posted by martyb on Thursday December 24 2020, @02:39AM

Let's Encrypt comes up with workaround for abandonware Android devices:

Things were touch-and-go for a while, but it looks like Let's Encrypt's transition to a standalone certificate authority (CA) isn't going to break a ton of old Android phones. This was a serious concern earlier due to an expiring root certificate, but Let's Encrypt has come up with a workaround.

[...] Yesterday, Let's Encrypt announced it had found a solution that will let those old Android phones keep ticking, and the solution is to just... keep using the expired certificate from IdenTrust? Let's Encrypt says "IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren't any compliance concerns."

Let's Encrypt goes on to explain, "The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don't contain certificates per se, they contain 'trust anchors,' and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn't been added to older Android trust stores, DST Root CA X3 hasn't been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues."
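The mechanism described in the two quotes above, as an added example that is not Let's Encrypt's or Android's code: a constructed chain whose trust anchor ("Old Root", standing in for DST Root CA X3) expires in 2021, a cross-sign it issued for a newer root ("New Root", standing in for ISRG Root X1) that runs three years past that date, and a leaf under the new root's key. The `verifyChain` function is a deliberately small hand-rolled path validator; its `enforceAnchorExpiry` switch is an assumption used to model the two behaviours the quote contrasts (OpenSSL-style enforcement of `notAfter` on the anchor versus Android's policy of ignoring validity dates on trust anchors). Go's own `crypto/x509` verifier is run alongside it for comparison. Names, serials, dates and the omission of any intermediate between the cross-signed root and the leaf are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-ins: "Old Root" plays DST Root CA X3, "New Root" plays ISRG Root X1.
type chain struct{ leaf, cross, oldRoot *x509.Certificate }

// mkCert creates a fresh P-256 key, issues tmpl signed by parent (self-signed when
// parent is nil) and returns the parsed certificate together with the new key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// buildChain mirrors the arrangement in the article: the old root's self-signed
// certificate expires in 2021, the cross-sign it issued for the new root runs
// three years past that, and the leaf is signed with the new root's key.
func buildChain() chain {
	t0 := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	oldRoot, oldKey := mkCert(caTemplate("Old Root", 1, t0, t0.AddDate(1, 9, 0)), nil, nil) // expires 2021-10-01
	cross, newKey := mkCert(caTemplate("New Root (cross-signed by Old Root)", 2, t0, t0.AddDate(4, 9, 0)), oldRoot, oldKey)
	leaf, _ := mkCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: t0.AddDate(1, 6, 0), NotAfter: t0.AddDate(2, 3, 0), // 2021-07-01 .. 2022-04-01
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, cross, newKey)
	return chain{leaf: leaf, cross: cross, oldRoot: oldRoot}
}

// verifyChain checks signatures and validity windows along leaf -> cross-sign ->
// anchor. With enforceAnchorExpiry=true it behaves like OpenSSL and Go, which
// apply notAfter to the anchor too; with false it behaves like Android, which
// ignores the validity dates of trust anchors (the point the article makes).
func verifyChain(c chain, now time.Time, enforceAnchorExpiry bool) error {
	if err := c.leaf.CheckSignatureFrom(c.cross); err != nil {
		return fmt.Errorf("leaf signature: %w", err)
	}
	if err := c.cross.CheckSignatureFrom(c.oldRoot); err != nil {
		return fmt.Errorf("cross-sign signature: %w", err)
	}
	for _, cert := range []*x509.Certificate{c.leaf, c.cross} {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return fmt.Errorf("%q outside its validity window at %s", cert.Subject.CommonName, now.Format("2006-01-02"))
		}
	}
	if enforceAnchorExpiry && now.After(c.oldRoot.NotAfter) {
		return fmt.Errorf("trust anchor %q expired on %s", c.oldRoot.Subject.CommonName, c.oldRoot.NotAfter.Format("2006-01-02"))
	}
	return nil
}

// stdlibVerify runs Go's crypto/x509 verifier with the old root as the only
// trust anchor; it rejects the chain once the anchor's notAfter has passed.
func stdlibVerify(c chain, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.oldRoot)
	inters.AddCert(c.cross)
	_, err := c.leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}

func main() {
	c := buildChain()
	for _, now := range []time.Time{time.Date(2021, 8, 1, 0, 0, 0, 0, time.UTC), time.Date(2022, 2, 1, 0, 0, 0, 0, time.UTC)} {
		fmt.Printf("%s  strict: %v | android-style: %v | crypto/x509: %v\n",
			now.Format("2006-01-02"), verifyChain(c, now, true), verifyChain(c, now, false), stdlibVerify(c, now))
	}
}
```

Two things worth noting from running it: the Android-style verifier still rejects an expired leaf or an expired cross-sign, so "ignoring anchor expiry" only relaxes the check on the certificate that was already in the device's trust store; and the strict verifiers accept exactly the same chain before the anchor's `notAfter`, which is why the breakage on old devices only begins on the expiry date rather than at the time the cross-sign is issued.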

Soon Let's Encrypt will start providing subscribers both the ISRG Root X1 and DST Root CA X3 certs, which it says will ensure "uninterrupted service to all users and avoiding the potential breakage we have been concerned about."

Full Disclosure: SoylentNews uses Let's Encrypt certificates.

Previously:
Let's Encrypt Will Stop Working for Older Android Devices
On the Way to Universal Recognition of Let's Encrypt Root Certificate
Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates


Related Stories

Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates

Arthur T Knackerbracket has found the following story:

Let’s Encrypt said it will give users of its Transport Layer Security (TLS) certificates more time to replace 1 million certificates that are still active and potentially affected by a Certificate Authority Authorization (CAA) bug before it revokes them.

The popular free certificate authority had given users until Wednesday, March 4, 9:00 p.m. EST to replace 3 million certificates because the bug in its Boulder software, discovered and patched this past Sunday, impacted the way its software checked domain ownership before issuing certificates. However, users grumbled that this was not enough time to correct the problem.

Users and major integrators of Let’s Encrypt managed to replace more than 1.7 million of the affected certificates by the original deadline; however, more than 1 million were left that would have been revoked, causing the company to rethink its plan, a Let’s Encrypt spokeswoman told Threatpost late Wednesday.

“Rather than potentially break so many sites and cause concern for their visitors, we have determined that it is in the best interest of the health of the Internet for us to not revoke those certificates by the deadline,” Josh Aas, executive director for Let’s Encrypt, said in a blog post updating users of the situation Wednesday.

The company’s plan now is to revoke 1,706,505 certificates that the company is confident were already replaced as well as “445 certificates that we treated as highest priority for revocation because, at the time we found the bug, they had CAA records that forbid issuance by Let’s Encrypt,” Aas wrote in the post.

“We plan to revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users,” he wrote.
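The story above turns on what a CAA record "forbidding issuance" means in practice. The following is an added example, not Boulder's code and not a reconstruction of the bug the story reports: a CAA evaluator written to the RFC 8659 rules (walk from the requested name towards the root to find the closest CAA RRset; `issuewild` governs wildcard names when present, otherwise `issue`; a value of `;` names no issuer and so forbids everyone; an RRset with no applicable property places no restriction). The zone contents, domain names and CA identifiers are constructed for illustration, and the `lookup` callback stands in for a real DNS resolver.

```go
package main

import (
	"fmt"
	"strings"
)

// caaRecord is the tag and value of one CAA resource record; the flags octet is
// omitted because this example does not model critical unknown tags.
type caaRecord struct{ Tag, Value string }

// Constructed zone data standing in for DNS answers (names without trailing dot).
var sampleZone = map[string][]caaRecord{
	"example.test":        {{"issue", "letsencrypt.org"}, {"issuewild", ";"}},
	"shop.example.test":   {{"issue", "other-ca.example; accounturi=https://other-ca.example/acct/42"}},
	"locked.example.test": {{"issue", ";"}},
	"open.example.test":   {{"iodef", "mailto:security@example.test"}},
}

func lookupSample(name string) []caaRecord { return sampleZone[name] }

// relevantRRset walks from name towards the root and returns the CAA RRset of the
// closest name that has one (RFC 8659 section 3); nil means no CAA anywhere.
func relevantRRset(lookup func(string) []caaRecord, name string) []caaRecord {
	labels := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i := range labels {
		if rrs := lookup(strings.Join(labels[i:], ".")); len(rrs) > 0 {
			return rrs
		}
	}
	return nil
}

// mayIssue decides whether the CA identified by caDomain may issue for name under
// RFC 8659 section 4. Parameters after ";" in a value (e.g. accounturi) are ignored
// here; a real CA would validate them against the requesting account.
func mayIssue(lookup func(string) []caaRecord, name, caDomain string) bool {
	wildcard := strings.HasPrefix(name, "*.")
	rrs := relevantRRset(lookup, strings.TrimPrefix(name, "*."))
	tag := "issue"
	if wildcard {
		for _, rr := range rrs {
			if strings.EqualFold(rr.Tag, "issuewild") {
				tag = "issuewild" // issuewild present: all issue properties are ignored
				break
			}
		}
	}
	restricted := false
	for _, rr := range rrs {
		if !strings.EqualFold(rr.Tag, tag) {
			continue
		}
		restricted = true
		issuer := strings.TrimSpace(strings.SplitN(rr.Value, ";", 2)[0])
		if issuer != "" && strings.EqualFold(issuer, caDomain) {
			return true
		}
	}
	return !restricted // no applicable property in the relevant RRset: unrestricted
}

func main() {
	for _, q := range []struct{ name, ca string }{
		{"www.example.test", "letsencrypt.org"}, {"*.example.test", "letsencrypt.org"},
		{"shop.example.test", "letsencrypt.org"}, {"open.example.test", "letsencrypt.org"},
	} {
		fmt.Printf("%-20s %-16s allowed=%v\n", q.name, q.ca, mayIssue(lookupSample, q.name, q.ca))
	}
}
```

The `open.example.test` case is the one that most often surprises people: an RRset that contains only an `iodef` record still counts as the relevant RRset, but because it carries no `issue` property it restricts nothing.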

Disclaimer: SoylentNews uses Let's Encrypt certificates.

Previously:
HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web


On the Way to Universal Recognition of Let's Encrypt Root Certificate

Let's Encrypt, the non-profit certificate authority that provides X.509 certificates for Transport Layer Security at no charge, has posted an update on the progress towards universal recognition of its root certificate in software and firmware. The cross-signature it purchased expires next September, so there is a hard deadline for finalization. Only a few barriers remain, one of which is the old versions of Android still in use.

Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let's Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant.

What can we do about this? Well, while we'd love to improve the Android update situation, there's not much we can do there. We also can't afford to buy the world a new phone. Can we get another cross-signature? We've explored this option and it seems unlikely. It's a big risk for a CA to cross-sign another CA's certificate, since they become responsible for everything that CA does. That also means the recipient of the cross-signature has to follow all the procedures laid out by the cross-signing CA. It's important for us to be able to stand on our own. Also, the Android update problem doesn't seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.

It's quite a bind. We're committed to everybody on the planet having secure and privacy-respecting communications. And we know that the people most affected by the Android update problem are those we most want to help - people who may not be able to buy a new phone every four years. Unfortunately, we don't expect the Android usage numbers to change much prior to ISRG Root X1's expiration. By raising awareness of this change now, we hope to help our community to find the best path forward.

The Internet Archive has retained a copy of Let's Encrypt's original announcement.

Previously:
(2020) Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
(2020) HTTPS for All: Let's Encrypt Reaches One Billion Certificates Issued [Updated]
(2019) Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web
(2019) Let's Encrypt to Transition to ISRG Root
(2018) Let's Encrypt is Now Officially Trusted by All Major Root Programs


Let’s Encrypt Will Stop Working for Older Android Devices

Let's Encrypt Will Stop Working For Older Android Devices:

Let's Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.

The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let's look at why this has come to pass, and what it means going forward.

When Let's Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let's Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. [...]

The problem looming on the horizon is the expiration of DST Root X3, on September 1, 2021. Of course, for those running up-to-date operating systems and browsers, there's no major issue. But for those on platforms that haven't been updated since 2016 or so, and don't support the ISRG Root X1 certificate, things will break. [...]

Basically it's the same old issue that we see over and over again. Older handsets are not receiving OS updates from the vendors, so security issues are not fixed, certificates expire, and newer algorithms are not implemented. As the article mentions, the vendors have little incentive to spend money supporting older handsets that they have already sold. They would rather you jump right back on the merry-go-round and buy a new one. Lather, rinse and repeat as needed.


  • (Score: 1, Funny) by Anonymous Coward on Thursday December 24 2020, @11:40AM (#1090975) (1 child)

    Wouldn't letting the certs expire be actually a better solution? Hear me out on this one:
    If the certs that are expiring are indeed good ones, then letting them expire and forcing the error on the user would be a constant reminder to the user that the cert is actually *good*. This would mean that the certificates and trust chain have not been tampered with since the last time you were told "it's 'trustworthy'". Sure, it's a bit more 'in-your-face' compared to that little meaningless lock icon in your address bar but whaddayagonnado?

    But no... we can't have those monkeys that we trained to be afraid of that scary 'certificate expired' message be taught what that message really means and that sometimes it's ok to click through (after inspection).

  • (Score: -1, Flamebait) by Anonymous Coward on Thursday December 24 2020, @07:01PM (#1091051)

    let us set our certs to expire when we want. stop ruining your otherwise wonderful service with your authoritarian douchebaggery..
