Question on SN-792 LetsEncrypt's new root certificate and old Androids


Dror Harari

Member
Sep 26, 2020
Does anyone know why a user can't manually add LetsEncrypt's new "ISRG Root X1" root CA certificate?

Otherwise, can't Google use one of its system apps that are still maintained to install that certificate on old Android devices?

Otherwise, given that old (<= v7.1) Android devices have not been patched for years and have an endless selection of rooting options, couldn't the same be done by a third party? Even LetsEncrypt themselves could produce this app and offer it on their site for sideloading (assuming Google does not cooperate), like 0Patch does for Windows.

Since none of those options was discussed by Steve, I am assuming that there's some big problem I am missing. Any ideas?
 
1) Most (if not all) people running these old versions are NOT able to root their devices for one reason or another; I lean toward it being because they are not tech savvy, so the concept of root is something that IT would do, if they have heard of it at all. Those who do know how to root may not have a need to go down the rabbit hole (assuming the device is still supported enough by the rooting community to bother with that effort). I got annoyed with an old phone that I rooted, because I basically had to reinstall the whole OS for every update. Can you imagine Patch Tuesday on Windows if you needed the OS disk to reinstall Windows every month? That's what it felt like using that phone, somehow.

2) I think Android might be designed in a way that an app can't just add certs to the device at all. If they want to support the new cert, they might be able to run their own CA store (like Firefox...). It's also possible that in 7.1 Google added a way to keep the system certs up to date via the Play Store, hence why older versions can't be easily updated.
 
It's never easy to add a root certificate in any device, and for good reason. Users can be "talked through" doing things that are very bad for them by persuasive mal-doers... and if you trust the wrong root certificate, you're completely and utterly toast.
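The two points above (an app shipping its own CA store instead of touching the device's, and the device's trust store being the thing that decides whether a chain is accepted) can be shown with the Go standard library. This is an added example, not code from the original thread or from Let's Encrypt: it builds a hypothetical PKI with an "old root" that an old device already trusts, a "new root" that it does not, and a cross-signature of the new root's key by the old root, then verifies a leaf issued under the new root against three client trust stores. The certificate names, the hostname example.test and all keys are constructed on the fly; no real ISRG or DST certificate is embedded.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a hypothetical hierarchy modelled on the situation in the thread:
// OldRoot is what an old device trusts, NewRoot is what it lacks, Cross is the
// new root's key signed by the old root, Leaf is a server cert issued under NewRoot.
type PKI struct {
	OldRoot, NewRoot, Cross, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate builds a CA certificate template; the subject name is made up.
func caTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// issue signs tmpl with signer (whose public key must match parent) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI generates fresh keys and certificates for the hypothetical hierarchy.
func BuildPKI() PKI {
	oldKey, newRootKey, leafKey := newKey(), newKey(), newKey()
	oldTmpl := caTemplate(1, "Hypothetical Old Root")
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey) // self-signed
	newTmpl := caTemplate(2, "Hypothetical New Root")
	newRoot := issue(newTmpl, newTmpl, &newRootKey.PublicKey, newRootKey) // self-signed
	// Cross-sign: same subject and public key as the new root, but signed by the old root.
	cross := issue(caTemplate(3, "Hypothetical New Root"), oldRoot, &newRootKey.PublicKey, oldKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // constructed hostname
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTmpl, newRoot, &leafKey.PublicKey, newRootKey) // issued under the new root
	return PKI{OldRoot: oldRoot, NewRoot: newRoot, Cross: cross, Leaf: leaf}
}

// Verify plays the client: roots is what the trust store contains (the device's
// store, or an app's own store), sent is what the server includes besides the leaf.
func Verify(p PKI, roots, sent []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range sent {
		interPool.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: rootPool, Intermediates: interPool})
	return err
}

// Scenarios maps each client/server combination to whether the chain validates.
func Scenarios(p PKI) map[string]bool {
	old, nw := []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.NewRoot}
	return map[string]bool{
		"client trusts new root (new device, or app with its own store)": Verify(p, nw, nil) == nil,
		"client trusts only old root, server sends cross-sign":           Verify(p, old, []*x509.Certificate{p.Cross}) == nil,
		"client trusts only old root, no cross-sign sent":                Verify(p, old, nil) == nil,
	}
}

func main() {
	for name, ok := range Scenarios(BuildPKI()) {
		fmt.Printf("%-64s valid=%v\n", name, ok)
	}
}
```

The third scenario is the old-device failure mode: once the cross-signed certificate is no longer sent (or no longer valid), a client whose only trust anchor is the old root cannot build a path to the leaf, and nothing the server does can fix that; only adding the new root to some trust store the client consults (the device's, or the app's own, as the first scenario shows) makes the chain verify.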
 
I would look at this problem another way. The people with these old devices, if they are shopping or banking (shudder) on their devices: those establishments are not using ACME certs from Let's Encrypt. So the world will keep spinning.

Also, these people are not security aware, so when a scammer gets them to a site with such a cert, it won't work. Or rather, they will chase the whatever-it-is-to-continue button around the screen to get to the site.

We don't know the demographic of these people, but like old iPhones stuck on iOS 6, like my 3GS, the Internet isn't a good place to be anyway.....
 
Thanks for your replies @miquelfire, @PHolder and @Lob - I am fully aware of the risk of folks adding root CA certs without fully understanding what they are doing.

The main thing that bothered me is the notion that Google is not able to install a root CA using its Play Store or other system apps that do not require the phone vendor's cooperation.