There are many people who, for various reasons, own an old Android smartphone: from users with minimal needs to seniors who lack the confidence or the ability to learn, yet again, how to use their phone. How many? About 20% if we count all devices with versions prior to 7.1.1, and 15% more if we add Android 8 to the list. In the following graph you can see its evolution over the last twelve months:
Source: StatCounter Global Stats – Android version market share
In some cases, continuing to use an older Android is the result of a lack of desire, interest, or the knowledge needed to update. And yes, it’s true that both Google and the manufacturers have refined this process to make it easier every day, but still, there is a significant niche of users who show no interest in this possibility.
And then, of course, there are those who are stuck on an old Android because their device can’t go any further. Phones and tablets that are already a few years old, that were dropped from the update rounds some time ago and that, as a result, are gradually disconnecting from the evolution of software and other elements. This will be the case, and that’s why I mentioned Android 7.1.1 before, for devices with versions earlier than that one once the year changes.
As you already know, Google has promoted the adoption of secure standards and protocols on the network, and one of the points it has focused on for a long time, and which has long since become standard, is secure connections to the web via HTTPS, backed by SSL certificates: an element that ensures that communications between the user and the web server remain encrypted in transit, preventing an observer (malicious or simply curious) from spying on them.
For the whole system to work, there are some recognized entities, called certificate authorities (CAs), which are the ones that can issue such certificates. This list is not only public, but must be configured in the software responsible for verifying the authenticity of certificates. If the entity that issued a certificate is not on the trusted list, the connection will be identified as insecure, which may even prevent the user from accessing that website or service.
And what does this have to do with older versions of Android? To understand it, you have to keep in mind that certificate authorities are not a constant: none of them has necessarily existed since the internet was created, nor will they necessarily exist until it disappears. They are organizations that are created, modified, disappear, etc., causing changes in the list of certificate authorities. Changes that reach users through updates to the software and operating system of their devices.
Changes in Certificate Authorities
One such change happened five years ago when the nonprofit Let’s Encrypt became a certificate authority. The problem is that when an entity begins to operate as such, it may take months or even years for operating systems and browsers to accept that entity’s root certificate. Therefore, to speed up the process, a new CA will often ask an existing trusted CA for a cross-signature, so that many devices quickly trust it.
This was, of course, the case with Let’s Encrypt, which reached a cross-signing agreement with IdenTrust, an agreement that has been very profitable for Let’s Encrypt but, as always happens in these collaborations, has an expiration date, which is tied to … exactly, as I mentioned before: the moment the new CA has global recognition and is therefore identified by operating systems and browsers as trusted. In 2021 the cross-signing between Let’s Encrypt and IdenTrust will end.
Does Let’s Encrypt identify an old Android?
This is the million dollar question. Chromium-based browsers (i.e. the vast majority) do not manage certificates independently (something that was more common in earlier times); instead they entrust this task to the operating system. Therefore, updates to this list depend, in general, on updates to the operating system. And if the operating system hasn’t been updated in years, as with an old Android, then it won’t have received the relevant updates regarding certificate authorities and, therefore, won’t identify the new ones as trusted.
Android 7.1.1 was the first Android version to have Let’s Encrypt on its CA roster. In other words, it was the first version of the operating system that no longer needed the cross-signing between this entity and IdenTrust to trust its certificates. Conversely, all previous versions of Android depend on that collaboration and, when it ends and the certificates issued by Let’s Encrypt are no longer “vouched for” by IdenTrust, they will no longer be considered secure, with everything that implies.
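To make the cross-signing mechanism and its expiry concrete, here is an added example (not code from the original post or from Let’s Encrypt) that models certificate path building with a simplified, signature-free certificate record. The root and intermediate names, the trust-store contents and the January 2021 expiry date are constructed stand-ins for the Let’s Encrypt and IdenTrust roots the post describes; it shows why a device that trusts only the older root keeps working until the cross-signed intermediate expires, while a device that trusts the new root is unaffected.

```python
from dataclasses import dataclass
from datetime import date

# Simplified certificate model (constructed for this example): no real
# signatures, only the naming and validity relationships a path builder uses.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def build_path(leaf, pool, anchors, today):
    """Return a list of certs from the leaf up to a trusted anchor, or None.

    A subject may appear in `pool` several times with different issuers;
    that is exactly what a cross-signed intermediate looks like, and the
    search tries every alternative before giving up.
    """
    def walk(cert, path):
        if cert.not_after < today:
            return None                      # expired link, this path is dead
        path = path + [cert]
        if cert.issuer in anchors:
            return path                      # reached a root the device trusts
        for candidate in pool:
            if candidate.subject == cert.issuer and candidate not in path:
                found = walk(candidate, path)
                if found:
                    return found
        return None
    return walk(leaf, [])

# Constructed PKI mirroring the post: a new root (LE-Root) trusted only by
# recent devices, an older root (IdenTrust-Root) trusted everywhere, and the
# Let's Encrypt intermediate issued twice: once by its own root and once
# cross-signed by the older root, with the cross-sign expiring in January 2021.
CROSS_SIGN_END = date(2021, 1, 11)           # constructed date, per the post: "next January"
INTERMEDIATE_SELF = Cert("LE-Intermediate", "LE-Root", date(2025, 9, 30))
INTERMEDIATE_CROSS = Cert("LE-Intermediate", "IdenTrust-Root", CROSS_SIGN_END)
LEAF = Cert("example.org", "LE-Intermediate", date(2021, 6, 1))
POOL = [INTERMEDIATE_SELF, INTERMEDIATE_CROSS]

OLD_ANDROID = {"IdenTrust-Root"}             # trust store before Android 7.1.1
NEW_ANDROID = {"IdenTrust-Root", "LE-Root"}  # Android 7.1.1 and later

def trusted_by(anchors, today):
    """Name of the root the chain terminates at, or None if the leaf is untrusted."""
    path = build_path(LEAF, POOL, anchors, today)
    return path[-1].issuer if path else None
```

Before the cross-sign expires, the old trust store still reaches IdenTrust-Root through the cross-signed intermediate; afterwards only devices that ship LE-Root can build a valid path.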
The problem is that we are not talking about a few websites and certificates: as we read in Little Short Bulletins, about 30% of secure connections point to services certified by Let’s Encrypt, so nearly a third of the secure Web relies on its certificates. Certificates that will no longer be valid for devices with an old Android from next January, when the organization will end the cross-signature, as we can read on its blog.
From that point on, any old Android smartphone with a system prior to 7.1.1 will stop recognizing all those certificates as trustworthy and, therefore, access problems will occur, ranging from a simple warning that the connection is not secure to the inability to access those pages and services. A limitation that in many cases will be insurmountable, and that will undoubtedly act as a stimulus to update the operating system where possible, and the device when there is no other option.
However, there is an alternative. As mentioned above, Chromium-based browsers delegate certificate management to the operating system, but as you already know, Firefox is not based on Chromium. And yes, indeed, it keeps something inherited from its ancestor Netscape: its own certificate management. Therefore, users who can download and install Firefox on their old Android will be able to access these websites and services, as the browser itself recognizes Let’s Encrypt as a trusted CA.
Even so, given the degree of integration of browsers with operating systems, it is possible that errors will start to occur, especially in apps that embed elements of the Android browser, as they will continue to use the OS certificate list, and in those cases the situation will be much more complicated. Something that, added to the time these versions of Android have gone without receiving security updates, makes updating more advisable than ever.