It's js only, nothing is sent to the server. It automatically makes the background of signatures transparent. The result is a raster pdf as if you printed, signed and scanned the document.
I use it on desktop, not sure if it works well on phones.
Let’s Encrypt's cross-signature with IdenTrust "DST Root X3" is ending on September 1, 2021, but 33.8% of Android devices are running versions below 7.1, which don't trust Let’s Encrypt's new root certificate "ISRG Root X1".
Root certificate updates are a massive security issue. Blaming Let's Encrypt is blaming one of the canaries for the coal mine disaster. That 33% of Android devices don't and can't get up-to-date root certificates is an impressive security crisis that grows worse by the year (look at the other root expirations and the crazy workarounds that, for instance, Netflix has been doing to still work on older Android devices). Shouldn't the blame squarely be on Google, the Android OEMs, and the phone carriers for allowing this disaster to happen in the first place?
I realize that is a tough message to get out to users and site owners are going to be in the cross-fire, but it seems better to try to work for solidarity in pointing fingers at the right direction and the right direction certainly isn't Let's Encrypt.
Yes, the issue of most deployed Android devices not getting security updates, either at all or because the devices are used well beyond the update period, is really severe.
But this is not up to Let's Encrypt to solve. They market themselves as building products for the mass market instead of small niches of the market, say, everyone who buys a new phone every year. But then they also have to treat their product like a mass market product, and if Android users still use older versions of the OS, then Let's Encrypt should adapt to that.
This problem isn't unique to Let's Encrypt. Let's Encrypt is not the only entity with certificates signed by DST Root X3. And as these devices get older, more root certificates will expire. What happens when all of them expire?
What is unique about Let's Encrypt, is they may have a harder time getting cross-signed by a CA that will still have a valid root cert on these devices for a significant amount of time, because, as has been pointed out in other comments, Let's Encrypt is disrupting the CA industry.
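To make the cross-signing point in the two comments above concrete (and the later comment about installing the new root on old devices), here is an added example that is not from the thread or from Let's Encrypt: it builds a throwaway PKI with the openssl command line, where an "old root" stands in for DST Root X3 and a "new root" for ISRG Root X1, issues one intermediate twice (once by the new root, once cross-signed by the old root), and then checks which trust stores accept the server's chain. All names (old_root, new_root, demo-intermediate, www.example.test) are constructed for the demo; the only assumption is that openssl 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a miniature PKI that mirrors the
# Let's Encrypt cross-signing setup, built with openssl and checked with
# `openssl verify`. Every name here is constructed for the demo.
set -eu

# Build the demo PKI in directory $1:
#   old_root.pem  - the long-trusted root (stands in for DST Root X3)
#   new_root.pem  - the newer root (stands in for ISRG Root X1)
#   int_new.pem   - intermediate certificate issued by new_root
#   int_cross.pem - the SAME intermediate key and subject, cross-signed by old_root
#   leaf.pem      - server certificate issued with the intermediate key
build_demo_pki() {
  dir=$1
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"

  for n in old_root new_root int leaf; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/$n.key"
  done

  # Two self-signed roots, as a client's trust store would hold them.
  for r in old_root new_root; do
    openssl req -new -config "$dir/req.cnf" -key "$dir/$r.key" -subj "/CN=$r" -out "$dir/$r.csr"
    openssl x509 -req -in "$dir/$r.csr" -signkey "$dir/$r.key" -days 3650 \
      -extfile "$dir/ca.ext" -out "$dir/$r.pem" 2>/dev/null
  done

  # One intermediate CSR, issued twice: normally by new_root, and cross-signed by old_root.
  openssl req -new -config "$dir/req.cnf" -key "$dir/int.key" -subj "/CN=demo-intermediate" -out "$dir/int.csr"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/new_root.pem" -CAkey "$dir/new_root.key" -CAcreateserial \
    -days 1825 -extfile "$dir/ca.ext" -out "$dir/int_new.pem" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/old_root.pem" -CAkey "$dir/old_root.key" -CAcreateserial \
    -days 1825 -extfile "$dir/ca.ext" -out "$dir/int_cross.pem" 2>/dev/null

  # The leaf is signed with the intermediate KEY; both intermediate certs carry that key,
  # so the leaf chains up through whichever intermediate certificate the server sends.
  openssl req -new -config "$dir/req.cnf" -key "$dir/leaf.key" -subj "/CN=www.example.test" -out "$dir/leaf.csr"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int_new.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -days 90 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_chain <trust store PEM> <intermediate PEM sent by the server> <leaf PEM>
# Exit status 0 means a client with that trust store accepts the chain.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

report() {
  if verify_chain "$2" "$3" "$4"; then echo "$1: ACCEPTED"; else echo "$1: REJECTED"; fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
report "old root only, cross-signed chain (while the cross-sign lasts)" "$demo_dir/old_root.pem" "$demo_dir/int_cross.pem" "$demo_dir/leaf.pem"
report "old root only, new chain (after the cross-sign ends)          " "$demo_dir/old_root.pem" "$demo_dir/int_new.pem"   "$demo_dir/leaf.pem"
report "new root installed, new chain                                 " "$demo_dir/new_root.pem" "$demo_dir/int_new.pem"   "$demo_dir/leaf.pem"
rm -rf "$demo_dir"
```

The second line of output is the old-Android case from the thread: a trust store that only holds the old root rejects the chain as soon as the server stops sending the cross-signed intermediate, and the third line is the fix the later comment describes, installing the new root on the device. The same `openssl verify -CAfile <store> -untrusted <sent chain> <leaf>` invocation is a useful pre-flight check for site owners: point `-CAfile` at a copy of an old device's root bundle and `-untrusted` at the chain your server actually serves.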
They will be happy to accept that blame, as long as you fork over your $ for a new device. Planned obsolescence can have many components, this is just one of them.
When you control the client, it's simple, you can do pretty much anything: embed your own HTTP stack, TLS stack, your QUIC stack, or simply your PKI, or subset of the webPKI.
If you're running Android 5.0, you also haven't benefited from updates that remove CAs that have since been shown to be untrustworthy. I think that's far worse than being unable to visit sites that use LetsEncrypt certificates.
It was really short-sighted of Google to make the system cert bundle something that can't be updated without a full OS update. There should be an OTA mechanism that allows it to be updated through the Play Store or through some other means that isn't reliant upon lazy device manufacturers.
33% of devices, but per the article, only 1-5% of traffic on sites using LetsEncrypt. I don't see any site owners moving to a different CA when this affects less than 5% of their visitors, who are likely the poorest fraction of their userbase, i.e. probably not many paying users.
on Androids older than 5, the browser is the old Android browser instead of Chrome. how many sites out there still test compatibility with that?
even without having to click through security warnings, the web is horribly broken on old Android devices. the overlap of sites using Let's Encrypt and sites that care about people using Android <5 has got to be vanishingly small. this isn't going to cause a move away from Let's Encrypt.
I found at least Buypass offering a gratis ACME product "Buypass Go SSL". They have roots which are deployed at least since Android 4.1, which covers way more Android devices (according to the Android Studio statistics, >99%):
> Also the post says that Firefox doesn't work on Androids older than 5.0 which according to the dashboard are still 5.9% of devices.
For those older devices, the only option is to install the new root certificate.
Microsoft Edge still gets updates on Android 4.4 KitKat
I may be wrong, but the effort of switching to your own root store lies more in doing it securely than in the difficulty of switching from system frameworks to your own SSL/HTTP transport layers. So to put it another way, it is straightforward to do a mediocre job, not as trivial to do a good or great job.
Root store and TLS/HTTP library are separate concerns. You can use the system root store with your own libraries, or you can use your own root store with the system libraries.
On an Android 4.4 device, you should probably skip the system root store and the system libraries, and if you're already doing it for those phones, you might as well do it for all the phones.
> Root store and TLS/HTTP library are separate concerns.
In the context of this thread (aka older Android devices), they aren’t truly separate concerns. You really need to do both. My point is that doing both is relatively straightforward, but the root store part is fairly easy to do in a mediocre way and end up brittle / insecure.
I don’t think they have a choice. Reading between the lines, the CA who cross-signed their previous root doesn’t really want to continue doing so (or asked for a lot more money) because LE usage reached levels that are just too risky. I don’t blame them: a single bad actor found doing something particularly nefarious with a LE certificate might lose them the trust their business is literally built upon. I don’t see any other CA queueing up to help what is typically their commercial nemesis. And as they say, at some point they would have to do it anyway, might as well rip the plaster off.
Unfortunately, on my Moto G5 Plus (which is not a high-end device), I've found that Firefox on Android is slower than Chrome (specifically the Bromite fork). I think that Firefox may not be a good solution for low-spec or older phones running older Android versions.
Firefox is not a workaround for non-web mobile apps. Lots of them will stop working unless they do cert pinning / have their own CA bundle or simply stop using LE.
The most impressive thing is that Let’s Encrypt are the ones who are trying to fix a problem that should be fixed by phone manufacturers and telcos.
I can see why, but I would also have liked the phones to “break” so the owners would avoid those brands in the future, and pick one that cares enough to push out updates.
Still, I can blame Let’s Encrypt, they just want to be the good guys, and they do it so beautifully and transparently.
It probably wouldn't encourage many people to upgrade their phones, though. They would probably just see the website as broken and either click through the warning or abandon it completely.
But for certain businesses, there is a case to be made for not serving these kinds of customers. Someone using a shitty old Android phone might not even be able/willing to pay for your product, and if they do, might cost more in technical support and/or fraud (due to their device being vulnerable) than what they bring in revenue.
When you are a bank or a crypto exchange, that might make sense. When you are the municipality of a village in rural India or the company that handles all vehicle registrations, it does not.
You cannot gatekeep with such sweeping statements. People have old phones for lots of reasons. Others will have to serve those people for lots of other reasons.