#1
Millions of devices will go off-line next week...
"Old Macs, iPhones, PlayStation 3 and Nintendo 3DS gaming consoles, an unknown number of smart TVs, set-top boxes and other "smart" devices, and even some PlayStation 4s may lose some internet connectivity next week.
That's because a widely used digital certificate used to verify secure internet connections expires on Sept. 30, and millions of older devices won't be able to update to install newer certificates."
"...it was estimated that one-third of all Android phones could be knocked offline."
https://www.tomsguide.com/news/inter...onnect-sept-30
Last edited by the86d; 09-24-2021 at 4:10 AM.
#2
That’s a damn shame, have a couple old iPhones on speaker docks
for use as alarm clocks, streaming talk radio, listening to music... Glorified alarm clocks now...
__________________
Quote:
https://www.calguns.net/calgunforum/....php?t=1884858
#3
I.e. their root certificate store will have expired and the vendor could issue an update to address the issue.
Apple has actually been pretty good at doing this, even for dinosaur devices. We shall see if they issue a 9.3.7 iOS patch with the new cert store. iOS 10 and above already have an updated cert. FYI, 9.3.6 was only released 2 years ago, so don’t count it out, yet, if you have an old 4s doing some random task. Apple would trigger a massive landfill addition without issuing a simple patch.
Macs can update their keystores manually, but I’m not sure you have access to SHA-256 on Macs before OSX Lion (10.7). I haven’t checked to see if the CA certs that are expiring will offer compatibility certs signed with SHA-1. Even so, you can compile a new OpenSSL on a Mac, and work around certain issues with the OS keystore.
Last edited by Robotron2k84; 09-24-2021 at 11:00 AM.
#4
Do not count on it...
__________________
God so loved the world He gave His only Son... Believe in Him and have everlasting life. John 3:16 NRA,,, Lifer United Air Epic Fail Video ... https://www.youtube.com/watch?v=u99Q7pNAjvg
#5
I haven't turned on 2 XBOX 360 SLIM models in years...
Updated one just in case for a possible garage sale, before I move to TX. Have to do the other one, just in case, as I have no clue what rev they are on... for the new owners to not return them immediately...
#6
I felt a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced.
__________________
Where the people fear the government you have tyranny. Where the government fears the people you have liberty.
#8
I should probably plug in my xbox360 tomorrow to see if it updates.
#10
Well, what happened?
#11
This whole thing seems dumb to me. Clients don't need certificates and it is even dumber that they would have a certificate shared by millions of other devices. The whole certificate system was set up to validate the identity of web sites. It does nothing to validate the identity of a client device because your client device is not registered individually with the certificate authority. Why should a web site care what certificate is on a device trying to connect to it? There is no security in presenting a shared certificate with millions of other devices.
An expired certificate on a web site is important because they are actually registered with the certificate authorities. That means the certificate authority no longer vouches for the site's authenticity. That does not happen with the consumer devices that are affected by this.
__________________
Block Google Tracking and Ads with a Raspberry Pi Hole
#12
Please go read up on how x.509 certificate chains work.
https://sites.google.com/site/ddmwss...l-certificates
The root certificates validate that the server certificates presented are legitimate. The root certificates are public and reside on the device so they can’t easily be compromised. Without a valid root certificate, the web site certificates can’t be verified.
When the root certificates expire, all certificates that are signed with that root also expire, by default. That’s why new root certificates are required on the devices and all sites that were signed with the expired root have to obtain new signed certificates with a valid root.
The historical assumption that downloading updated root certificates, automatically, was subject to silent redirection and corruption of the trust chain is still a concern, today. That’s why root certificates have 10-20 year expirations and are pushed out only when absolutely necessary.
#13
Quote:
__________________
Block Google Tracking and Ads with a Raspberry Pi Hole
#14
The root certificates are the public keys of the key pair that signed a subordinate certificate. That subordinate may be a server certificate, directly, an intermediate certificate authority or a signing certificate. The reason for the intermediate certificates is that certificate authorities leave the root private key offline and generate subordinate certificates for CA / signing so that it’s harder to acquire the trust’s private keys.
One of those three certificates, above, was used to sign a possible website’s certificate, and the browser validates that all are in good standing in a hierarchical fashion. If one of the certificates fails, all the certificates in the chain become untrusted for that session. Roots are also called trust anchors because they are the origin of the trust chain.
#15
One of my machines partially broke yesterday evening. Took about 10 mins to update the certificate store with a new certificate. This was due to the https://letsencrypt.com guys, they are the ones who act as a certificate authority for a lot of websites out there. The problem was that one of their intermediate certificates was signed with a certificate that just ran out of time:
Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
        Validity
            Not Before: Sep 30 21:12:19 2000 GMT
            Not After : Sep 30 14:01:15 2021 GMT
        Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
    Signature Algorithm: sha1WithRSAEncryption
#16
Specifically, iOS devices can install new certificates by the user, since iOS 10. This issue is the age of the version of the ROM that is still on the older devices, which is EOL.
https://support.apple.com/en-us/HT204477
#17
All I know is that my win 7 desktop using BRAVE browser is having "expired certificate" problems.
Not my old android Nexus 7 or iPhone 7.
Where do I download certificates? Not a computer tech here.
__________________
NRA Life Member, GOA member
#18
Depending on which version of Brave you have, and the version of Chromium it’s based on, the root certificates are in the OS keystore or in the browser itself. Only the most recent betas use the internal store, so likely this is an issue with the certificate store on the PC.
What errors is it throwing? That sites are failing, or that certain certificates in the store are expired, upon loading the certificate store. Your platform will dictate where the logs are located.
Windows: Event monitor or app log
Mac: Console App log viewer or /var/log/syslog or /Library/Logs, $user/Library/Logs. Console combines them all.
Linux: /var/log/messages
Can help you more when the type of error is known.
MS will not likely issue an update for win 7. The certificate you will probably end up needing to install is this: https://letsencrypt.org/certs/isrgrootx1.der, as above, as the biggest user of the expired certificate appears to be “Let’s Encrypt,” but there are probably several others, and that will also need to be tracked down as they occur.
Installation is done through the certmgr.msc plug-in, which can be started from the run dialog. Import that certificate to the “System store,” and that will take care of some, but probably not most, of the issues.
As said, you may continue to get errors, mostly with web sites that use other intermediates or certificates using the old root, where the site admin hasn’t updated their server certificate, yet.
#19
If you need a .pem version of the ISRG Root X1 certificate, here it is:
#20
Tagged, haven't played games or watched movies for two years, need to upgrade everything tomorrow, and onto the marketplace they go. I haven't worked in 7 weeks, you know I'm the one that is fighting for your rights, while eating these diminishing returns. If anybody got a cool job for hire in the bay area let me know, I got three science degrees, all three useless because we don't follow the science no more, we follow our emotions.
What you can do to keep your older devices online
Fortunately for those older Android devices, a workaround has been devised to keep them up and running until September 2024 as long as they've got Android 2.3.6 Gingerbread or later. (After 2024, you'll need at least Nougat 7.1.1.) But that doesn't help Macs running macOS 10.12.0 or earlier, iPhones and iPads running iOS 9 or earlier, PlayStation 4 consoles running firmware versions earlier than 5.00 and old PCs running Windows XP with Service Pack 2 or earlier. All are likely to be affected, according to this list of affected devices posted by the digital certificate authority Let's Encrypt.
#21
I forgot about this, and haven't taken my xbox360 out of my cabinet... I'll get it set up this weekend to try.
#22
Welp, one of the known-good 2x 360s' (not the for-parts OG 360) bips, like it's going to turn on, but doesn't. Power/electronic issue?
I am going to let the caps discharge, and try later, and if that doesn't work plug it into the other AC adapter for testing.
There might go the OTHER $50 from the garage sale I was going to buy the GOOD beer with...
It hasn't been turned on in over 2.5 years, I think... BUT WAS working fine!
#24
Not if you have watched "Privacy A Postmortem Part 1", & 2...
#25
Damn, I just found a tap on my two cans and a string.
#28
I was investigating a similar issue at our organization back in early 2020.
We had a Sectigo and Comodo Root cert that was expiring on about 2500 applications that deal with utility end points. We didn't have a new root until about a month before the expiration, and swapping those out in that time was not feasible (have to request, get approved downtime for all customers).
I found that RHEL7 and above (I forget the openssl version) was fine as long as it had sufficient material to establish a valid trust chain, regardless of what was chained to the end entity certificates. Older hosts, and older versions of openssl were not so forgiving. If a certificate was chained all the way up to an expiring root certificate, it was invalid even if its trust store was updated.
Newer servers, and every web browser would ignore the expired chain and establish a new, trusted chain with its updated trust store. They just played nicely, although they are not obligated to do so. It's up to the client to determine if it will try to find a different trust chain.
A different trust chain can be established with newer root certificates with SAME key material as something within the chain. Some clients would use a newer root (an old intermediate that was promoted to root). Old and new certs had exact key material. This made it possible to have at least 2 trust chains, old expired one and a new valid one with same end entity certificate.
When the roots expired, it was all hands on deck. Like war games seeing if the bomb impacts were real. Some things broke (older java apps, and strict third-party integration apps), but most of it was fine.
Last edited by xfer42; 10-15-2021 at 10:51 AM.
#29
Yes, my machine partially broke: it was things like curl, using the latest version of openssl-1.1.1. The problem was that the certificate store did not contain the ISRG Root X1 certificate.
Once I added the ISRG Root X1 certificate to the certificate store, it worked again.
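Posts #28 and #29 describe a client that fails while its store only holds the expired root and recovers once a new root with the same key material is added, even though the server keeps sending the old chain. The Go program below is an added example, not code from any poster: it builds a constructed PKI ("Old Root", "New Root" and `www.example.test` are placeholder names; only the Not After date is taken from the dump in post #15) and checks it with Go's `crypto/x509` verifier, which accepts any valid chain it can find.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var Expiry = time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC) // Not After of the old root (post #15)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue certifies pub under the signer key; a nil parent means self-signed.
func issue(cn string, ca bool, notAfter time.Time, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: Expiry.AddDate(-1, 0, 0), NotAfter: notAfter, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent = t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// Scenario verifies a leaf at `at`; the store has the old root, plus the new one if trustNew.
func Scenario(at time.Time, trustNew bool) error {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldKey, newKey, srvKey := gen(), gen(), gen()
	oldRoot := issue("Old Root", true, Expiry, nil, &oldKey.PublicKey, oldKey)
	cross := issue("New Root", true, Expiry.AddDate(3, 0, 0), oldRoot, &newKey.PublicKey, oldKey) // signed by old root
	newRoot := issue("New Root", true, Expiry.AddDate(14, 0, 0), nil, &newKey.PublicKey, newKey) // same name and key
	leaf := issue("www.example.test", false, Expiry.AddDate(0, 2, 0), newRoot, &srvKey.PublicKey, newKey)
	store, served := x509.NewCertPool(), x509.NewCertPool()
	store.AddCert(oldRoot)
	if trustNew {
		store.AddCert(newRoot)
	}
	served.AddCert(cross) // the server still sends the cross-signed certificate
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: served, CurrentTime: at})
	return err
}

func main() { fmt.Println(Scenario(Expiry.AddDate(0, 0, 1), false), "|", Scenario(Expiry.AddDate(0, 0, 1), true)) }
```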
#30
My Xbox 360 and ps3 booted up fine. I did have to update my x360 since it has been unplugged for like 1 year but otherwise all functions fine. I'm guessing the companies updated the certs or did a quick patch to resolve this issue just like during the "y2k" scare. All it took was a quick data patch and no issues.