Apocalypse deferred: These Android devices will no longer go offline next fall
Exhale deep and relax, everyone. Your older Android devices, as well as some of your smart TV sets, set-top boxes and other internet-connected appliances will (probably) continue to work properly after September 2021.
That's because Let's Encrypt, one of the largest distributors of the digital certificates used to secure internet communications, has come up with a partial workaround to a looming problem that threatens to kick tens of millions of devices offline permanently.
Ironically, this is possible because Android is just as sloppy about enforcing digital certificate expiration dates as it is about enforcing device updates. Without this workaround, Android devices made prior to 2015 or thereabouts would not be able to connect to secure websites and servers.
So on Chrome on Android, you'd be able to see only websites that hadn't switched over to HTTPS secure connections. Apps wouldn't update. (Firefox on Android would still work.)
We had a taste of this in May 2020, when Roku devices and payment-processing systems Stripe and Speedify suddenly had trouble connecting due to an expiring root certificate (not a Let's Encrypt one). Those devices eventually got back online with firmware updates.
The Let's Encrypt problem is bigger. Its earliest digital certificates are due to expire Sept. 29, 2021. Devices that have not replaced those certificates in the past few years will have trouble getting online.
That includes any Android phone that has not updated to 7.1.1 Nougat (issued December 2016) or earlier, which is estimated to be about one-third of all Android devices currently in use.
Still, Let's Encrypt said in a blog post Monday (Dec. 21) that it had pushed back the problem to early 2024, at least regarding Android devices.
This solution might not work for non-Android devices, however. Non-Android smart TVs made before 2017 might not be able to stream Netflix; smart-home devices of that vintage might not be able to connect to manufacturers' servers. We're a little worried about our 2013 Samsung smart TV.
If that's all you need to know, stop here, because we're about to get a bit technical.
So what the heck is a root certificate?
To put it as simply as possible, secure communications on the internet depend on a "web of trust."
Your browser knows you're connecting to TomsGuide.com and not CrazyIvan.ru because the Tom's Guide server shows your browser a form of ID, a certificate verifying that it is indeed Tom's Guide. That certificate was issued by a certificate authority, which you can think of as an internet DMV.
The certificate authority proved to Tom's Guide that it was legitimate and authorized to hand out certificates by showing yet another certificate issued by yet another authority.
And that authority lets other certificate issuers know that the certificates it issues are good, and vice versa, so that holders and issuers of their certificates know they can all trust each other. (Think of how American states accept each other's IDs so that you can get into a bar in Albuquerque with an Alaska driver's license.)
This transference of trust goes a few more steps up the chain until you reach a root certificate, where the buck stops. Issuers of root certificates, which underpin the entire system, are implicitly trusted and do not need to be backed up by another authority.
Vouching for the new kid on the block
Let's Encrypt is one of the most widely used certificate authorities, and like most certificate authorities, it issues both "intermediate" certificates that have to be vouched for by another authority, and root certificates that stand on their own merits.
But it's also one of the newest certificate authorities, issuing its first root certificate, ISRG Root X1, only in 2015. So how did it get people to trust that root certificate?
Let's Encrypt "borrowed" the authority of another root certificate authority, IdenTrust, in a "cross-signing" agreement. IdenTrust's root certificate, DST Root CA X3, has been vouching for Let's Encrypt's ISRG Root X1 and associated intermediate certificates ever since.
Let's Encrypt has issued newer certificates since 2015, both intermediate and root, and those certificates have no immediate issues. But it takes years for each new certificate to be optimally distributed and accepted, and some older devices will never get them.
Tick, tock
The IdenTrust DST Root CA X3 root certificate is itself due to expire in September 2021. For devices that still use the older Let's Encrypt certificates, the entire web of trust will collapse.
This, of course, would not be ideal. At first, Let's Encrypt was kind of resigned to the situation, throwing up its hands and stating that it couldn't do anything about people using Android phones long past their shelf life.
But now Let's Encrypt has come up with a solution, which is kind of baffling to us but is supposed to work. It's extended the cross-signing agreement with IdenTrust until early 2024, which should also extend the life of the oldest Let's Encrypt certificates.
The baffling bit is that the IdenTrust root certificate at the heart of all this will still expire in September 2021. So in theory, it should no longer work.
If it's good enough for Android...
But, explains the Let's Encrypt blog post, "this solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors."
In other words, it turns out Android doesn't really care when a root certificate expires. All it cares about is that the root certificate is valid. So as long as the original IdenTrust root certificate backs up the Let's Encrypt certificates, all will be good for older Android devices until early 2024.
"We will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about," Let's Encrypt says.
Okay. We'll just have to trust Let's Encrypt on this one, and we're having a hard enough time understanding how this all works anyway.
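To make the behavior above concrete, here is an added example (not from the article or from Let's Encrypt) that models chain validation with and without expiry checks on the trust anchor. It is a simplified model: it compares names and dates only and verifies no signatures, the dates are constructed stand-ins for "September 2021" and "early 2024", and `example.test` is a hypothetical site.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed sample data. Names come from the article; the dates only stand in
# for "September 2021" and "early 2024" and are not the real expiry values.
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 3, 1))
LEAF = Cert("example.test", "ISRG Root X1", date(2025, 1, 1))  # hypothetical site

def validate(chain, trust_store, today, enforce_anchor_expiry):
    """chain is what the server sends, leaf first. Returns (ok, reason)."""
    anchors = {c.subject: c for c in trust_store}
    for i, cert in enumerate(chain):
        if i > 0 and chain[i - 1].issuer != cert.subject:
            return False, "broken chain"
        if cert.not_after < today:          # certs in the chain are always date-checked
            return False, f"{cert.subject} expired"
        anchor = anchors.get(cert.issuer)
        if anchor is not None:              # reached something the device already trusts
            if enforce_anchor_expiry and anchor.not_after < today:
                return False, f"trust anchor {anchor.subject} expired"
            return True, f"anchored at {anchor.subject}"
    return False, "no trust anchor found"

def scenarios():
    served = [LEAF, ISRG_CROSS]   # chain that leads up to DST Root CA X3
    old, new = [DST_ROOT], [DST_ROOT, ISRG_SELF]
    return {
        "old Android, 2022": validate(served, old, date(2022, 1, 1), False),
        "strict old device, 2022": validate(served, old, date(2022, 1, 1), True),
        "old Android, mid-2024": validate(served, old, date(2024, 6, 1), False),
        "updated device, mid-2024": validate(served, new, date(2024, 6, 1), True),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The cross-signed ISRG Root X1 is an ordinary certificate in the chain on an old device, so its own expiry is enforced even when the anchor's is not, which is why the reprieve ends when the cross-signature does.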
The takeaway
Just glean three things from all this: One, if in 2024 you're still using a pre-2015 Android device, for God's sake get a new one.
Two, your smart-home devices may not be out of the woods if they're older than 2017 and they're not running Android. Other forms of Linux might be more stringent about enforcing certificate expirations, in which case it's game over.
Three, there are plenty of other root certificates due to expire in the coming few years, and so this overall problem will be with us for some time.
Source: https://www.tomsguide.com/news/android-cert-mess-averted
Posted by: calderaedwasind.blogspot.com
