Sept 30 (Express) – A range of popular gadgets – from Windows laptops to older iPhone and Android smartphones – could be at risk of losing access to the internet, experts have warned.
The Wi-Fi black-out will come about due to a far-reaching change that comes into effect on Thursday, September 30 and promises to have huge implications for a wide range of devices made by leading household names.
Why is this going to happen? Well, it’s all down to a change in the HTTPS security protocol.
Even if you’re not too familiar with what “HTTPS security protocol” means, you’re probably already aware of HTTPS (aka Hypertext Transfer Protocol Secure). Whenever you visit a website in browsers, such as Google Chrome, you will have spotted a padlock icon in the address bar. This signifies a website is using HTTPS, meaning the site is secure and any information you enter into it is protected.
So, what does this all have to do with internet black-outs for Android, Apple iPhone and Windows users?
Well, on Thursday, September 30 a root certificate – which is used to encrypt connections between devices and the web, and is crucial to the HTTPS protocol – will be expiring. After this date, devices and web browsers will no longer trust certain certificates called IdenTrust DST Root CA X3.
For the vast majority of devices, this won’t cause issues. But for older gadgets that haven’t been updated in years (and won’t be entitled to use the new certificate) it could cause them to lose access to the internet.
That’s according to a blog post from Scott Helme, with the security researcher betting “a few things will probably break” on Thursday. In the article, Helme said: “This will not be the first time a root CA certificate has expired and I imagine it will follow the same trend as previous expirations where things break.
“If the root certificate that your certificate chain anchors on is expired then there’s a good chance it’s going to cause things to fail.”
To avoid facing any hair-raising problems on Thursday and beyond, you should make sure your device isn’t running one of the at-risk software versions. The impacted root certificates have been issued by non-profit organisation Let’s Encrypt, which has issued over two billion certificates in total – accounting for a large chunk of the web.
Let’s Encrypt has a post online that details the clients that will break due to the upcoming IdenTrust DST Root CA X3 root certificate expiration.
For iPhone users, you need to make sure you’re not running a version lower than iOS 10. For Android smartphone users, make sure you’re not running a version lower than 7.1.1 of the Google software. Windows users need to make sure they don’t run anything lower than Windows XP SP3. And if you’ve got a Mac then you need to make sure you’re not running a version below 10.12.1.
Helme said there were a few other platforms that needed “further investigation to see if they will fail after the IdenTrust DST Root CA X3 expires”.
This includes Amazon Kindle eReaders running a patch below v3.4.1 and a PS4 games console running firmware 5.00 and anything prior to that build.
Here is a full list of the impacted software versions…
- OpenSSL <= 1.0.2
- Windows < XP SP3
- macOS < 10.12.1
- iOS < 10 (iPhone 5 is the lowest model that can get to iOS 10)
- Android < 7.1.1 (but >= 2.3.6 will work if served ISRG Root X1 cross-sign)
- Mozilla Firefox < 50
- Ubuntu < 16.04
- Debian < 8
- Java 8 < 8u141
- Java 7 < 7u151
- NSS < 3.26
- Amazon FireOS (Silk Browser)
REQUIRES FURTHER INVESTIGATION
- Cyanogen > v10
- Jolla Sailfish OS > v126.96.36.199
- Kindle > v3.4.1
- Blackberry >= 10.3.3
- PS4 game console with firmware >= 5.00
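
For readers who look after their own machines, the check below is an added example, not part of the original article or of Helme's or Let's Encrypt's posts. It audits a list of trusted root certificates (in the format Python's `ssl` module returns) for expired roots and for the presence of the two roots named above; the verdict labels and the sample records are constructed for illustration.

```python
import ssl
import time

OLD_ROOT = "DST Root CA X3"  # expiring root named in the article
NEW_ROOT = "ISRG Root X1"    # replacement root named in the article's list


def common_name(cert):
    """Subject commonName of a certificate dict as returned by the ssl module."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_trust_store(ca_certs, now=None):
    """List expired roots and say whether Let's Encrypt chains can still anchor."""
    now = time.time() if now is None else now
    valid, expired = set(), set()
    for cert in ca_certs:
        name = common_name(cert)
        if name is None:
            continue
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        (expired if not_after < now else valid).add(name)
    expired -= valid  # a re-issued root with the same name counts as valid
    if NEW_ROOT in valid:
        verdict = "ok"                # new root trusted
    elif OLD_ROOT in valid:
        verdict = "ok-until-expiry"   # only the old root, still in date
    else:
        verdict = "at-risk"           # no usable anchor for these chains
    return {"verdict": verdict, "expired": sorted(expired)}


def _record(name, not_after):
    # Constructed sample record, same shape as SSLContext.get_ca_certs() output.
    return {"subject": ((("commonName", name),),), "notAfter": not_after}


SAMPLE_OLD_DEVICE = [_record(OLD_ROOT, "Sep 30 14:01:15 2021 GMT")]
SAMPLE_UPDATED = SAMPLE_OLD_DEVICE + [_record(NEW_ROOT, "Jun 4 11:04:38 2035 GMT")]

if __name__ == "__main__":
    # Live check. Roots kept in a CA directory (capath) are only listed once
    # they have been used, so a bundle-file trust store gives the full picture.
    print(audit_trust_store(ssl.create_default_context().get_ca_certs()))
```

An expired root that still sits in the store alongside a valid one is reported in `expired` so it can be reviewed and removed.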