back to article An Internet of Trouble lies ahead as root certificates begin to expire en masse, warns security researcher

Expiring root certificates will cause devices like smart TVs and refrigerators to fail in the next few years, security researcher Scott Helme has warned. Secure internet connections depend on the server presenting a valid certificate to the client, the most common problem being that the server certificate is out of date, …

  1. Flywheel
    FAIL

    hopefully a response from the industry to start fixing stuff

    hopefully a response from the industry to start fixing stuff = BUY NEW STUFF.

    Unfortunately...

    1. Christopher Reeve's Horse

      Re: hopefully a response from the industry to start fixing stuff

      Yeah, likely to be way I suspect, but hopefully some good may come of it in the shape of consumer awareness and pressure?

      From a 'dumb' consumer perspective, the lack of software updates to things like Android phones and tablets is typically blind - the increased risk to un-patched vulnerabilities does not manifest itself in an meaningful way to most users. However, when services just stop working despite the hardware being perfectly ok, this is likely to cause anger and resentment. Enough anger to change manufacturer's behaviour?

      What this could represent is a longer term shift in how consumers think about warranties. Traditionally, once a warranty expires, the lifespan of the product comes down to a mix of how well you look after it and pure luck. Is there a future where products themselves purposely stop working once the warranty expires? Will price differentiation carry Apple indefinitely as their estate of supported models continues to increase? How long do we have until updates as a paid for subscription service become the norm?

      1. ThatOne Silver badge

        Re: hopefully a response from the industry to start fixing stuff

        > Enough anger to change manufacturer's behaviour?

        I'd say "not a chance".

        Already some manufacturers (as reported by El Reg) don't hesitate to kill perfectly working kit to force the users to update, and if they aren't afraid to do something as obviously malignant as that, why would they bother about some highly abstract problem which isn't even entirely their own fault? "Sorry, the root certificate has expired" is a perfectly valid explanation, which puts the fault to a faceless, abstract entity which for the end user is as intangible as fate.

        1. JimboSmith Silver badge

          Re: hopefully a response from the industry to start fixing stuff

          I'd say "not a chance".

          Already some manufacturers (as reported by El Reg) don't hesitate to kill perfectly working kit to force the users to update, and if they aren't afraid to do something as obviously malignant as that, why would they bother about some highly abstract problem which isn't even entirely their own fault?

          Belkin are doing just that with their Wemo NetCams at the end of this month.

          https://www.belkin.com/us/support-article?articleNum=316642

          There's no use for them after that except maybe as parts. Belkin killed off viewing via other means in a previous firmware update. The original end date was the end of last month which was pretty shitty timing. Given people might be in lockdown and using them for security at workplaces etc that sucks even more. Probably done it now to try and keep the news buried under Covid 19 related news.

          1. 1752
            Unhappy

            Re: hopefully a response from the industry to start fixing stuff

            Looking at the linked article;

            "Although the Wemo NetCam may still connect to your Wi-Fi, direct IP access to the video feed of the camera will not be available"

            Sad, so cloud or nothing.

            1. JimboSmith Silver badge

              Re: hopefully a response from the industry to start fixing stuff

              My friend who has a few of them asked me if I'd like to have a brick or two. He said that's what they'll be next month.

          2. Jamie Jones Silver badge

            Re: hopefully a response from the industry to start fixing stuff

            Thanks for that link - I've bookmarked it, and every time someone I know expresses interest in some "IoT" cloud product, I'll send it to them.

            There is no way that all use of this device should depend on some third party server.. I'm guessing the device connects to their server and you connect to the same server, to avoid NAT/firewall restrictions, but that shouldn't have anything to do with local use - local recording / local control over wifi from the app.

            Even the outgoing bit should be configurable in cases like this, so a third party, or somone who knows what they are doing could keep it working. I find it hard to believe that they can justify the hard coding of this, and the intentional bricking of a device.

            Belkin have been added to my shit list.

            1. John Smith 19 Gold badge
              Unhappy

              "Belkin have been added to my shit list."

              They've earned it.

              WTF is this "Oh you must connect to our remote server to enable this. BTW the certificate is expired so you can't, and you can't update it"

              F**k right off.

              Do not need, do not want.

        2. Peter X

          Re: hopefully a response from the industry to start fixing stuff

          There should be legislation that says if they stopping supporting a device, they are required to open-source the design and software so that the consumer can fix the problem themselves. Yeah, I know in practise most won't but it means that, say, a webcam that has been manufacturer obsoleted will at least have eBay value to someone who can manage to update it. Plus, the threat of having to do this might encourage manufacturers to actually update stuff.

      2. BenDwire Silver badge

        Re: hopefully a response from the industry to start fixing stuff

        How long do we have until updates as a paid for subscription service become the norm?

        This. IIRC BMW have already tried it for their infotainment systems, and Tesla seem to be doing something sinister when cars are sold on.

        1. Kane

          Re: hopefully a response from the industry to start fixing stuff

          "...and Tesla seem to be doing something sinister when cars are sold on."

          I'm not sure if that's a spelling mistake or not...

        2. whitepines

          Re: hopefully a response from the industry to start fixing stuff

          This. IIRC BMW have already tried it for their infotainment systems, and Tesla seem to be doing something sinister when cars are sold on.

          Which is why I will never even consider a Tesla, and if BMW really does that they'll be on my shit list too.

          So far VW seems to be somewhat reasonable, but I wonder how long that will hold out.

  2. john.jones.name
    Go

    start using DANE and CA if you must

    honestly yes many systems use a certification authority and its time to move on to a DNS based system where you can choose your CA (self signed or with a CA) it also nicely describes what legal system ( jurisdiction ) applies, .uk or .de

    https://tools.ietf.org/html/rfc7671

    easy to deploy today with your existing certificate with usefulness for SMTP and in the future HTTPS

    1. This post has been deleted by its author

    2. really_adf

      Re: start using DANE and CA if you must

      https://tools.ietf.org/html/rfc7671

      Doesn't this either just move the problem to DNSSEC, so you get the same issue due to https://www.icann.org/resources/pages/ksk-rollover, or (more likely) avoid it only because of absolute trust of wherever you get your DNS answers from? (Genuine question.)

      1. hoola Silver badge

        Re: start using DANE and CA if you must

        This doesn't change the situation that if a certificate, ticket of key is needed to connect to a central server the item is subject to the whims of the manufacturer in withdrawing support.

        All this does is further highlight the utter stupidity of all this "SMART" crap that is being churned out in the name of progress.

    3. Jamie Jones Silver badge

      Re: start using DANE and CA if you must

      For obvious reason, the CA's have been against DANE. Hopefully now we have "Let's Encrypt" giving free cerfiticates, their hostility will be reduced.

    4. Mike007 Bronze badge
      Boffin

      Whilst I would love to be able to use DANE, browser support is missing not because they haven't added support yet but because browser vendors have independently and for different reasons actively chosen not to support it.

      Without going in to all of the discussions on the issues with DANE in browsers, the problem we're meant to be talking about is the process of replacing root signing keys. DNSSEC has done this exactly once, which was delayed by 12 months due to the need to update client software. The amount of manual effort that went in means the theoretical automated key roll process is still pretty much untested and confidence that next time will work flawlessly is not great.

      The procedure for rolling the DNSSEC root key involves signing a new key with the old one and publishing in advance so clients can install the new key before it goes live. Once the new key is in production and everything is running smoothly they will then use the new key to sign a revocation of the old key, which again is published for a short period to let clients know to remove it. Once the rollover period is complete the root zone returns to being simply a normal zone signed with a normal key with no record that the old key ever even existed.

      The problem with rolling DNSSEC keys in this way is that even if everything works as smoothly and perfectly as it is theoretically designed to, those devices that were on a warehouse shelf during the rollover are now being shipped to customers with old keys and no way of securely updating them...

      Any attempt to get around this problem will likely either involve a new set of keys to sign the current root key (which needs all of the same problems to be solved for it!) or devices going and automatically installing completely unsigned keys sourced from the very network it doesn't trust in the first place... Might as well just disable validation, or save yourself the bulky TLS library and stick to plain old HTTP!

      1. zuckzuckgo Silver badge

        > "... devices that were on a warehouse shelf during the rollover are now being shipped to customers with old keys and no way of securely updating them..."

        But in that case the failure should be detected within the product warranty period so a full refund should be obtainable. In most cases, the burden of keeping warehouse products up to date would fall to the suppliers rather than the end user. There would still be a problem if the end user for some reason kept the product off-line for a year and missed the rollover.

  3. b0llchit Silver badge
    Facepalm

    Planned or accident

    One could argue that this problem is purely accidental because products are pushed out in the name of consumerism. On the other hand, consumerism has the dark side of planned obsolescence. The cynic may argue that the problem of "not updated" or "non updateable" gadgets is a long term plan to get sales up and going.

    We'll have to see if this all is stupidity or malice. Significant amounts of stupidity do look a lot like malice. Maybe I'm too much of a cynic to trust the gadget pushers...

    1. Bucky 2

      Re: Planned or accident

      My understanding is that the test is "known or should have known."

      When stupidity is indistinguishable from malice, it is malice.

    2. Tomato42

      Re: Planned or accident

      manufacturer doesn't care about device after 2 years, tops (and that only because EU forced them to care for so much)

      couple that with humans being very bad at handling future threats (just look at our handling of global warming—a civilisation as we know it ending event) and you have this result

      1. gnasher729 Silver badge

        Re: Planned or accident

        I think manufacturers may be in for a surprise. It’s one thing if a device breaks, it’s another thing if the manufacturer breaks it.

      2. ovation1357

        Re: Planned or accident

        That's often true but not completely fair. I've certainly had products where the manufacturer has continued to provide updates for a lot longer than 2 years.

        In the case of a friend of mine, he's got a fairly antique TomTom sat nav (yes! An actual, real sat nav device and not a smart phone like the rest of the world), which stopped working last year (or was it the year before? In forget!) when there was a GPS patch required. They provided and for free as well which was a pretty decent on a very old unit.

        With consumer goods I think a lot of the UK based offices keep a veritable museum of old devices because 'manufacturing defect' type clams coming in under the UK sale of goods act which allows consumers to claim for repair or replacement within 6 years of purchase. A 5 year old TV which dies due to an expired root CA could be argued to have a defect by not being shipped with trust in a suitably long CA and that could lead them to either release an update to fix or even to provide a replacement device.

        1. Missing Semicolon Silver badge
          Mushroom

          Re: Planned or accident

          Tom-Tom, another evil company.

          The older satnavs did indeed get a fix for the GPS week-rollover bug. However, that was delivered as part of the "sayonara, no more updates for you" message in the PC application.

          If you have an old copy of TomTom Home, it forcibly updates itself to the latest version, that removes all of the features except the firmware updater.

          No more map updates for your "lifetime" subscription.

          All this, allegedly, is because the SD card the device comes with (2Gb) is not big enough for the latest maps. Bigger ones are, of course, cheap as chips nowadays, but no. They have used it as an excuse to dump their old products.

          So, no more TomTom products for me!

        2. cipnt

          Re: Planned or accident

          Indeed, an expired CA authority certificate should fall under the UK and EU warranty laws for at least 5 years from date of purchase.

          But will breaking iPlayer or Prime Video on a smart tv amount to a defect?

          It sure would be nice to have laws that stipulate a minimum period of security updates too.

          Or open-source the firmware after x years so people can update it themselves.

        3. John Brown (no body) Silver badge

          Re: Planned or accident

          "yes! An actual, real sat nav device and not a smart phone like the rest of the world"

          Lots of people have proper satnavs. Having a single device trying to do multiple critical functions at the same time usually ends up with one of the functions taking over at the wrong time and can be far more distracting on the road than having separate things doing separate jobs. One device to rule all the apps is ok for occasional use, but not on a day to day, constant use pattern.

          1. ovation1357

            Re: Planned or accident

            I'm sure that's true but this friend is the only person I know who still uses a dedicated device in a car which doesn't already have a built-in sat nav (which is becoming increasingly common and probably yet another load of proprietary devices to become bricks when the manufacturer can't be bothered any more).

            I totally get the idea of a single device sometimes being better than a multifunction one but then I'm a bit of a cheap skate so I'm not going to buy a dedicated nav device when I've already got a smart phone which does incredibly good navigation worldwide with live traffic/hazard and roadworks updates on accurate maps (although I must say I'm very impressed with TomTom's lane diagrams at junctions, which Waze/Google Maps don't do).

            In the early days of having a smartphone all kinds of things went wrong when using it for navigation but these days it will happily play my music/podcasts whilst navigating and integrates well with my aftermarket Bluetooth kit for road alerts and phone calls

            So for me to buy another device for maybe £200 (which is more than my phone cost) plus extra costs for updates and international maps just isn't an attractive option. Especially as it's another thing I'll need to hide or take with me at the end of each journey in case some little weasel decides to smash a window and pinch it.. I generally don't forget the phone - it's either in my pocket or it's mounted in the car.

            So to each their own for now but I think the massive increase in smart phone use combined with all the new built-in solutions will eventually mean that dedicated units cease to exist

            1. Nick Ryan Silver badge

              Re: Planned or accident

              Most of the in-car sat nav devices built into cars are obsolete and out of date by the time the car leaves the production line. These are rarely, if ever, even given map updates leading to the almost humorour situation of being told to take the 2rd exit at the next roundabout in 50 yards while driving down a dual carriageway at 70 mph.

              1. John Brown (no body) Silver badge
                Thumb Up

                Re: Planned or accident

                This guy got that alert and didn't believe it either!

              2. MarkTriumphant

                Re: Planned or accident

                Absolutely true. Land Rover want £260 to update the maps on my Freelander.

    3. Anonymous Coward
      Anonymous Coward

      Re: Planned or accident

      One could argue that this problem is purely accidental because products are pushed out in the name of consumerism.

      That's not accidental, that's intentional.

  4. Warm Braw

    What problem are the certificates solving?

    I can see you might need encryption to preserve the privacy of the user's choice of viewing, but you can do that without a certificate.

    The domain name the iPlayer app connects to must be hardwired into the app itself, so presumably the certificate is acting as some form of identity check that the domain name hasn't been redirected somewhere else. But given that the iPlayer app has been provided by the BBC itself (or under its licence), you could perform the same check within the app without resorting to an external PKI service.

    So is the PKI there to perform some other function, or is it just being used because the code is there already so it's easier than finding a domain-specific solution?

    1. Rich 2 Silver badge

      Re: What problem are the certificates solving?

      I used to work on this stuff (TV streaming) and my overriding opinion of it was (and still is) that the majority of the complexity in this regard stems from broadcasters having an inflated opinion of the value of the content the produce. ITV player is probably the best example of this - the complexity involved in streaming an advert, breaking off to show a bit of a program (eg emerdale or corri) and then going back to an advert (sarcastic? Me!?) is bonkers complicated. I can’t remember now, but it involves something like 2 or 4 certificate servers, plus the actual content streaming servers (one for the adverts and one for the program) and the chain of stuff that has to happen for it all to work is nuts!

      And all this complexity is mostly because ITV don’t realise (or don’t want to admit) that todays emerdale/corri is tomorrow’s virtual chip paper (when did you last see a thriving black market in corri episodes? Nope. Me neither).

      There are other issues too, of course. Maybe some of it stems from the idea that people would use their “smart” TVs to do their shopping etc etc. Of course nobody does because it doesn’t work very well compared to using a laptop, or even a phone.

      And being able to download updates needs the device to trust the source (oh the irony!)

      Oh, and Of course there is the matter of a lack of forward thinking :-)

      1. Warm Braw

        Re: What problem are the certificates solving?

        the complexity involved in streaming an advert

        Ironically, the need to insert ad breaks and overlay region specific (STV or ITV) DOGs actually makes is easier to grab stuff: once you intercept the RTMP stream you get the full uninterrupted programme - no ad breaks and no branding. Or rather, you could if you were so inclined...

    2. Tom7

      Re: What problem are the certificates solving?

      The most pressing reason for using certificates from the end user's perspective is that many of the services accessed from the connected kit require logins and if you don't verify that the service you're sending credentials to is the right one, someone steals your login. For an example of what goes wrong when the certificates aren't validated, see this 2015 story.

      Samsung made an internet-connected fridge. Yes, it's one of the dumber ideas ever, but apparently some people want email notifications while they're cooking. The fridge didn't bother to validate server SSL certificates, which made it possible to mount a man-in-the-middle attack. Since the fridge had access to email accounts to give email notifications, this allowed stealing of email credentials.

      As someone has pointed out, once the certificate expires, you are in a hard place. If you don't verify the server certificate when you download a new firmware package, you have to assume that you've just installed malware on your customer's LAN. If the certificate fails verification, you really really ought to refuse to install the firmware update. In the case where your root certificate has expired, this leaves you in a place where you can't install the update that would fix the problem. In some cases, it will be possible for end-users to download and install an update. In other cases, the bit of kit is effectively bricked because either there is no feasible way for an end-user to install an update or because the average end-user is as likely to figure out the process as they are to grow antennae on their foreheads.

      1. Warm Braw

        Re: What problem are the certificates solving?

        In the case of a browser, it doesn't know, a priori, what it is likely to be connecting to and a third party attestation is useful.

        However, iPlayer (or whatever) knows exactly what it should be connecting to and the third party attestation offers nothing over what iPlayer could check for itself. At its most trivial, the app could contain the necessary certificate chain rather than rely on the one provided by the underlying system and an update to the app could update the necessary certificates.

        Of course you have the slightly circular problem that if the app store certificates expire, you can't update the apps, but that's a problem the third party service provider doesn't have to work around itself.

        I'm assuming the issue is that the APIs for some of these "smart" TV systems are in fact pretty minimal and don't offer you much beyond "render this URL as an H.264 video stream".

        1. Anonymous Coward
          Anonymous Coward

          Re: What problem are the certificates solving?

          "However, iPlayer (or whatever) knows exactly what it should be connecting to and the third party attestation offers nothing over what iPlayer could check for itself. At its most trivial, the app could contain the necessary certificate chain rather than rely on the one provided by the underlying system and an update to the app could update the necessary certificates."

          Not necessarily. What if the IP attached to the DNS entry changes? Or the DNS entry itself changes for whatever reason? Suppose the device has to jump through a proxy or two such that the entry it sees isn't the actual entry? And as long as we're in this department, consider Men-In-The-Middle (including sanctioned ones like secure proxies). It's the classic error: never assume what you think is permanent is actually permanent.

        2. Tom7

          Re: What problem are the certificates solving?

          But the problem is fundamental: in some way or other, the client needs to verify that the server it's sending credentials to is actually the server it meant to send those credentials to and not some other server that's stealing those credentials.

          There are all sorts of ways that that verification could be done and PKI certificates are only one of them; but they are a good choice for it precisely because they have a chain of trust with differing expiry intervals. The root certificate, which allows you to verify servers, expires rarely and the security precautions around it are extreme; the server certificate expires often but that doesn't matter because the client doesn't need to be updated when the server certificate is updated.

          Anything you can suggest to replace that is almost certain to be worse.

        3. Anonymous Coward
          Anonymous Coward

          Re: What problem are the certificates solving?

          Wrong. Learn how PKI and the internet in general works before trying to make us think you know what you're talking about.

          1. Warm Braw

            Re: What problem are the certificates solving?

            The difference between how something works and why it is used is the difference between mere knowledge and actual understanding.

    3. really_adf

      Re: What problem are the certificates solving?

      So is the PKI there to perform some other function, or is it just being used because the code is there already so it's easier than finding a domain-specific solution?

      Just because it's easier doesn't mean it's a bad thing: as with encryption, using existing code is generally a good thing for authenticating a server.

      To answer your question in the title: I think the obvious answer is that certificates are intentionally providing a time limit to the trust, because eventually, the private key matching the public key in the root certificate will be discovered.

      Say you wish to avoid PKI. On the face of it, embedding (say) an RSA public key in the client and validating signatures would work fine. But there would need to be some mechanism to periodically change the key, because eventually the private key will be discovered.

      I think this could work safely through a chain (key0 used to sign key1, key1 used to sign key2 etc), but only if that chain is unbroken, which can't be guaranteed unless you trust key0 forever, which is a bad idea because eventually the private key will be discovered.

      I can't see a way out of this...

      1. Richard 12 Silver badge

        Re: What problem are the certificates solving?

        I believe the OP is suggesting that there is no need for the iPlayer (or similar) chain of trust to go outside the BBC.

        iPlayer can ship with Public Key A. It connects to Auntie, does the usual handshake using that key, all is well.

        At intervals, Auntie gives iPlayer a new public key B, which it checks and installs locally, replacing the old key. It's safe, because the client has already decided to trust that server and has a well-encrypted link. Repeat until bored.

        The only difference is that there's no root cert. So it works as long as the first connection is within the expiry date of the initial download or pre-installation, and it's run often enough.

        For bonus points you could do things having like multiple valid keys, expiring each a year or two apart so a given client can't expire two keys at once.

        The exact validity periods needed will depend on how long TVs spend on warehouse shelves or otherwise disconnected, but I'm sure there's good stats for that.

        1. really_adf

          Re: What problem are the certificates solving?

          iPlayer can ship with Public Key A

          I think you're describing the same thing as I was trying to. I called it key0.

          So it works as long as the first connection is within the expiry date of the initial download or pre-installation, and it's run often enough.

          The same is true if you use certificates from a public CA, and embed the roots in the client with a way to update them (provided that's done in time).

          It's the expiry that makes it functionally similar, even though the detail is different. The benefit you describe comes down to having control over expiry. You could equally get this with certificates by using a private CA, without the wheel reinvention: you just need to be able to specify which CA certificate you trust and have a way to update that certificate.

          1. Tom7

            Re: What problem are the certificates solving?

            ...and trust the BBC to manage the certificate at the root of a chain of trust. It is better for a few specialist organisations to the do this than for every media streaming service to manage its own rarely-expiring root of trust.

          2. Richard 12 Silver badge

            Re: What problem are the certificates solving?

            The point is that there is no actual need for a chain, because the only key that matters is the one actually used today.

            There is a need to ensure the local copy isn't replaced by $bad_actor, however that problem exists for a "root cert" in a chain of trust too and so the solution for one is the solution for both.

  5. Steve Davies 3 Silver badge
    Pirate

    Lawyers... start your engines

    There will be a lot of people with some very expensive kit that has borked itself because of this issue. They will sue, sue and sue until they get a solution.

    A lot of companies are walking blind into this mess. Some really don't give a F**k. They have your money and good luck trying to get any support.

    If this gets bad enough the Politicians (who it seems are mostly Lawyers or PPE grads these days) will get involved which will only make things worse.

    An awful lot of this kit is never connected to the interwebs so I'd like someone to explain why it needs security certificates in the first place.

    OTOH, this is a disaster by design and as other comments have said this is all to get you to buy more stuff which will more than likely have even an even shorter lifespan before the same thing happens again.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lawyers... start your engines

      Any kit which isn't connected to the interwebs will presumably just carry on working as it is already, so there shouldn't be an issue in that situation?

      1. Roland6 Silver badge

        Re: Lawyers... start your engines

        >Any kit which isn't connected to the interwebs will presumably just carry on working as it is already, so there shouldn't be an issue in that situation?

        Depends, Windows for example doesn't like running code with an expired certificate or running signed code that doesn't have a relevant root certificate in its store; so suspect much depends on what the kit does with certificates.

        Personally, as use my TV in monitor/dumb-mode, with the Xbox handling all the smart functions, I'm hoping this won't be a problem. However, given services like Amazon Prime actually check and use HDCP, it would not surprise me if this has some form of certificate dependency and so people suddenly find their large 4K screens can only display stuff at SD (ie. DVD quality, not HD/Blueray quality) or worse get an HDCP error preventing content being displayed...

        1. Richard 12 Silver badge

          Re: Lawyers... start your engines

          Not quite.

          Windows will only complain if the software's signing date is after the cert expiry.

          If the cert used expired in 2019 but the software was signed in 2018, it's still considered fine to install in 2020.

          I'm not sure whether that applies to the root certs though, as I've not seen docs about that or had an opportunity to try it.

      2. Anonymous Coward
        Anonymous Coward

        Re: Lawyers... start your engines

        Wow, enlightening....and what "kit" do you buy today that doesn't rely on root certificates?

    2. SImon Hobson Bronze badge

      Re: Lawyers... start your engines

      They will sue, sue and sue until they get a solution

      Sale of Goods and Services Act (or whatever it's replacement is called this week) is your friend here. There is an automatic assumed warranty of "reasonable durability" - where "reasonable" is not defined in law, but would be considered on a case by case basis in court. Taking something simple to understand such as a pan for the kitchen - if you buy a pan for 50p off the market, then you can't reasonably expect a lot of durability from it; but if you splash out on something expensive (such as those heavy and expensive cast iron things from Le Creuset) then you could reasonably expect the handle not to drop off after a few months.

      The key things is that in law there is no time limit to claim for faults which could reasonably be assumed to exist at time of manufacturer - though the statute of limitations constrains you to 6 years (5 years in Scotland). A certificate expiring and bricking a device is a built in fault - absolutely no wiggle room out of that one.

      The claim is against the retailer, not the manufacturer - so as long as the retailer is still in business there is someone to claim against. I would imagine that if the likes of Dixons Group (owners of Currys & PC World) or Asda or Tesco, or ... turns round to manufacturers and basically said "you're carp has cost us £XM in claims - compensate us or never sell another product though us ever again" then there's enough clout to get the attention of the beancounters in even the biggest manufacturers.

      But that relies on consumers realising what's gone on and actually claiming rather than just adding to landfill and buying more tat.

      1. ThatOne Silver badge
        Devil

        Re: Lawyers... start your engines

        > But that relies on consumers realising what's gone on and actually claiming rather than just adding to landfill and buying more tat.

        Indeed, and History has shown most people will just grumble a little, then go buy a replacement, of the same brand. Some will even be happy for the opportunity to get the newest and shiniest...

        1. batfink

          Re: Lawyers... start your engines

          Grumbling and replacements for cheap crap, maybe. Grumbling and replacements for that expensive television, maybe not.

      2. Anonymous Coward
        Anonymous Coward

        Re: Lawyers... start your engines

        ...."you're carp has cost us £XM in claims - compensate us or never sell another product though us ever again"....

        Nope. Doesn't work like that. Not in todays upside down world of retail, it's more like ...

        "Do as we say or we'll never let you sell another one of our products again"...

        1. Anonymous Coward
          Anonymous Coward

          Re: Lawyers... start your engines

          And if they reply, "The Competition is just outside waiting to come in. Do I tell them I have an opening for an extended sales agreement, then?" It's not like consumers are utterly brand-loyal to TVs, are they?

        2. John Brown (no body) Silver badge

          Re: Lawyers... start your engines

          "Do as we say or we'll never let you sell another one of our products again"...

          FYI, few manufactures have that kind of clout these days. The big retailers are the ones calling the shots in many cases.

      3. Anonymous Coward
        Anonymous Coward

        Re: Lawyers... start your engines

        "[...] so as long as the retailer is still in business there is someone to claim against."

        In the UK if you bought it on your credit card (over GBP100) and the supplier goes bust - then the credit card company is liable. It worked for me many years ago when an early CD writer didn't meet the published spec. The supplier folded during the dispute - and Barclaycard refunded the purchase price.

        Section 75 of the Consumer Credit Act

        1. Richard 12 Silver badge

          Re: Lawyers... start your engines

          In many cases it's better to just ask the CC company to refund you.

          They have bigger and more lawyers than most retail.

      4. hoola Silver badge

        Re: Lawyers... start your engines

        I suspect that would work to a degree but how about Amazon?

        This needs to be across the board otherwise all that will happen is that those retailers with more interest in customer service will end up with nothing to sell.

        Just sending a replacement does not necessarily help if it has the same certificates.

      5. Mike 137 Silver badge

        Re: Lawyers... start your engines

        Unfortunately, a service being terminated is not the same thing in law as lack of durability. If the buttons fall off or the glued in battery dies ahead of time that's actionable, but there's no warranty relating to continued provision of support services or even "spare parts" beyond the statutory minimum consumer guarantee period (which includes the option of replacement with an "equivalent" in lieu of repair).

        1. SImon Hobson Bronze badge

          Re: Lawyers... start your engines

          But this is about the equipment "failing" because a part of it has stopped working. IN this case I think it's a "slam dunk" case as our US friends might call it.

          Has the equipment ceased to function - either in whole or part ? Yes

          Is that due to a fault ? Yes, it's because a certificate has expired and so the equipment can't make secure connections.

          Was that fault present, or could it reasonably be believed to be present, at the time of sale ? Yes, the certificate was part of the software, and it would have been obvious to anyone that it would expire on [some date].

          So unless the retailer can that at least one of those statements is not true then they are liable and will lose in court. But since all three of those would be a given for the issue being described, they don't stand a chance. It's a completely different situation to the likes of Revolv where the equipment still "functions", but can't do something because an external service has stopped.

          But that's a different (though related) debate - there needs to be some guarantee over provision of such services for at least a set time.

  6. Lunatic Looking For Asylum

    Of course if they weren't so greedy ....

    Why do we need encrypted/ssl connections to stream media ? I can turn a TV on and get it down an aerial and it is not encrypted, indeed everybody can snoop and see the traffic if they want.

    What's the difference with streaming media, none. They could stream it over port 80 and it would still be more secure than the airwaves.

    It's all down to DRM and them wanting to monetise the pap they produce.

    Conveniently disguised planned obsolesence.

    1. Christopher Reeve's Horse

      Re: Of course if they weren't so greedy ....

      There is an important difference in steaming media, in that the choice of media explicitly defines a datum of customer behaviour and preference.

      1. David 132 Silver badge
        Thumb Up

        Re: Of course if they weren't so greedy ....

        steaming media

        Best (intentional?) typo ever.

    2. Test Man

      Re: Of course if they weren't so greedy ....

      "I can turn a TV on and get it down an aerial and it is not encrypted, indeed everybody can snoop and see the traffic if they want."

      That's not true. HD broadcasts (broadcast via DVB-T2) are encrypted and have been since the beginning.

      1. Anonymous Coward
        Anonymous Coward

        Re: Of course if they weren't so greedy ....

        You might be thinking of the EPG data, which has some compression applied and the huffman tables needed to "decode" it are protected by the BBC. They use this to strong arm the equipment manufacturers into implementing their desired DRM methods

        It doesn't stop someone with a generic DVB-T2 receiver from capturing the video/audio transport streams - these are not encrypted

    3. richardcox13

      Re: Of course if they weren't so greedy ....

      TV on and get it down an aerial and it is not encrypted, indeed everybody can snoop and see the traffic if they want.

      Third parties cannot see what you are watching in that case. Or see traffic from you back to the source.

      Both of which happen when using a streaming service.

      1. Anonymous Coward
        Anonymous Coward

        Re: Of course if they weren't so greedy ....

        "Third parties cannot see what you are watching in that case. Or see traffic from you back to the source.

        Both of which happen when using a streaming service."

        Isn't a common "feature" of "Smart TVs" their ability to capture partial image data of whatever broadcast you're watching, so it can be phoned home and analysed in minute detail...

    4. Steve K

      Re: Of course if they weren't so greedy ....

      FreeView HD (for example) is encrypted, and gets into/out of your TV via an HDMI connection

      1. Steve Graham

        Re: Of course if they weren't so greedy ....

        No it's not. The EPG is scrambled, but the programmes are not.

        I can use a generic decoder and save any programme to USB in MPEG stream format.

        1. SuperGeek

          Re: Of course if they weren't so greedy ....

          So, then, can you explain why when I take the HDD out of my YouView box, I can view the SD programmes TS files with VLC just fine, but HD ones won't play?

          Encryption is my first guess, so the guy above you WAS right.

          1. tellytart

            Re: Of course if they weren't so greedy ....

            That'll be the STB recognising there's a copy protect flag in the MPEG stream, and encrypting the recording on the disk.

            However, if you use a PC DVB-T2 tuner card, you can view, and record, the HD streams without any encryption.

          2. Steve Graham

            Re: Of course if they weren't so greedy ....

            I believe it's a condition for using the Freeview HD (or Freesat) branding that recorded programmes are encrypted on disk. However, as I said, off air they're in clear.

  7. Wim Ton
    Go

    Simple solution

    That is why my companies' IoT products' certificates are valid to 31-12-9999. Our customers would be very upset if communication would suddenly cease.

    Oh, and they are valid from 1-1-1970 to handle the case of the clock not set due to an empty battery.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      That won't avoid the issue mentioned in the article - it's not the expiry date of _your_ cert that's the problem - it's the expiry date of the Certificate Authority's root cert, which your cert relies on.

      1. Alan J. Wylie

        Re: Simple solution

        > it's the expiry date of the Certificate Authority's root cert

        Except that no CA these days will issue a cert valid for more than 2 years. His must be self-signed.

        1. Wim Ton

          Re: Simple solution

          For this reason we operate an own PKI. With the browsers restrictions on end certificates, customers have the risk of devices bricking themselves when stored too long.

    2. Anonymous Coward
      Anonymous Coward

      Re: Simple solution

      My companies' baby monitor, babiNyteMare©®, communicates with our servers without any encryption so this is not something we need to worry about. And it comes in a pink box with a picture of a lamb on it.

      1. Mast1

        Re: Simple solution

        Surely, if it has a "Mare" in the title, it should have a picture of a pink horse on the box ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Simple solution

          You're hired!

  8. heyrick Silver badge

    Um...?

    I can understand closed devices like IPcams and such, but can't you install certificates in Android? Wouldn't that be a potential way to work around the issue of certificate expiry?

    Hmm, yes. Never used it but "Lock screen and security" -> "Other security settings" -> "Credential storage" looks to be the place.

    1. SImon Hobson Bronze badge

      Re: Um...?

      I vaguely recall that yes, you can add certificates yourself - but there's a restriction in that you have to have lock screen security turned on.

      1. Ben Tasker

        Re: Um...?

        > but there's a restriction in that you have to have lock screen security turned on.

        And will get a permanent notification in your notification bar saying something along the lines of "network communications may be being monitored".

        A long standing issue that Google, frankly, couldn't give two short fucks about - https://issuetracker.google.com/issues/36984301

        If you're going to install additional certs on Android, the only real solution is to root the device

  9. Gonzo wizard
    Boffin

    Much of it will be down to the heavily used ESP8266 (ESP12)

    A lot of IoT devices are built around the ESP8266 which, while having libraries that support HTTPS, doesn't have enough RAM to be cast iron reliable in every situation. It's been one of the things that's stopped me attempting to build any serious prototypical hardware that could be turned into a production run - you've got to ensure your software uses the bare minimum of RAM and that your encrypted HTTP requests and responses don't exceed a certain size, or the stack and the heap collide. So you're left with the difficult choice of not supporting HTTPS comms at all (not good PR), or spending a huge amount of time optimising to death and validating the reliability of your code.

    I'm certain a lot of IoT devices will simply cease working if they rely on an embedded copy of a root certificate for HTTPS support.

    This makes Zigbee look more and more like a smart choice for IoT devices because expiring root certs isn't an issue in the end device (I'm coming more and more to the conclusion that all IoT devices should be as simple as humanly possible). Mind you reducing price of the ESP32, which has considerably more memory, will encourage manufacturers to switch. The Pi Zero is a better bet for hobbyists though.

  10. Barry Rueger

    House of Cards

    More and more I feel that we're heading for the day when the entire Internet comes crashing down. It really is a disaster waiting to happen.

    1. Anonymous Coward
      Anonymous Coward

      Re: House of Cards

      as a person working behind the scenes, let me tell you, house of cards is a paragon of stability compared to IT infrastructure in general

  11. Doctor Syntax Silver badge

    If this knocks off-line a lot of botnets running from vulnerable webcams and the like it might be a Good Thing.

  12. Pascal Monett Silver badge

    "I would be perfectly happy with a five-year update cycle for my refrigerator"

    And I am perfectly happy with the no-year update cycle on my very dumb and perfectly functional fridge, thank you.

    As much as I can eventually understand the interest of a "smart" TV, I'm sorry but a fridge is never going to have the capability of automatically checking what is stored in it, so I fail to see the point.

    And RFID is not going to tell me if the milk jug is half empty or almost full.

    It's all a bloody waste of time and money.

    1. Anonymous Coward
      Anonymous Coward

      Re: "I would be perfectly happy with a five-year update cycle for my refrigerator"

      "[...] a fridge is never going to have the capability of automatically checking what is stored in it, [...]"

      I remember the days when supermarkets had to put a sticky price label on every packet and tin - to be transcribed by the checkout assistant on the till keys. Then came standardised bar codes on every product so they could be scanned. The cheap RFID tag idea is not quite universal yet - but potentially offers instant scanning of your full trolley.

      IIRC there are now packages that contain "freshness" indicators for perishable items.

      The intelligent fridge needs packaging innovations and standardisation - at a low cost per item. It will come.

      1. hoola Silver badge

        Re: "I would be perfectly happy with a five-year update cycle for my refrigerator"

        Or just open the door and see what is in the fridge

        This obsession with tech is the cause of so much of the waste we produce. Food waste is simply horrific because of a date, best before, sell by, display until etc.

        Millions of tons of perfectly good food are binned because people are seemingly unable to assess that it is still okay. Some things are more susceptible or dangerous than others, meats and fish for instance but for heavens sake, just give it s sniff.

        Millions of bits of tech are binned, mostly because there is a new, better, faster flashier model out, not because they are physically worn out.

        Rant over.

      2. John Brown (no body) Silver badge

        Re: "I would be perfectly happy with a five-year update cycle for my refrigerator"

        "The intelligent fridge needs packaging innovations and standardisation - at a low cost per item. It will come."

        It also needs to have built in scales on each shelf and door space otherwise it only knows you took a milk bottle out then put the same/another one back in. It won't know whether you had a splash of milk in your tea or just made a 1/2pt milk shake. Or how many slices of bacon you took out of the pack. And I'm not sure every local butchers or farm shop is going to be putting those tags onto each manually weighed out package. What you are suggesting could only work if every food item comes in a standardised, sealed supermarket package.

        1. Anonymous Coward
          Anonymous Coward

          Re: "I would be perfectly happy with a five-year update cycle for my refrigerator"

          OR each package has some way to determine how full it is. Take the milk jug. Suppose the RFID tag includes a means to detect how full it is (say by using a conductive strip to detect the fluid level, there ARE ways to electrically detect fluid levels, and they don't necessarily require a lot of power to do given unplugged coffee urns and such).

          I suspect with enough motivation, they can find some ways...

  13. Kevin Johnston

    Ha..I say unto you

    And people called me a luddite for buying a decent large-ish screen monitor with built-in speakers rather than a smart-TV. I don't even connect it to a 'smart-box' as I have a Freesat box for the live TV and if it is not available there then I can watch on my laptop. I have yet to hear a good reason to connect my white goods to the internet (or connect my lightbulbs/doorbell/thermostat/toilet)

    OK...maybe the toilet was not a real option.....yet

    1. Anonymous Coward
      Anonymous Coward

      Re: Ha..I say unto you

      It has long been recognised that the toilet has health diagnostics potential. IIRC the German toilet bowl had/has a little shelf for inspection before flushing.

      Faecal matter is a diagnostic for various cancers etc. Currently a home test is merely a manual collection of a smear onto a doped window that can be "read" later in a lab. Dogs have been trained to sniff out characteristic scents of some conditions. The electronic artificial nose is the Holy Grail of many industries.

      My diabetes flash glucose monitor is a "patch" on my upper arm. It can be read with a smartphone NFC and the results stored in the cloud for my doctor to look at when needed.

      It is not just Covid-19 that is pushing the health services to remote diagnostics.

    2. Anonymous Coward
      Anonymous Coward

      Re: Ha..I say unto you

      doorbell

      When a visitor approaches my closed door they trigger an infrared beam. An Arduino box of tricks sends a chime signal to bell units throughout the house and garden. It repeats twice - just in case the first one didn't register on your consciousness "Is that the post?".

      If the wired doorbell is pressed - then the Arduino sends a different chime signal to all the bell units - and repeats it five times or until you open the door.

      Those units are currently on 433mHz.

      There is another beam on the drive entrance that is only used to activate Halloween and Xmas decorations - the Arduino unit also governing diurnal curfews. The signals used for this were originally 433mHz - but it is now transitioning to wifi to control AC power points. The devices' intranet is a dedicated router isolated from the house PC intranet/internet.

      1. Mark #255
        Coat

        milli-Hertz?

        433 milli-Hertz is around 26 bpm, or one cycle every 2.31 seconds.

        Yes, people confusing m and M in SI units is the hill I've chosen to die on.

    3. John Brown (no body) Silver badge

      Re: Ha..I say unto you

      "OK...maybe the toilet was not a real option.....yet"

      I bet you can already buy one in Japan!

  14. chivo243 Silver badge
    Facepalm

    I saw one today!

    Too bad we can't post pix (yet??) here on El Reg, I read this story earlier in the afternoon, and after that I had to help a user with a different issue, but there it was plain as day a microsoft domain complaining of a cert gone out of style! Gladly it was on a citrix session to some other poor sap's network, and not my worry!

  15. Bitsminer Silver badge

    What time is it, please?

    Yes, I know it is 2020, and it's madness to expect things to work correctly for more than a year or three.

    But, can I lie to the refrigerator and say "it's 1999"?

    1. David 132 Silver badge
      Coat

      Re: What time is it, please?

      Yes, provided you're prepared for your smart fridge to make a few assumptions thereafter for your safety...

      ERROR41: This pork chop is from a pig whose grandmother hasn't been born yet. Temporal violation on bottom shelf. Discarding.

      ERROR42: Waitrose Lemon & Herb Chicken on middle shelf may not be safe to eat due to thyme dilation effect.

      NOTIFICATION: The carton of milk buried out of sight at the far back of top shelf was purchased last week and is fresh. Enjoy your Millennium Eve party!

      1. Woza
        Coat

        Re: What time is it, please?

        If you're feeling hungry, you can partake like it's 1999.

      2. Chris 239
        Thumb Up

        Re: What time is it, please?

        Thyme dilation ! love it! :-)))

  16. Anonymous Coward
    Anonymous Coward

    Expired but still valid

    I know, I know, it's "expired". But the public key hasn't changed and the cert is still useful for its purpose. Expirations are a made-up problem, sadly used to solve a real problem - non-functional CRLs. Can they please just fix the underlying issue so a cert can live until someone "expires" it??? Oh wait - then GoDaddy, DigiCert, Verisign, et al won't be able to keep reducing cert validity periods and keep charging outrageous sums for zero-effort renewals. Never mind.

    1. Tomato42

      Re: Expired but still valid

      if certs didn't expire we'd still have to deal with intermediates signed with MD5

    2. brotherelf

      Re: Expired but still valid

      Last spin of the cycle, It's not the commercial CAs that want to reduce validity, it's the browser vendors (Apple and Google), presumably because they don't want to put more thought into their OCSP implementations.

      1. Tomato42

        Re: Expired but still valid

        more like they noticed that CAs treat OCSP as afterthought and as a result it has like 99% uptime?

    3. Nick Ryan Silver badge

      Re: Expired but still valid

      Unfortunately if the only solution is CRLs and not certificate expiry dates then as time goes by the CRL will become so large that it will cease to be viable. Therefore expiry dates are a fair solution to things.

      As for the cert providers "valuable" service in doing not very much other than processing invoices... yep. It's infuriating the price gouging that went on and is still largely going on.

  17. Dan 55 Silver badge

    I'm surprised that the majority of Internet of Trash actually checks root certificates enough to stop working when they expire.

    1. Nick Ryan Silver badge

      The code written on them won't, as it's usually written by the typical modern developer who has no clue about security, accessibility or anything long term let alone error handling. However the devices themselves, and the libraries built into them, do try to apply the correct checks. Of course, baking an HTTPS stack into firmware has disadvantages if done badly or when standards change, therefore there will always be churn for this reason if nothing else.

  18. richalt2

    It seems pretty reasonable to me to discard and replace smart devices after 5 years. By that age, it is likely riddled with malware.

  19. Charles Smith

    Y2K

    We'll soon be at the point where some of the developers were born after Year 2000. History repeating?

  20. Anonymous Coward
    Anonymous Coward

    I have an iMac...

    I'll be fine.

  21. Lee D Silver badge

    At one point, a certificate inside a Java .JAR file, associated with APC UPS software expired.

    Except, we didn't know that. All we knew was that every server suddenly went to 100% CPU, couldn't log in, couldn't do safe mode, couldn't do anything in terms of diagnosis on the machine itself. And when you looked at the data, everything matched recent backups, including the software JAR file that hadn't changed in years. Even if you restored from a known-good backup, same problem as soon as the clock updated (but, again, you wouldn't know that, it would just work for a minute and then go mad). Literally took down a network without any visible signature and no way to diagnose a live system.

    It was only by one of those word-of-mouth fixes that it was determined that if you kill off the APC UPS software by deleting the entire folder, and then restart, the machines would operate as normal.

    Eventually APC pushed an update, but it literally took out several networks that I was working on, and many colleague's networks. Obviously one of them noticed that the ones not on an APC UPS or using its monitoring agents to shut themselves down were unaffected, and spread the word.

    Then the root cause analysis was a certificate inside a JAR expiring, causing the APC software to throw a paddy and bring the servers to their knees (for whatever reason). APC issued an update with the new certificate and a reinstall of it worked, but first you had to take down every affected machine, manually delete the APC software, then boot and reinstall.

    I expect much the same problem in dozens, if not hundreds, of pieces of software when old root certificates start to expire, and they'll be the embedded ones as well as the server.

  22. Anonymous Coward
    Anonymous Coward

    What Me Worry?

    With our current What Me Worry? POTUS who prefers to ignore facts and any thing bad happening under his watch other than race hate, this will surely come to pass while our government will pretend it is not or at the most marginalize it and do everything they can to obscure the facts. He and his Citizens United backers could give a crap about any problems other than how much money they can wring out of the system.

  23. Wayland

    Dune policy on electronics

    In Frank Herbert's Dune complex electronics are outlawed. You can have a simple electric device but the sorts of problems we are having with certificates and hackers would be impossible. Why does your fridge need to connect to the Internet? Why does the video player need to encrypt video?

  24. osxtra

    Just when you thought it was safe...

    ... to forget all about Y2K. In the words of the (so far) immortal David Byrne: "Same as it ever was."

  25. hammarbtyp

    I would love a 25 year certificate

    When we explained to our parent company that we wanted a root certificate valid for 25 years, they laughed at us. They were used to generating IT cerificates, and the idea that a piece of OT equipment may be around for longer than 3 years and maybe only connected to every 5 or 6 years were totally alien to them.

    n the end we became our own CA, which may of been less secure, was acceptable for our use cases (and also got around the issue that our devices do not have DNS names so browsers tended to hate them )

  26. EnviableOne

    the lets encrypt root shouldnt be an issue as their certs are just 90 days and they are already issued by a root safe till 04 June 2035

  27. Anonymous Coward
    Anonymous Coward

    Issue was caused by stupidity

    Sectigo AddTrust External CA Root certificate expired on May 30, 2020. They sort of assumed that only 'modern' browsers visited web sites and forgot about everything else that may use SSL.

    Sectigo was established as a seperate operating company from Commodo in 2017 at which time they added an ADD TRUST certificate to their certificate chain at this time with a 3 year expiry.

    It doesn't appear to have been communicated that it would be best to reissue your certificates before the 30th May to ensure full compatibility nor (more obviously) ensure the root expired after customers certificates. Ours still had 3 or 4 months left.

    It just meant reissuing and reinstalling SSL certificates. Obviously there was quite a lot of head scratching, getting certs and bouncing services to fix everything.

    Surprised it took the reg so long to notice.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like