No more Internet connection for smartphones on September 30? Why this is greatly exaggerated

On Thursday, September 30, will Android smartphones that are four or five years old lose their Internet connection? That, at least, is the alarming claim that has spread in recent days from a blog post by UK security researcher Scott Helme to some French and foreign media.

The culprit behind this outage: a digital security certificate with the convoluted name “DST Root CA X3”. A digital security certificate is a kind of computer passport that allows browsers and other applications on our smartphones, when they try to connect to the Internet, to verify that the connection is secure and encrypted, in order to authorize it or block it. This security certificate is not the only one used on smartphones, but it is one of the most popular.

One of the versions of “DST Root CA X3”, provided by the free certification authority Let's Encrypt, will expire at the end of September. However, many old smartphones do not have the recent certificate meant to replace it. That is the fault of the phone makers, who often stop offering security updates after two or three years. Without a valid certificate, these smartphones might not be able to access certain websites, and some applications would have trouble functioning.

An effective workaround

Fortunately, the consequences will be less troublesome than one might fear. Let's Encrypt has found a workaround: at the key moment when the smartphone verifies the encrypted connection, an old certificate is attached to the newer one. As the old one is known to old smartphones, it serves as a sort of “co-signature” for the connection permission.

“This trick works well in most cases,” says Kevin Bocek, vice-president at Venafi, a service company specializing in certificates. Only smartphones over nine years old and equipped with a version of Android prior to Honeycomb (3.0) do not benefit from it: these are the ones that will experience frequent connection problems. But these smartphones represent less than 0.2% of Android mobiles in circulation.

For the latter, a workaround exists: download a recent version of Firefox, a browser that, unusually, “has its own set of security certificates,” according to Nicolas Greneche, computer science research engineer at Paris-13, contacted by Le Monde.

Some exceptions

The fact remains that, despite the bypass strategy put in place by Let's Encrypt, smartphones released between 2012 and 2018 could still encounter some connection problems, though much less frequently. “The fault of the website managers,” points out Kevin Bocek:

“They’re the ones who are supposed to schedule the computers that host their websites to regularly connect to Let's Encrypt in order to retrieve the most recent authentication rules. If they don’t, the Let's Encrypt bypass trick doesn’t work and the connection is blocked.”

It’s unclear how many sites and apps will suffer from overly lax managers and be inaccessible to phones released between 2012 and 2018, but the issues will be “probably quite rare,” says Kevin Bocek. If the expert is worried, it is not for individuals but rather for companies, which still sometimes work on computers of a certain age.

This is because the problem of the expired certificate affects not only smartphones but a whole series of other old devices, including PCs with a version of Windows dating back to 2004 or earlier, such as Windows XP SP2. “This could seriously disrupt some businesses,” he fears. “It is important that the IT departments of these companies deal with the matter quickly.”

