To shield users from rogue CAs, Android 14 makes root certificates updateable via Google Play


Every time you go online, you rely on the software on your device being configured to reach the right server for the website you want to visit. Making the right connection matters so that you do not land on a server owned by someone with bad intentions, but making that connection secure matters too, so that any data you send to that server is encrypted in transit (TLS) and, hopefully, not susceptible to snooping. However, your operating system, web browser and applications will only establish a secure connection (HTTPS) to a server on the Internet if they trust the server's TLS certificate.

Because there are so many websites on the Internet, operating systems, web browsers and applications do not keep a list of the certificate of every site they trust. Instead, they look at who signed the certificate issued to the site: is it self-signed, or is it signed by another entity, a Certificate Authority (CA), that they trust? That check can repeat across several layers, each certificate vouched for by the one that signed it, until it reaches the root CA whose certificate sits at the top of the chain.

The number of root CAs is far smaller than the number of websites whose certificates they issue, directly or through one or more intermediate CAs, so an operating system or web browser can maintain a list of the root CA certificates it trusts. Android, for example, keeps its list of trusted root certificates in the OS's read-only system partition at /system/etc/security/cacerts. Unless an application restricts which certificates it trusts, a technique known as certificate pinning, it defaults to the operating system's root store to decide whether or not to trust a certificate. Because the "system" partition is read-only, the Android root store cannot change outside of an OS update, which is a problem when Google needs to remove a root certificate or add a new one.
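To make the chain-of-trust and root-store ideas above concrete, here is an added example (not code from the article or from Android) that uses the openssl command-line tool to build a throwaway three-level chain, verify the server certificate against a "root store" holding only the root, and show that a certificate for the same host name issued by a root that is not in the store is rejected. The subject names (Example Root CA, www.example.test and so on) are constructed for the demo; the file-naming rule at the end (the certificate's old-style subject hash plus ".0") is the scheme Android uses for files under /system/etc/security/cacerts.

```shell
#!/bin/sh
# Added example: a miniature PKI built with the openssl CLI.
#   Example Root CA -> Example Intermediate CA -> www.example.test   (genuine chain)
#   Rogue Root CA   -> www.example.test                              (root not in the store)
# All names are constructed for this demo. Requires the openssl binary.
set -e

# new_key_and_csr DIR NAME CN : RSA key plus a certificate signing request.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# self_sign DIR NAME : turn NAME's CSR into a self-signed CA certificate (a "root").
self_sign() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 3650 -sha256 \
    -extfile "$1/ca.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# issue DIR ISSUER SUBJECT EXTFILE : ISSUER signs SUBJECT's CSR with the given extensions.
issue() {
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
    -days 397 -sha256 -extfile "$4" -out "$1/$3.pem" >/dev/null 2>&1
}

# build_demo_pki DIR : creates root, intermediate and leaf, plus a rogue root and its leaf.
build_demo_pki() {
  dir="$1"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/int.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' >"$dir/leaf.ext"

  new_key_and_csr "$dir" root "Example Root CA"
  self_sign       "$dir" root
  new_key_and_csr "$dir" int  "Example Intermediate CA"
  issue           "$dir" root int  "$dir/int.ext"
  new_key_and_csr "$dir" leaf "www.example.test"
  issue           "$dir" int  leaf "$dir/leaf.ext"

  # A second, unrelated root can mint a certificate for the same host name,
  # but it is not in our root store, so the chain must be refused.
  new_key_and_csr "$dir" rogue      "Rogue Root CA"
  self_sign       "$dir" rogue
  new_key_and_csr "$dir" rogue_leaf "www.example.test"
  issue           "$dir" rogue rogue_leaf "$dir/leaf.ext"
}

# verify_chain ROOT_STORE INTERMEDIATE LEAF : succeeds only if LEAF chains up to a
# certificate in ROOT_STORE. -untrusted supplies the intermediate the way a server
# sends it during the TLS handshake; it is not trusted on its own.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# android_store_name CERT : the file name Android uses for CERT in its cacerts directory.
android_store_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Stand-alone run.
WORK="$(mktemp -d)"
build_demo_pki "$WORK"
if verify_chain "$WORK/root.pem" "$WORK/int.pem" "$WORK/leaf.pem"; then
  echo "genuine chain: accepted (its root is in the store)"
fi
if ! verify_chain "$WORK/root.pem" "$WORK/rogue.pem" "$WORK/rogue_leaf.pem"; then
  echo "rogue chain:   rejected (its root is not in the store)"
fi
echo "Android would store the root as /system/etc/security/cacerts/$(android_store_name "$WORK/root.pem")"
rm -rf "$WORK"
```

The root store passed to verify_chain is the whole decision: the rogue leaf is a perfectly well-formed certificate for www.example.test, and it is rejected only because its issuer cannot be traced to a root the store contains. Removing a compromised root from that store, or adding a new one, is exactly the change that a read-only system partition makes hard and that an updateable store makes routine.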

Sometimes a root certificate is about to expire, which can take websites and services down and cause web browsers to warn about insecure connections. In other cases the CA that issued the root certificate is suspected of being malicious or compromised. Or a new root certificate appears and must be added to the root store of every major operating system before the CA can actually start signing certificates.
