considerably.

      I object to having to buy new hardware just to get a supported OS, especially when the old hardware still works fine and the selection of new models available contains nothing I desire.

      My phone is an Android One model from Motorola running pretty-much stock Android, why can't I get a tablet that does the same?

      1. John 110

        darnit

        I just ran my monthly updates on my collection of ageing-but-still-useful tablets and I have a Hudl 1 and a lenovo yoga thingy both on 4.4.2 with no update route (I've not investigated custom roms yet). I'll be watching this...

    2. Claverhouse

      Actually, that PINETAB looks nice...

  8. Lorribot

    "We also wonder if Google could update Chrome on older Android devices to include the certs."

    Ha ha ha. Good luck with that one.

    This is all those new old devices; you can still buy many cheap Android devices with old versions on them. Around 35-40% of Android devices are on Nougat or earlier. So that is around 750 million to 1 billion devices that are affected; that's a lot of landfill.

  9. big_D

    No updates for 4 years...

    If they haven't had any updates in the last 4 years, they shouldn't be going anywhere near a network, let alone the Internet!

    1. EnviableOne

      Re: No updates for 4 years...

      Current version of Android is 11, been out since October.

      Version 7 was released in 2016, and is no longer supported by Google, so you can't blame OEMs here.

      I wouldn't be running anything below 7.1.1 in a corporate environment anyway (where Android for Work started).

      TBF, if it was an iThingy still running iOS 10, it'd be as insecure as an insecure thing now too.

      Even if you got it on the newest device, the iPhone 7 is on the chopping block on the next round anyway....

      1. DS999 Silver badge

        Re: No updates for 4 years...

        Who says the iPhone 7 is "on the chopping block on the next round"? Apple just issued another security update for iOS 12.4.x, so the iPhone 5S introduced back in 2013 is still current on security patches.

        Android 7.1.1 was released on December 5, 2016 - the comparison would be if there are no more 12.4.x patches then FOUR YEARS FROM NOW the iPhone 5S & iPhone 6 would be in a similar state.

      2. big_D

        Re: No updates for 4 years...

        Yes, this has nothing to do with Android explicitly, any device that hasn't received the current security updates is a danger to its owner and anything else on the same network.
