"Standing on Our Own Two Feet" - Let's Encrypt CA + older Android versions

In your blog post "Standing on Our Own Two Feet" it is not mentioned that app developers can also support the new CA by explicitly adding it in their app as a trusted root CA certificate (works for Android 6.0 and 7.0/7.1):

https://developer.android.com/training/articles/security-config#ConfigCustom

Please provide a detailed tutorial on how to make Android apps that support Android 6.x/7.x versions.

And for devices 5.x and older the root CA certificate can be manually added to the user root CA store by importing it. Maybe for this purpose an Android app by Let's Encrypt would be helpful. This app could provide the correct root CA certificate and initiate the import process.

5 Likes
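For reference, this is what the per-app approach linked above looks like in practice: an added example of a network security config (not from the original post or from Let's Encrypt), which Android supports from 7.0 (API 24). It assumes the root certificate has been bundled as `res/raw/isrg_root_x1.pem` (file name chosen here, not given in the thread).

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the post) -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Keep the device's own trust store so everything that works today keeps working -->
            <certificates src="system" />
            <!-- Additionally trust the Let's Encrypt root, bundled in res/raw (assumed file name:
                 res/raw/isrg_root_x1.pem, PEM or DER encoded). Only this app is affected;
                 the device-wide trust store is untouched, so no new risk for other apps. -->
            <certificates src="@raw/isrg_root_x1" />
        </trust-anchors>
    </base-config>
</network-security-config>
```

The config is activated by referencing it from the `<application>` element in `AndroidManifest.xml` with `android:networkSecurityConfig="@xml/network_security_config"`; the app's HTTPS stack then trusts chains ending in the bundled root in addition to the system anchors.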

I don't think this is a reasonable request from a certificate authority that has (I assume) no expertise in mobile development. If someone else were to write these tutorials, I'm sure they would be happy to link to them though.

Also, see this thread.

8 Likes

If you don't have the expertise then you should search for someone who has it - the whole post does not even contain a request for help.

At least they should have contacted Google and asked for ways to deal with this situation.
I am sure Google would have provided a real solution (a manual for app developers and a way to handle this in Chromium/Chrome - and therefore in apps that make use of the system WebView), especially considering that we are talking about millions of people and millions of web sites. Because if people cannot surf to web sites they also cannot view the Google ads embedded into the web page (even if the Google services and ads would still work normally as they don't use Let's Encrypt)...

Just pointing to Firefox (which is not a full solution) shows that nobody at Let's Encrypt has put any real effort into handling this problem. Just to keep in mind: Let's Encrypt has known about this problem for years.

2 Likes

Just to be clear, I don't work for Let's Encrypt. I'm just a client developer, happy user, and occasionally try to lend a hand here on the community forums.

The tone of your posts seems angry at Let's Encrypt. But I think that anger is misplaced. The nature of the publicly trusted CA ecosystem is that root certificates change and expire over time. If some subset of potential client devices can't or won't update their trust store, blame the device or OS maker. Here's a great blog post on the subject.

The Impending Doom of Expiring Root CAs and Legacy Clients

As you said, Let's Encrypt has known about this issue for years and they've been bending over backwards to try and delay the inevitable and get the word out so that developers aren't scrambling at the last minute. But ultimately, there's nothing they can directly do about it. Folks in the Android ecosystem appear to already be working on solutions and workarounds as evidenced by the post I linked previously. Why not contribute instead of demanding things from a company providing a service to you for free who likely can't help even if they wanted to? We're all in this together working towards a more secure internet.

8 Likes

Hi @certrob! Welcome to the forum. We actually had a very similar request over the weekend on Mobile client workarounds for ISRG issue, and discussed some good solutions. I agree we should provide a bit more guidance. I plan to update the blog with an "If you are an app developer" section outlining the general approach to work around the issue. A detailed guide is a little beyond what we can offer in a blog post, but if someone writes up detailed guides for various HTTP libraries and frameworks, I'd be happy to link to them.

9 Likes

That sounds good, but please also make a new blog post, so that the press also notices it. A modified post may easily be overlooked.

The first blog entry has even made it into the non-tech press here in Germany; I am not sure if a second post can get the same audience so that all app developers are aware of this issue.

2 Likes