Envision this: One lovely day, you decide to check something quickly online using your (obviously very ancient) phone, only to discover that almost all websites refuse to connect and display security warnings instead. In 2021, when a so-called root certificate would have expired, this same issue nearly occurred for phones running Android 7 or older. Android’s peculiar way of handling such expired certificates may provide a temporary workaround, but Google is investigating a more permanent one. It’s possible that it will debut in Android 14.
Mishaal Rahman, senior technical editor at Esper.io, discovered in the Android open source code that Google is developing a new core module that would allow root certificates to be updated instantaneously. Root certificates are currently updated as part of complete system upgrades, but these upgrades are infrequently sent to older devices, which leaves those devices at risk of running with out-of-date root certificates.
Instead of being included in the system package, the new certificate module receives updates via Google Play Services. This enables Google to send updates periodically, which in turn keeps devices online and able to reach any website a user wants to visit. It’s very much like how Bluetooth and other parts of Android have been set up for some time.
There is an additional benefit to this new approach. Root certificates rest primarily on trust between sites, and it is this trust that allows secure connections between them to be established. Recently, TrustCor, one of these root certificate authorities, was found to have connections to a spyware vendor serving intelligence agencies. Companies are swiftly abandoning TrustCor even though no problems have been discovered with the company itself. In any case, it would not be desirable for intelligence agencies to have access to all encrypted communications between servers and users. While Android will eventually stop accepting TrustCor’s certificate as a means of authentication in a system-wide security update, it would be ideal if Google could disable it immediately.
Android is especially plagued by the issue of invalid root certificates. When it comes to verifying secure connections, the vast majority of apps and browsers on Android depend on the system-wide root certificates, whereas on Windows and macOS many applications come with their own packaged, updatable root certificates. As a matter of fact, Chrome’s own root store (the term for the location where root certificates are stored) was launched only recently. Firefox is a well-known app that relies on its own root store on Android. This ensures that the browser will always function on older Android phones, even if a system root certificate has expired. Thankfully, the next major root certificate doesn’t expire until 2035, so we won’t have to worry about a repeat of the 2021 Android 7 problem for a while.
Read Mishaal Rahman’s article on Esper for a more in-depth analysis of the situation. He elaborates on root certificates and their uses.