Posted by smartypants | in technology

Coding defects in SSL chain logic make these 2001 "almost immortal" root certs very problematic after Sept 30 2021

https://scotthelme.co.uk/lets-encrypt-old-root-expiration/

https://news.ycombinator.com/item?id=28596317

If you read all the info you will see how this is a huge problem, especially for devices and OS images that have been turned off and dormant for 2 years, or incapable of kernel level OS updates.

Arrrrrrrrgh!!!! Idiocy.

Solution is never mentioned EVER, by any of these low IQ IT writers, but the trick I use is to disable all external clock updates, force time to BEFORE Sept 2021, and then connect to internet and patch or install signed patches... with clock set invalid.

Android 7 ? fucked
Android 6 ? fucked
Android 5 ? fucked
Older iOS? fucked
everything in your house with little WiFi chips? fucked.

10% of Earth's devices are fucked, especially for remote updates.

THESE are all fucked, deep in OS :

  • Windows XP SP2
  • Windows XP SP1
  • Windows XP SP3 if Automatic Root Certificate Update is manually disabled
  • macOS 10.12.0 (2016) and older macOS
  • Mac OSX 10.11.0 (September 30, 2015) and older Mac OSX
  • iOS 9 on iPads
  • iOS 8 or older on iPads
  • iPhone 4 or older. Millions of old Apple Devices used as Wifi browsers and Phones
  • (iPhone 5 and above can upgrade to iOS 10 and can thus trust ISRG Root X)
  • Android 7.1.0 or older for SOME functions.
  • (Android >= 2.3.6 will work by default for some web sites, but SSL is not just for web sites)
  • Mozilla Firefox 49.X or older
  • Ubuntu < xenial (< 16.04 even with updates applied)
  • Debian < jessie "8" (even with updates applied)
  • Java 8 ? if hacked to 8u141 is OK, else Java 8 is fucked
  • Java 7 ? if hacked to 7u151 is OK, else Java 7 is fucked
  • NSS < 3.26 is fucked

This mainly affects poor people and Pajeets and Africans, but a year ago affected Roku and Stripe internet devices, so who knows what spy devices in your house all fail october 1st.

7
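The expiry problem described in the post, and why a device with a stale trust store still validates while its clock is set before the expiry date, as an added example that is not part of the original post. It assumes a client that rejects expired trust anchors; the sample stores and their validity dates are constructed for illustration, and the helper names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

OLD_ROOT = "DST Root CA X3"   # the 2001-era root that expires Sept 30 2021
NEW_ROOT = "ISRG Root X1"     # the newer Let's Encrypt root

def root(cn, not_before, not_after):
    """Build an entry shaped like one item of SSLContext.get_ca_certs()."""
    return {"subject": ((("commonName", cn),),),
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample data; validity dates are illustrative, not read from real certs.
OLD = root(OLD_ROOT, "Sep 30 00:00:00 2000 GMT", "Sep 30 14:00:00 2021 GMT")
NEW = root(NEW_ROOT, "Jun 04 00:00:00 2015 GMT", "Jun 04 00:00:00 2035 GMT")
STALE_STORE = [OLD]          # device that never received the new root
PATCHED_STORE = [OLD, NEW]   # device that got a trust-store update

def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style entry, or None."""
    for rdn in cert["subject"]:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def usable_roots(store, when):
    """Names of roots whose validity window contains `when` (aware datetime)."""
    ts = when.timestamp()
    return {common_name(c) for c in store
            if ssl.cert_time_to_seconds(c["notBefore"]) <= ts
            <= ssl.cert_time_to_seconds(c["notAfter"])}

def assess(store, when):
    """Classify a trust store at a given clock value."""
    roots = usable_roots(store, when)
    if NEW_ROOT in roots:
        return "ok"
    if OLD_ROOT in roots:
        return "old-root-only"   # works now, breaks once the old root expires
    return "no-usable-root"      # chains to these roots fail validation

if __name__ == "__main__":
    # Run against the local system trust store at the current time.
    now = datetime.now(timezone.utc)
    system = ssl.create_default_context().get_ca_certs()
    print("system store:", assess(system, now))
```
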

Comments

dontvisitmyintentions said

So you're saying that old Androids and Kindles can't phone home? Sounds pretty great.

3

Strangeways said

Let me create a reminder to respond to you on Oct 1.

2

TallestSkil said

This will not be the first time a root CA certificate has expired and I imagine it will follow the same trend as previous expirations where things break.

Translation: literally nothing is happening nor will ever happen, since they’re simply going to reissue the certificate with a new date of expiry. Like every other certificate ever.

1

Fisuxcel said

Phew... my backup phone has Android 8

1