To shield users from rogue CAs, Android 14 makes root certificates updateable via Google Play

Share This Post

However, because there are so many websites on the Internet, operating systems, web browsers, and applications do not keep a list of the security certificates of each site that they trust. Instead, they want to know who signed the security certificate issued to the site: is it self-signed or is it signed by another entity (Certificate Authority [CA]) that they trust? This validation chain can continue in multiple layers until you reach the root CA that issued the security certificate used to sign the certificate that eventually signed the certificate issued for the website you are visiting.

When you log in every day, you can be sure that the software on your device is properly configured to take you to the right server that hosts the websites you want to visit. Making the right connection is important so you don’t end up on a server owned by someone with bad intentions, but making that connection secure is also important so that any data you send to that server are all encrypted in transit (TLS) and hopefully `not susceptible to snooping. However, your operating system, web browser, and applications will only establish secure connections to servers on the Internet (HTTPS) if they trust the server’s security certificate (TLS).

The number of root CAs is much less than the number of websites that issue security certificates, either directly or through one or more intermediate CAs, allowing the operating system and web browser to maintain a list of root CA certificates. whom they trust. For example, Android has a list of trusted root certificates contained in the OS’s read-only system partition at /system/etc/security/cacerts. If applications do not restrict which certificates are trusted, a method known as certificate pinning, they will default to using the operating system’s root store to decide whether to trust security certificates or not. Since the “system” partition is read-only, the Android root store is immutable outside of OS updates, which can be a problem when Google wants to remove or add a new root certificate.

Sometimes the root certificate is about to expire, which can cause websites and services to go down and web browsers to send warnings about unsafe connections. In some cases, the CA that issued the root certificate is suspected of being malicious or compromised. Or a new root certificate comes in and must be added to the root store of every major operating system before the CA can actually start signing the certificate.

Related Posts

Concerns About KFC’s Diablo 4 Beta Codes Have People Panicking

While some users are completely against it, others are...

Microsoft’s new Copilot will fundamentally alter Office documents

I was talking to Friedman on a Teams call...

Microsoft offers EU remedies to get the deal with Activision approved

According to Microsoft President Brad Smith, the American software...