• Welcome to Peterborough Linux User Group (Canada) Forum.
 

Android 7.0 phones may have SSL Certificate issues starting January 2021

Started by ssfc72, November 08, 2020, 07:56:20 AM


ssfc72

Many websites will stop working on older Android versions in 2021
Let's Encrypt will stop signing new SSL certificates with DST Root X1

The Firefox browser uses its own SSL Cert., so it should continue to work.

https://www.androidpolice.com/2020/11/07/many-websites-will-stop-working-on-older-android-versions-in-2021/
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

ssfc72

So my ZTE Axon 7 mini is only running Android 6 and my older Moto G is also running Android 6.
I may be forced to start using my wife's LG G7 One phone, as my main cell phone.

Jason

Thanks for this info, Bill. Why not just Firefox Mobile on the older devices, not that using unsupported Android OSes doesn't have its own problems?

My wife and I have Huawei tablets which are stuck on 7.x, too. We rarely peruse websites on them, though. For news, I use the apps for the various news websites I would otherwise access directly or I use Google News. I prefer my Brave Browser on all platforms but if I have to use Firefox Mobile, it's not a huge deal for me.
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

ssfc72

The article did mention something about the cell phone's built-in applications that may connect with the internet; these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.

Jason

Quote from: ssfc72 on November 08, 2020, 11:46:41 PM
The article did mention something about the cell phone's built-in applications that may connect with the internet; these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.

That seems a bit unclear to me. The article at Let's Encrypt says this:

Quote: If you're on an older version of Android, we recommend you install Firefox Mobile, which supports Android 5.0 and above as of the time of writing.

Why does installing Firefox help? For an Android phone's built-in browser, the list of trusted root certificates comes from the operating system - which is out of date on these older phones. However, Firefox is currently unique among browsers - it ships with its own list of trusted root certificates. So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.

That seems to be suggesting that solution will work. My understanding is that apps don't use these certificates to communicate with the internet, just browsers do. So the browser that comes automatically with the OS won't work, but install Firefox and it will. It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.

The other point is that this problem only affects those websites using Let's Encrypt, which your article says 30% of websites use, so the majority don't use it.

I think it also means that the websites will still be accessible but you will probably get a warning that the site isn't secure and may have to tap past it. Remember what SSL is for: it's to encrypt your communications with the webserver. You can still access websites that don't have it. But you won't have that protection, so you don't want to use it for banking or passwords for services that may have private information or could be taken over (your password will be sent in the clear), which is why you'll get the warning.

Banking institutions and other financial organizations likely don't use Let's Encrypt as a certificate authority. It's free, so its use is mainly for those that can't afford a certificate from other CAs, like with this website. Either way, simply using Firefox should solve 90% of the problems. It'd be just those apps that use the browser library built into Android. And I think (but I'm not sure) that apps can choose to use another web browser for this.

In any case, we'll know by next September. :)

ssfc72

From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."


Jason

Quote from: ssfc72 on November 11, 2020, 03:15:24 AM
From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."

I know what the article said. I acknowledged that possibility when I said:

Quote: It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.

From what I understand CA digital signatures (certificates) are used for the web. So I thought originally that it would only affect web applications but I read that it can also affect email. So I'll fix the quote above.

Note that Android developers don't typically create apps entirely from scratch; they use Android libraries to do specified tasks and then build interfaces and extra features on top of that. So any apps that use these libraries with the old certificates will be affected.

You can fix the issue with direct web browsing by just using Firefox. But if an app uses the Android library associated with web browsing then the app that uses it will generate a warning. Same with email.

A workaround for this is that when the warning pops up, you just go ahead and use the app anyway. It'd be like when you visit a website that doesn't have an SSL certificate. You can still skip past it. If you're just reading a website or don't care about someone spying on your password, it won't matter. But if you're using an email app, probably not a good idea.

Google may not want its own apps to stop working (e.g. GMail and Chrome), so they may add the newer certificates, but who knows? Webservers may be able to get SSL certificates that allow for the older protocol.

Jason

In conclusion, I'm not saying that some apps might not work or lose some functionality. I'm saying that this is probably limited to the few apps that use the web or email. And even then you can skip past the warning, assuming the developer thought of this contingency. I doubt the apps would break entirely but we'll see.

Jason

Oh sheesh, I just found this website. You can import the new certificate if your Android version is <7.0 unless the app developer chooses to not allow user certificates. The webpage tells you how to do it.


Update: I made a typo in a sentence above that changes the meaning of the sentence. I've corrected it by adding the bolded word above.

ssfc72

Good to know! Thanks Jason.

Jason

Quote from: ssfc72 on November 12, 2020, 01:12:22 AM
Good to know! Thanks Jason.

No problem! I have a device that still uses Android 5 so I'll probably give it a shot although I guess we don't know if the fix works until next September.