Peterborough Linux User Group (Canada) Forum

Linux & Android => Security and Privacy => Topic started by: ssfc72 on November 08, 2020, 07:56:20 AM

Title: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: ssfc72 on November 08, 2020, 07:56:20 AM
Many websites will stop working on older Android versions in 2021
Let's Encrypt will stop signing new SSL certificates with DST Root X1

The Firefox browser uses its own SSL Cert., so it should continue to work.

https://www.androidpolice.com/2020/11/07/many-websites-will-stop-working-on-older-android-versions-in-2021/
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: ssfc72 on November 08, 2020, 11:49:09 AM
So my ZTE Axon 7 mini is only running Android 6 and my older Moto G is also running Android 6.
I may be forced to start using my wife's LG G7 One phone, as my main cell phone.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 08, 2020, 07:21:31 PM
Thanks for this info, Bill. Why not just Firefox Mobile on the older devices, not that using unsupported Android OSes doesn't have its own problems?

My wife and I have Huawei tablets which are stuck on 7.x, too. We rarely peruse websites on them, though. For news, I use the apps for the various news websites I would otherwise access directly or I use Google News. I prefer my Brave Browser on all platforms but if I have to use Firefox Mobile, it's not a huge deal for me.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: ssfc72 on November 08, 2020, 11:46:41 PM
The article did mention something about the cell phone's built-in applications may connect with the internet and these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 09, 2020, 04:01:17 PM
Quote from: ssfc72 on November 08, 2020, 11:46:41 PM
The article did mention something about the cell phone's built-in applications may connect with the internet and these apps may also stop working, due to the Let's Encrypt security certificate no longer being supported.

That seems a bit unclear to me. The article at Let's Encrypt says this:

Quote:
If you're on an older version of Android, we recommend you install Firefox Mobile, which supports Android 5.0 and above as of the time of writing.

Why does installing Firefox help? For an Android phone's built-in browser, the list of trusted root certificates comes from the operating system - which is out of date on these older phones. However, Firefox is currently unique among browsers - it ships with its own list of trusted root certificates. So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.

That seems to be suggesting that solution will work. My understanding is that apps don't use these certificates to communicate with the internet, just browsers do. So the browser that comes automatically with the OS won't work, but install Firefox and it will. It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.

The other point is that this problem only affects those websites using Let's Encrypt, which your article says 30% of websites use, so the majority don't use it.

I think it also means that the websites will still be accessible but you will probably get a warning that the site isn't secure and may have to tap past it. Remember what SSL is for, it's to encrypt your communications with the webserver. You can still access websites that don't have it. But you won't have that protection so you don't want to use it for banking or passwords for services that may have private information or could be taken over (your password will be sent in the clear) which is why you'll get the warning.

Banking institutions and other financial organizations likely don't use Let's Encrypt as a certificate authority. It's free so its use is mainly for those that can't afford a certificate from other CAs, like with this website. Either way, simply using Firefox should solve 90% of the problems. It'd be just those apps that use the browser library built into Android. And I think (but I'm not sure) that apps can choose to use another web browser for this.

In any case, we'll know by next September. :)
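
An added example, not part of the thread or of the Let's Encrypt article: the trust-store point quoted in the post above, reproduced with throwaway CAs so that the same site certificate is rejected by one root list and accepted by another. The names `old-root`, `new-root`, `site.example` and the two store files are constructed stand-ins, and the script assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway CAs stand in for the roots discussed in the thread.
# "old-root" = the only root an outdated OS store knows; "new-root" = the root
# that only an updated store (e.g. a browser's bundled list) contains.
set -eu

build_pki() {  # build_pki <dir>: two roots, plus a site cert issued by new-root
  local d="$1" ca
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF
  for ca in old-root new-root; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
      -subj "/CN=$ca" -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=site.example" -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null
  openssl x509 -req -in "$d/site.csr" -CA "$d/new-root.pem" -CAkey "$d/new-root.key" \
    -CAcreateserial -days 30 -out "$d/site.pem" 2>/dev/null
  # Each "device" is nothing more than a different list of trusted roots.
  cp "$d/old-root.pem" "$d/outdated-os-store.pem"
  cat "$d/old-root.pem" "$d/new-root.pem" > "$d/bundled-browser-store.pem"
}

# chain_ok <store.pem> <cert.pem>: exit 0 only if cert chains to a root in store
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d)
  build_pki "$d"
  for store in outdated-os-store bundled-browser-store; do
    if chain_ok "$d/$store.pem" "$d/site.pem"; then echo "$store: trusted"
    else echo "$store: NOT trusted (unknown issuer)"; fi
  done
  rm -rf "$d"
}

demo
```

The certificate and the server are identical in both checks; only the list of roots the client carries differs, which is why a browser that bundles its own list validates a site that the OS-level store rejects.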
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: ssfc72 on November 11, 2020, 03:15:24 AM
From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."

Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 11, 2020, 10:58:51 AM
Quote from: ssfc72 on November 11, 2020, 03:15:24 AM
From the Android Police article.

"The only workaround for legacy Android devices is to install the Firefox browser, which uses its own certificate store that includes the ISRG root. However, this doesn't prevent applications and other functions outside the browser from breaking."

I know what the article said. I acknowledged that possibility when I said:

Quote:
It shouldn't affect any other apps except if an app uses a built-in web browser that will rely on the OS.

From what I understand CA digital signatures (certificates) are used for the web. So I thought originally that it would only affect web applications but I read that it can also affect email. So I'll fix the quote above.

Note that Android developers don't typically create apps entirely from scratch, they use Android libraries to do specified tasks and then build interfaces and extra features on top of that. So any apps that use these libraries with the old certificates will be affected.

You can fix the issue with direct web browsing by just using Firefox. But if an app uses the Android library associated with web browsing then the app that uses it will generate a warning. Same with email.

A workaround for this is that when the warning pops up, you just go ahead and use the app anyway. It'd be like when you visit a website that doesn't have an SSL certificate. You can still skip past it. If you're just reading a website or don't care about someone spying on your password, it won't matter. But if you're using an email app, probably not a good idea.

Google may not want its own apps to stop working (e.g. GMail and Chrome) so they may add the newer certificates but who knows? Webservers may be able to get SSL certificates that allow for the older protocol.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 11, 2020, 11:01:05 AM
In conclusion, I'm not saying that some apps might not work or lose some functionality. I'm saying that this is probably limited to the few apps that use the web or email. And even then you can skip past the warning, assuming the developer thought of this contingency. I doubt the apps would break entirely but we'll see.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 11, 2020, 11:05:58 AM
Oh sheesh, I just found this website (https://www.stoutner.com/lets-encrypt-isrg-root-x1-and-privacy-browser/). You can import the new certificate if your Android version is <7.0 unless the app developer chooses to not allow user certificates. The webpage tells you how to do it.


Update: I made a typo in a sentence above that changes the meaning of the sentence. I've corrected it by adding the bolded word above.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: ssfc72 on November 12, 2020, 01:12:22 AM
Good to know! Thanks Jason.
Title: Re: Android 7.0 phones may have SSL Certificate issues starting January 2021
Post by: Jason on November 13, 2020, 01:55:26 AM
Quote from: ssfc72 on November 12, 2020, 01:12:22 AM
Good to know! Thanks Jason.

No problem! I have a device that still uses Android 5 so I'll probably give it a shot although I guess we don't know if the fix works until next September.