Picture this: you unlock your (admittedly very old) phone one fine day to look something up, only to find that most, if not all, websites refuse to connect and throw up security warnings instead. This very nearly happened to phones running Android 7 or older in 2021, when a widely used root certificate expired. The damage was contained thanks to a quirk in how Android handles expired root certificates (it does not enforce the expiry date of the roots in its own trust store, so certificate chains that still ended at the expired root kept validating), but Google is looking for a more permanent solution, and it may arrive in Android 14.
As Esper.io’s senior technical editor Mishaal Rahman discovered in the Android Open Source Project code, Google is working on a new Mainline module that will allow root certificates to be updated on the fly. Today the system root store changes only with full system updates, which rarely reach older devices, so the phones most likely to end up with an out-of-date root store are exactly the ones with no way to fix it.
Instead of being baked into the system image, the new certificate module can be updated through Google Play like other Mainline modules, without waiting for a full over-the-air update. That lets Google push a changed root store as needed and keep devices connected to the sites you visit. It is the same arrangement many Android components have had for a while, including Bluetooth.
The new approach has a second benefit. A root certificate is a statement of trust: a browser accepts a site’s certificate because it chains up to a root the device already trusts, and any certificate authority in the root store can vouch for any domain. One of those authorities, TrustCor, was recently found to have ties to a company that provides spyware and intelligence services. Although no evidence of wrongdoing by TrustCor itself was found, browser and OS vendors are quickly dropping it rather than wait for something to go wrong. After all, a root in the wrong hands could be used to issue certificates for sites it does not own, letting an intelligence service read traffic that users believe is encrypted between them and the server. Android is removing TrustCor’s certificate through a regular full system security update, but it would be preferable if Google could switch off a root sooner than that.
The problem of outdated root certificates is especially acute on Android. Most apps and browsers there rely on the system root store to verify secure connections, whereas on Windows and macOS many applications ship, and update, a root store of their own. Chrome recently introduced its own root store, the term for the collection of root certificates a program trusts. On Android, Firefox is a prominent example of an app that brings its own root store, which is why it keeps working on older phones even after a system root certificate has expired. Fortunately, the next major root certificate expiry is not due until 2035, so a repeat of the 2021 Android 7 episode is not imminent.
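The 2021 situation described at the top of the article, and the difference between a client that enforces trust-anchor expiry and one that does not, as an added example (my code, not Google’s, Android’s or Esper’s). It builds a throwaway PKI with the Python cryptography package: an expired old root, a new root valid until 2035, and a cross-signed copy of the new root issued by the old one, mirroring the shape of the Let’s Encrypt transition, with all names, keys and dates made up. The chain walker is deliberately simple (signature and validity checks only, no revocation, name constraints or hostname checking) so that the trust-anchor policy is the only variable:

```python
"""Added example, not from the article: expired trust anchors vs. an updated root store.

Constructed PKI, loosely modelled on the 2021 Let's Encrypt transition:
  old root  (expired 2021-09-30), new root (valid until 2035), and a cross-sign
  (the new root's key, certified by the old root, valid until 2024-09-30).
Names, dates and keys are made up. Requires the 'cryptography' package.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc


def _d(y, m, d):
    return dt.datetime(y, m, d, tzinfo=UTC)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def _cert(subject, issuer, pubkey, signer_key, not_before, not_after, is_ca):
    """Build and sign one certificate (ECDSA P-256, SHA-256)."""
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def _validity(cert):
    try:  # cryptography >= 42 exposes tz-aware accessors
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        nb, na = cert.not_valid_before, cert.not_valid_after
        return nb.replace(tzinfo=UTC), na.replace(tzinfo=UTC)


def _within(cert, now):
    nb, na = _validity(cert)
    if now < nb:
        return False, f"{_cn(cert)} not yet valid"
    if now > na:
        return False, f"{_cn(cert)} expired on {na:%Y-%m-%d}"
    return True, ""


def _signer(cert, candidates):
    """Candidate whose name matches cert's issuer and whose key verifies cert's signature."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        try:
            cand.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                     ec.ECDSA(cert.signature_hash_algorithm))
            return cand
        except InvalidSignature:
            pass
    return None


def validate(leaf, intermediates, trust_store, now, enforce_anchor_expiry):
    """Walk from the leaf to a trust anchor; return (ok, reason).

    Each non-anchor certificate must be inside its validity window and signed by the
    next one up. The anchor's own window is checked only when enforce_anchor_expiry is
    True (OpenSSL-style); skipping it is the Android behaviour that kept chains ending
    at the expired old root working in 2021.
    """
    cert = leaf
    for _ in range(6):  # cap the path length
        ok, why = _within(cert, now)
        if not ok:
            return False, why
        anchor = _signer(cert, trust_store)
        if anchor is not None:
            if enforce_anchor_expiry:
                ok, why = _within(anchor, now)
                if not ok:
                    return False, "trust anchor " + why
            return True, f"chain ends at trusted root '{_cn(anchor)}'"
        parent = _signer(cert, intermediates)
        if parent is None:
            return False, f"no issuer found for '{_cn(cert)}'"
        cert = parent
    return False, "path too long"


class DemoPki:
    """Constructed roots and cross-sign; nothing here corresponds to a real CA key."""

    def __init__(self):
        self.old_key = ec.generate_private_key(ec.SECP256R1())
        self.new_key = ec.generate_private_key(ec.SECP256R1())
        old, new = _name("Demo Old Root"), _name("Demo New Root")
        self.old_root = _cert(old, old, self.old_key.public_key(), self.old_key,
                              _d(2000, 9, 30), _d(2021, 9, 30), True)
        self.new_root = _cert(new, new, self.new_key.public_key(), self.new_key,
                              _d(2015, 6, 4), _d(2035, 6, 4), True)
        # Cross-sign: the new root's public key, vouched for by the old root.
        self.cross = _cert(new, old, self.new_key.public_key(), self.old_key,
                           _d(2021, 1, 20), _d(2024, 9, 30), True)

    def issue_leaf(self, now):
        """A 90-day server certificate under the new root, current at 'now'."""
        k = ec.generate_private_key(ec.SECP256R1())
        return _cert(_name("www.example.test"), self.new_root.subject, k.public_key(),
                     self.new_key, now - dt.timedelta(days=1), now + dt.timedelta(days=89), False)


def run_scenarios():
    pki = DemoPki()
    t_2021, t_2025 = _d(2021, 10, 15), _d(2025, 1, 15)  # after old-root expiry; after cross-sign expiry
    leaf_2021, leaf_2025 = pki.issue_leaf(t_2021), pki.issue_leaf(t_2025)
    old_store, updated_store = [pki.old_root], [pki.old_root, pki.new_root]
    return {
        "old_device_strict": validate(leaf_2021, [pki.cross], old_store, t_2021, True),
        "old_device_android_policy": validate(leaf_2021, [pki.cross], old_store, t_2021, False),
        "updated_store_strict": validate(leaf_2021, [pki.cross], updated_store, t_2021, True),
        "old_device_android_policy_2025": validate(leaf_2025, [pki.cross], old_store, t_2025, False),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:32} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it gives four results: a device whose validator checks the anchor’s dates fails as soon as the old root has expired; the same stale store under Android’s policy still succeeds through the cross-sign; a device whose store has received the new root succeeds under either policy; and once the cross-sign itself expires, Android’s leniency no longer helps. That last case is why shipping new roots through an updatable module, rather than relying on the quirk, is the durable fix.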
For a deeper dive into the whole topic, definitely check out Mishaal Rahman’s post on Esper. He goes into depth about what root certificates are and why they matter.