Shorting the chain of trust

I just read the post about the decision of Let's Encrypt to drop backward compatibility with older Android systems: Shortening the Let's Encrypt Chain of Trust - Let's Encrypt

What happens is you start getting certificate errors when surfing pages in Google Chrome, the most used browser in the universe (whether that's good or bad is another story . . .).

Sometimes the web page will load a vanilla http version if you manage to click through all the security warning messages. Sometimes, you won't be able to view the page at all!

But the bottom line is it's a huge inconvenience and I'm sorry to see the only solution suggested by Let's Encrypt is to use Firefox.

That's not a viable solution for most users, nor for those locked into the Google Chrome ecosystem.

Hello @Letsenc_pack, welcome to the Let's Encrypt community. :slightly_smiling_face:

Upgrade to the latest version and upgrade to the latest underlying Operating System;
so do not use old versions of Android nor Chrome.

2 Likes

Easy to say Bruce, but this Google Nexus 7 tablet, and many Android systems don't have the ability to upgrade to the latest whiz-bang-gee-whiz Android. :confused:

Thanks for the welcome though. :smiling_face:

1 Like

Yeah, Android (Google and Android suppliers) leave the users with little choice aside from buying new hardware again. :frowning:

3 Likes

Just an aside, accepting an invalid certificate does not mean your communication is unencrypted or falling back to http, it means it's not trusted (because the presented certificate failed to validate). If the browser still says https your communication (with someone) is still encrypted.

Regarding your point, your operating system is now unfortunately obsolete, which is certainly a shame - Android neglected to make their trust store easily updateable in older versions. If you control the website in question you can change to a different CA, or you may technically still be able to add a CA certificate to the OS trust store with the right tools. You could investigate updating your operating system via something like https://lineageos.org/ but that may be unlikely for an 11-year-old tablet.

4 Likes

Here is an ACME CA Comparison

3 Likes

I’m sorry for the inconvenience. We do not make this decision lightly, but as a small nonprofit, we can only do so much. Maintaining a cross-sign from another CA is quite a lot of work and expense, and ultimately it only benefits a relatively small number of users on outdated devices not updated by their manufacturer.

It is possible to install our root CA into your device, but we don’t provide instructions because that’s outside the scope of what we as a CA are going to help with.

We suggest installing Firefox because we think it is a likely workaround for many users, and installing applications is usually easy.

7 Likes

While I can understand it's sometimes rather difficult to upgrade some (expensive) devices, you must also understand that those Android 7 devices are probably filled with exploitable vulnerabilities. Therefore it's NOT recommended to keep using these old devices, or at least these old operating systems.

As @webprofusion already mentioned, you might be able to install an Open Source Android OS like LineageOS. If you go to that linked site and use the filter to uncheck "hide discontinued devices", you'd see 3 different versions of the Nexus 7. You'd need to build it yourself though.

But the bottom line is: one way or another, it's not recommended to keep using these ancient Android versions, for multiple reasons, where for me security would be the main one.

3 Likes

Instead of blaming LetsEncrypt, consider these two bits of information:

1- The core issue is that Google - a multi-billion dollar company that sold these commercial devices - dropped support, stopped releasing updates for their devices, and stopped coordinating updates with the manufacturers they have partnerships with. The easiest and most correct channel to address this issue – and fix the entire ecosystem – would be for Google and their corporate partners to continue maintenance for the customers who paid them money. Google's planned obsolescence to drive hardware sales is not a problem that people should demand independent non-profits to fix. Complain to Google.

2- The workaround that LetsEncrypt utilized is essentially an abuse of a security flaw in Google's software. The alternate chain worked because Android ignores certificate expiration dates on the root certificates. Whoops. Pretty much the entire commercial and non-profit SSL industry changed code and loosened security measures to support legacy users through this security flaw.

6 Likes
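To make the trust decision discussed in this thread concrete, here is an added example (not code from the thread or from Let's Encrypt): a deliberately simplified, name-based model of chain validation. It compares a client that trusts ISRG Root X1 with an old Android client that only trusts the expired DST Root CA X3 cross-signer, against both the old cross-signed chain and the shortened chain. The certificate records and the `validate` function are constructed for illustration; real path validation matches keys and signatures, not subject names.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Constructed records mirroring the public Let's Encrypt hierarchy (illustrative, not real certs).
LEAF = Cert("example.org", "R3", date(2024, 3, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
# Cross-signed copy of ISRG Root X1: same subject, but issued by DST Root CA X3.
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))

LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]  # old default chain, anchored via the cross-sign
SHORT_CHAIN = [LEAF, R3]                # shortened chain, anchored only at ISRG Root X1

MODERN_STORE = {"ISRG Root X1": ISRG_X1_SELF}   # e.g. Firefox, or an updated OS
OLD_ANDROID_STORE = {"DST Root CA X3": DST_X3}  # trust store never updated


def validate(chain, trust_store, today, ignore_root_expiry=False):
    """Walk from the leaf towards a trust anchor; return (ok, reason).

    ignore_root_expiry mimics the old Android behaviour of not checking
    the trust anchor's own expiry date, which the cross-sign relied on.
    """
    for cert in chain:
        if cert.not_after < today:
            return False, f"{cert.subject} expired"
        if cert.issuer in trust_store:  # this cert is signed by a trusted root: anchored
            root = trust_store[cert.issuer]
            if root.not_after < today and not ignore_root_expiry:
                return False, f"trust anchor {root.subject} expired"
            return True, f"anchored at {root.subject}"
    return False, f"issuer {chain[-1].issuer} not in trust store"


def scenarios(today=date(2024, 1, 15)):
    """Outcome of each client/chain combination on a constructed date."""
    return {
        "modern, long chain": validate(LONG_CHAIN, MODERN_STORE, today),
        "modern, short chain": validate(SHORT_CHAIN, MODERN_STORE, today),
        "android7, long chain, strict": validate(LONG_CHAIN, OLD_ANDROID_STORE, today),
        "android7, long chain, lax root expiry": validate(LONG_CHAIN, OLD_ANDROID_STORE, today, True),
        "android7, short chain, lax root expiry": validate(SHORT_CHAIN, OLD_ANDROID_STORE, today, True),
    }
```

The last two scenarios are the point of the thread: the old device only ever validated because it skipped the expiry check on DST Root CA X3, and once the cross-signed copy is gone from the chain, nothing in its store can anchor ISRG Root X1.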

As a final ditch attempt to breathe more life into those old products...
You could setup a proxy with a private, and very long-lived, cert.
And then have all those devices connect to the Internet via that private proxy.
[just make sure that they are all setup to trust the private cert of that proxy]

1 Like

Wouldn't it be just as easy (i.e.: hard) to add ISRG Root X1? Sounds like this proxy idea doesn't really solve anything, but only adds a MitM possibility.

2 Likes

As per @Osiris here is an example guide installing ISRG Root X1 for Android 6: How-to install a root certificate on Android 6.0 devices? – Geolantis.360 Knowledgebase - this process varies by Android version but is generally found under Security.

4 Likes

Maybe...
But Ciphers/Protocols will also become a problem too.
The only way to fix all of them is to use your own proxy.
[which controls the cert/cipher/protocol]

2 Likes

I tried the Lineage upgrade for this Nexus 7 tablet last year. (Can't remember which flavor.) But it was painful with super slow performance, so I reverted back to the original Android OS, which conveniently updated itself to version 6.0.1, where it then stops cold turkey (the updates, that is).

I will explore some of the other options given about updating and/or messing around with the certificate chains when I get enough free nerd time to work through these things.

Thanks for the advice and suggestions.

2 Likes

If you'd run your own proxy then a MitM wouldn't be an issue indeed.

2 Likes