from the disposable-technology dept.
Let's Encrypt Will Stop Working For Older Android Devices:
Let's Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.
The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let's look at why this has come to pass, and what it means going forward.
When Let's Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let's Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. [...]
The problem looming on the horizon is the expiration of DST Root X3, on September 1, 2021. Of course, for those running up-to-date operating systems and browsers, there's no major issue. But for those on platforms that haven't been updated since 2016 or so, and don't support the ISRG Root X1 certificate, things will break. [...]
Basically it's the same old issue that we see over and over again. Older handsets are not receiving OS updates from the vendors, so security issues are not fixed, certificates expire, and newer algorithms are not implemented. As the article mentions, the vendors have little incentive to spend money supporting older handsets that they have already sold. They would rather you jump right back on the merry-go-round and buy a new one. Lather, rinse and repeat as needed.
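To make the failure mode in the summary concrete, here is an added example (not from the article or from Let's Encrypt) that models chain building against two trust stores: one that only knows DST Root X3 and one that ships ISRG Root X1. It checks only issuer names and expiry dates, not signatures, and the leaf name and all expiry dates are constructed values chosen to match the dates in the story.

```python
from dataclasses import dataclass
from datetime import date

# Constructed, simplified model of X.509 path building: a cert is just
# (subject, issuer, not_after). No signatures are verified; the point is
# which trust anchor a client can reach, and whether that still works.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed approximation of the hierarchy the story describes.
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))   # self-signed root
ISRG_CROSS = Cert("ISRG Root X1", "DST Root X3", date(2021, 9, 1))   # cross-sign by IdenTrust
DST_ROOT = Cert("DST Root X3", "DST Root X3", date(2021, 9, 1))      # expires Sept 1, 2021 (per story)
LEAF = Cert("example.org", "ISRG Root X1", date(2022, 1, 1))         # hypothetical site certificate

INTERMEDIATES = [ISRG_CROSS, ISRG_SELF]   # what the server hands over beside the leaf
OLD_ANDROID_STORE = {DST_ROOT}            # bundle that never learned about ISRG Root X1
UPDATED_STORE = {ISRG_SELF}               # bundle that ships ISRG Root X1
BEFORE_EXPIRY = date(2021, 3, 1)
AFTER_EXPIRY = date(2021, 10, 1)

def find_path(leaf, pool, trust_store, today):
    """Depth-first search for an unexpired path from leaf to a trusted anchor."""
    def walk(cert, path):
        if cert.not_after < today:
            return None                       # this link has expired, dead end
        path = path + [cert]
        if cert.subject == cert.issuer:       # self-signed: only valid if trusted
            return path if cert in trust_store else None
        for issuer in pool + list(trust_store):
            if issuer.subject == cert.issuer and issuer not in path:
                found = walk(issuer, path)    # try every candidate issuer (cross-sign or self-signed)
                if found:
                    return found
        return None
    return walk(leaf, [])

def chain_subjects(trust_store, today):
    """Subjects of the chain a client would accept, or None if validation fails."""
    path = find_path(LEAF, INTERMEDIATES, trust_store, today)
    return [c.subject for c in path] if path else None

if __name__ == "__main__":
    for label, store in (("old Android", OLD_ANDROID_STORE), ("updated", UPDATED_STORE)):
        for day in (BEFORE_EXPIRY, AFTER_EXPIRY):
            print(f"{label:12} {day}: {chain_subjects(store, day)}")
```

The old store validates only through the cross-signed path and loses it on expiry, while the updated store falls through to the self-signed ISRG Root X1 and keeps working.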
(Score: 2) by driverless on Wednesday December 09, @11:24AM
So who needs an external attacker performing a DoS when your security infrastructure will do it for you?
(Score: 2) by TheRaven on Wednesday December 09, @11:44AM
I have an old Android 2.3 handset that I was considering setting up as a Music Player Daemon device a couple of years back. Android 2.3 has an old set of root certs and there's no update available. The format of the bundle changed some time around 3.x or 4.x and so back-porting it was non-trivial. Even after that, a bunch of things (including the F-Droid repository) mandated a newer version of the TLS stack than these things provided.
That said, these versions of Android also contain known kernel vulnerabilities and vulnerabilities in network-connected privileged services, so it's a really bad idea to connect them to the Internet at all. They're just contributing to the e-waste problem at this point.
