Post by Katie Warren on Sept 30, 2021 5:26:43 GMT -5
Someone at another site posted this, so I thought I'd give people here a heads-up about what may happen. We shall find out after tomorrow.
Millions of iPhones, TVs and other devices could go offline next week — here's why [updated]
Expiring security standard may cripple internet access
UPDATED to add Windows-based servers as another class of device that might have connection trouble next week.
Old Macs, iPhones, PlayStation 3 and Nintendo 3DS gaming consoles, an unknown number of smart TVs, set-top boxes and other "smart" devices, and even some PlayStation 4s may lose some internet connectivity next week.
That's because a widely used digital certificate used to verify secure internet connections expires on Sept. 30, and millions of older devices won't be able to update to install newer certificates.
As a result, many activities that require a secure internet connection — from watching Netflix to checking your email to reading regular websites — may not work on older devices.
If this sounds familiar, it's because we got a heads-up back in June 2020 when security researcher and consultant Scott Helme warned of it on his blog. Later in 2020, it was estimated that one-third of all Android phones could be knocked offline.
"You may or may not need to do anything about this," Helme wrote on his blog in an update this week, "but I'm betting a few things will probably break on that day [Sept. 30]."
What you can do to keep your older devices online
Fortunately for those older Android devices, a workaround has been devised to keep them up and running until September 2024 as long as they've got Android 2.3.6 Gingerbread or later. (After 2024, you'll need at least Nougat 7.1.1.)
But that doesn't help Macs running macOS 10.12.0 or earlier, iPhones and iPads running iOS 9 or earlier, PlayStation 4 consoles running firmware versions earlier than 5.00 and old PCs running Windows XP with Service Pack 2 or earlier. All are likely to be affected, according to this list of affected devices posted by the digital certificate authority Let's Encrypt.
If you have one of these devices and can upgrade the OS or firmware, do so this week. For example, any PC running Windows XP SP2 can be upgraded to XP SP3, which will fix the issue. Macs need only upgrade to 10.13 High Sierra, and any iPhone 5 or later can install iOS 10. PS4s are already up to version 9.00, released just a few days ago.
PlayStation 3 consoles may or may not be able to be upgraded. Sony released PS3 firmware update 4.88 for the PS3 in June 2021, nearly 15 years after the console was first made available. We don't know what's in the firmware update — Sony just said it brought "additional features, improved usability and enhanced security" — but it's possible it fixes this certificate issue.
If you can't upgrade your Mac, PC or iPhone, then you can install the Firefox web browser to maintain some level of internet access, although standalone apps may not work. Unlike other browsers, Firefox isn't dependent on the device's OS for its security certificates — it brings its own.
As for smart TVs, smart refrigerators, smart-home hubs, home Wi-Fi routers and so on, it's hard to tell. Odds are that many devices released before 2017 may be affected, especially if they've never received a firmware update.
So if you can, open up or download the instruction manuals that came with your devices and try to upgrade the firmware or operating system.
What the heck is going on here?
This is complicated, but all those billions of secure internet connections that take place worldwide every second depend on what's generally referred to as a "chain of trust."
When a server — say a website — connects with a client like your PC, each presents digital certificates affirming identity. Because of this, your browser knows that it's connecting to Chase Bank and not some hacker farm in Russia.
But how do you know these digital certificates are valid? Well, certificates depend on public-private key cryptography to prove there's no forgery taking place, but that's another issue. What also matters is that a higher authority affirms if that certificate was indeed issued to Chase Bank. And another authority vouches for that authority, and so on.
Eventually, you reach the end of the line and get to what's called a root certificate. These are the backbone of encrypted web connections. Root certificate issuers have no one higher to vouch for them, because they are the ultimate trust authority, and root certificates can be valid for many years.
Will I lose all internet connections?
It's hard to say what this will mean for devices that haven't been upgraded to trust ISRG Root X1. There are a couple of hundred valid root certificates in existence, and most devices and web browsers will support at least a few dozen.
So many older devices may still be able to make at least some web connections if those individual server certificates don't lead back to ISRG Root X1 or DST Root CA X3.
However, ISRG Root X1 also backs version 1.02 of OpenSSL, a widely used (because it's free) software library that establishes secure web connections. OpenSSL version 1.02 was issued in early 2015, and a lot of devices and operating systems released in 2015 and 2016 — such as iOS 9 and macOS 10.12 Sierra — rely on it.
Again, we won't really know what's going to happen until it starts to happen on Sept. 30. But Scott Helme thinks something definitely will.
"I don't know what's floating around out there on the web, and I don't know what depends on those things [each certificate] either," Helme wrote on his blog. "One thing that I do know, though, is that at least something, somewhere is going to break."