
Android 7.0 phones may have SSL Certificate issues starting January 2021


ssfc72:
Many websites will stop working on older Android versions in 2021
Let's Encrypt will stop signing new SSL certificates with DST Root X1

The Firefox browser uses its own SSL Cert., so it should continue to work.

https://www.androidpolice.com/2020/11/07/many-websites-will-stop-working-on-older-android-versions-in-2021/

ssfc72:
So my ZTE Axon 7 mini is only running Android 6 and my older Moto G is also running Android 6.
I may be forced to start using my wife's LG G7 One phone, as my main cell phone.

Jason:
Thanks for this info, Bill. Why not just Firefox Mobile on the older devices, not that using unsupported Android OSes doesn't have its own problems?

My wife and I have Huawei tablets which are stuck on 7.x, too. We rarely peruse websites on them, though. For news, I use the apps for the various news websites I would otherwise access directly or I use Google News. I prefer my Brave Browser on all platforms but if I have to use Firefox Mobile, it's not a huge deal for me.

ssfc72:
The article did mention that the cell phone's built-in applications may connect with the internet and that these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.

Jason:

--- Quote from: ssfc72 on November 08, 2020, 11:46:41 pm ---The article did mention that the cell phone's built-in applications may connect with the internet and that these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.

--- End quote ---

That seems a bit unclear to me. The article at Let's Encrypt says this:


--- Quote ---If you’re on an older version of Android, we recommend you install Firefox Mobile, which supports Android 5.0 and above as of the time of writing.

Why does installing Firefox help? For an Android phone’s built-in browser, the list of trusted root certificates comes from the operating system - which is out of date on these older phones. However, Firefox is currently unique among browsers - it ships with its own list of trusted root certificates. So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.
--- End quote ---

That seems to be suggesting that solution will work. My understanding is that apps don't use these certificates to communicate with the internet, just browsers do. So the browser that comes automatically with the OS won't work, but install Firefox and it will. It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.

The other point is that this problem only affects those websites using Let's Encrypt, which your article says 30% of websites use, so the majority don't use it.

I think it also means that the websites will still be accessible, but you will probably get a warning that the site isn't secure and may have to tap past it. Remember what SSL is for: it's to encrypt your communications with the webserver. You can still access websites that don't have it. But you won't have that protection, so you don't want to use it for banking or passwords for services that may have private information or could be taken over (your password will be sent in the clear), which is why you'll get the warning.

Banking institutions and other financial organizations likely don't use Let's Encrypt as a certificate authority. It's free, so its use is mainly for those that can't afford a certificate from other CAs, like with this website. Either way, simply using Firefox should solve 90% of the problems. It'd be just those apps that use the browser library built into Android. And I think (but I'm not sure) that apps can choose to use another web browser for this.

In any case, we'll know by next September. :)
