Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs Let's Encrypt, a Certificate Authority (CA) that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year. Let's Encrypt launched four years ago to make it easier to set up a secure website. To jumpstart its trust relationship with …
"With more than 2.5bn active Android users, the impact will be noticeable, though not too much so – those aging Android devices account for only about one to five per cent of internet traffic, apparently."
Wow, cell phone users using cell phones for phone calls only. Why, they're still in the Neolithic phone age!
This post has been deleted by its author
My 4-year-old mobile is hardly ever used to access anything on the web, why would I do so? A small screen that is usually overrun by crap adverts if I ever make the mistake of clicking on any sort of link. I use a few apps, but voice calling is subject to two problems, crap reception at home - 'please use my landline' and the difficulty of actually getting it to answer if I am not using a Bluetooth headset. It is OK for a few Google applications and for texts. Interactive voice calling generally defeats its capabilities.
Wow, cell phone users using cell phones for phone calls only. Why, they're still in the Neolithic phone age!
Well, a few things to draw from this, it doesn't mean there are users of older android devices only using them for phone calls; for all we know from this 100% of those in service are still surfing the web. Second, these are smart phones, so it's not "cell phones for phone calls only", if you want to do that then you would be much better off without a smart phone, so it's likely the people on them are using them because they want those features.
Because if they support older devices, people who won't purchase new devices won't purchase any new devices and they might miss out on ten cents of advertising revenue. This is horrifically bad, because that ten cents of revenue might mean that the shareholders would need to spend 10c of their OWN MONEY for the 600 foot power yacht.
And apparently we can't have that.
I've just checked a phone I use from time to time owing to its compact form factor that runs Android 4.0.4. It lets you add a certificate (from internal storage) to the user certificate store. You'd think that would be enough, but obviously Let's Encrypt isn't going to be making a fuss about nothing.
Further investigation suggests that up to and including Android 6.0, certificates from the user store are by default also available to apps, but from that point on, they're not unless the app is built to allow user certificates.
I'd have thought there are lots of cases where people will have custom security configurations that require their own root certificates. Are browsers deliberately preventing use of the user certificate store?
What am I missing in this picture?
This will probably vary by device and Android version, inconsistency being the quintessence of the Android experience. But here's what I did:
1. Using Chrome on the phone, went to the LE certificates page.
2. There I used the appropriate links to download the ISRG X1 and X2 root certs in PEM format. I don't know what formats Android will accept, but PEM is the only sensible format for certificates and no one should ever use anything else, so that's what I always try first.
3. This gave me two checkmark links in the phone's status line. I dropped down the system menu and clicked the checkmark next to the first one. That prompted for authentication (phone password or whatever you have configured); then it prompted me for a name for the certificate - I used "Let's Encrypt ISRG Root X1". Then it was installed.
4. Repeat for the X2 root cert, for future-proofing.
5. Afterward, you can go into Settings, search for "certificate", click on View Security Certificates (or something similar - on my phone it's under Security > Advanced, but you never know with Android). Then look at your User certificates and they should appear there.
Android is far more customized by phone manufacturers than you would think. They literally do a separate fork of Android for every single phone model. Every nifty feature like edge touch or foldable screen or having three separate cameras, the manufacturer needs to modify the code. So Google cannot just send an update; they can only provide a patch to manufacturers, and those need to apply the patch to all of their forks. Which is, as noted, not exactly in their interest, since they make money by selling new phones, not by maintaining older ones.
Google has been trying to regain control by putting more and more features away from Android into the Google Play services; though that inevitably raises the problem of them having a monopoly control over Android phones.
Surely a certificate store update app is a standard part of Android, thus all that is necessary is a certificate update release as part of a Play services update.
Okay some other method will be needed to support non-Play devices, but don't see why this is causing an issue - unless Google cut one too many corners on Android...
> "Mozilla software does not integrate well with the host operating system and duplicates its functionality in parts"
That's why I use it actually. I never trusted Microsoft in Internet things (back when I was still using Windows), and definitely don't trust Android.
Also, the self-contained aspect of Firefox allows faster reaction times when bugs are discovered or certificates need to be changed. Instead of depending on several, not necessarily very motivated entities, you have a single supplier who can react fast.
See the certificate update issue for an example, and note it isn't the first certificate change old Androids missed: IIRC several compromised and now revoked certificates are still deemed valid in older phones and tablets.
(I didn't downvote you BTW)
That was what hindered Firefox adoption in companies when you need to be able to centrally manage things like company wide CA and certificates. And frankly, having to manage certificates in dozens of different certificate stores is a nightmare from a system administration perspective.
Google was more cunning with Chrome and understood it needed it to get a foothold in business settings as well. Mozilla eventually added GPOs and other features to play nicer in business deployments.
But really the Google Play system can't update system certificates? I'm quite sure the day Google needs to update one of its certificate of ad revenues decrease, it will be able to update any certificate it needs.
For Android 4.x you also need a fairly old version of Firefox. (They had breaking changes in the APK file at some point between 4-5).
I am not so sure these older builds of Firefox provide the certificates either.
To be fair, this is why this central certificates architecture is not great. I am very thankful that SSH doesn't use them in this way (it optionally can, but that is rare).
But at the same time I can't even be bothered to rant about phone manufacturers not supporting their devices correctly because... phones bore me too much to even type about them.
It just a shame that the latest Firefox builds for Android are a bit poor, I used Firefox with ublock origin on my cheap Chinese Android streaming box to watch Youtube without the annoying ads, but after Firefox updated it not only made Firefox unstable but when it crashed it would bring down the whole device causing it to reboot. I am going to look for an APK for the older Firefox builds as they worked fine before it updated and its only used for Youtube no other web browsing is done from this device.
I have a 'landfill' Android tablet stuck on Lollipop 5.1. No updates are available.
I have a couple of tablets that were only supported by their manufacturers (Samsung and Asus) up to KitKat (4.4), but one of them (the Samsung) can run LineageOS 14 (aka Android 7), which has extended its useful life considerably.
I object to having to buy new hardware just to get a supported OS, especially when the old hardware still works fine and the selection of new models available contains nothing I desire.
My phone is an Android One model from Motorola running pretty-much stock Android, why can't I get a tablet that does the same?
"We also wonder if Google could update Chrome on older Android devices to include the certs."
Ha ha ha. Good luck with that one.
This is all those new old devices, you can still buy many cheap Android devices with old versions on them. Around 35-40% of Android devices are on Nougat or earlier.So that is around 750 million to -1B billion devices that are affected, that's a a lot of landfill.
Current version of android is 11, been out since october
version 7 was released in 2016, and is no longer supported by Google, can't blame OEMs here.
I wouldnt be running anything below 7.1.1 in a corporate environment anyway (where Android for work started)
TBF if it was an iThingy was still runing iOS 10, it'd as insecure as an insecure thing now too.
Even if you got it on the newest device, the iPhone 7 is on the chopping block on the next round anyway....
Who says the iPhone 7 is "on the chopping block on the next round"? Apple just issued another security update for iOS 12.4.x, so the iPhone 5S introduced back in 2013 is still current on security patches.
Android 7.1.1 was released on December 5, 2016 - the comparison would be if there are no more 12.4.x patches then FOUR YEARS FROM NOW the iPhone 5S & iPhone 6 would be in a similar state.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
