Child Item

Site Totals

61368 Questions Answered 267 Categories

SSL CA Trust Store issue in Android 2.1

Here is one more reason Samsung/Verizon should push Android 2.2. Websites using SSL Certificates from some valid Certificate AUthorities are throwing SSL Certificate warnings when accessed via Android 2.1. This is because the CA Trust store in Android 2.1 is old and incomplete. It does not contain the full list of trusted CAs that are commonly found in regular desktop browsers like Safari, Chrome, FF and IE. Android 2.2 has a more updated and complete Trusted CA store.

Also, Android 2.1 does not have a published feature for importing CA Certificates (there are some manual workarounds for people who took their phone to the dentist). So, even if you had a valid reason to add a valid CA certificate from a company like Verisign or COMODO or your enterprise to your trust store, you can not do it. So, you have to get used to constantly accepting certificate warnings (which is a security risk in that you may inadvertenty accept a certificate signed by a really invalid/bad CA)

Is anyone aware of a fix for this issue? If not, does Verizon have any plans to address it?

ps: I do not want help for installing client certificates. These are not the same as CA certificates. Android can import client certificates from a URL or from an SD card using Settings->Locations&Security->Credential Storage section.

Comments

telveer

BUMP. Hello - is anyone from Verizon looking into this issue? Or am I the only one having problems with SSL and not being able to get updated ROOT CA certs?

sandystorm

telveer wrote:
BUMP. Hello - is anyone from Verizon looking into this issue? Or am I the only one having problems with SSL and not being able to get updated ROOT CA certs?

Well I personally don't know what the{word filter avoidance} your talking about?

wardcst24

[Edited to comply with Terms of Service]

They were talking about this

In cryptography and computer security, a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).

Digital certificates are verified using a chain of trust. The trust anchor for the digital certificate is the Root Certificate Authority (CA).

A certificate authority can issue multiple certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the root certificate inherit the trustworthiness of the root certificate - a signature by a root certificate is somewhat analogous to "notarizing" an identity in the physical world. Certificates further down the tree also depend on the trustworthiness of the intermediates (often known as "subordinate certification authorities").

Many software applications assume these root certificates are trustworthy on the user's behalf. For example, a Web browser uses them to verify identities within SSL/TLS secure connections. However, this implies that the user trusts their browser's publisher, the certificate authorities it trusts, and any intermediates the certificate authority may have issued a certificate-issuing-certificate, to faithfully verify the identity and intentions of all parties that own the certificates. This (transitive) trust in a root certificate is the usual case and is integral to the X.509 certificate chain model.

The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers

Smokie11

telveer wrote:
BUMP. Hello - is anyone from Verizon looking into this issue? Or am I the only one having problems with SSL and not being able to get updated ROOT CA certs?

See if this can help you: http://www.realmb.com/droidCert/

techlife2

Not to sound dumb but, dah, is everyone following this very impressive explanation? Thank you, kind person but, except for a few smart folks here, I think you stumbled into the wrong forum. :smileysurprised:

wardcst24

All I was doing was talking about a stock 2.1 system browser issue how does that violate terms of service what a jerk learn to read instead of scanning for a certain word does root canel ,root worm,tree root. Also violate your terms of service

telveer

Smokie11 wrote:
telveer wrote:
BUMP. Hello - is anyone from Verizon looking into this issue? Or am I the only one having problems with SSL and not being able to get updated ROOT CA certs?
See if this can help you: http://www.realmb.com/droidCert/

Thanks Smokie11. Actually, you can save the certificate to SD card and install it from there too. However, these are instructions for installing client certificates.

My requirement is different. I need to be able to install ROOT CA certicicates into the device. These are certificates that are used to sign certificate requests. For example, if you go to www.paypal.com, the certificate is signed by Verisign using their CA certificate. Verisign actually signs using an Intermediate Certificate which in turn is signed by their ROOT CA. Clients (such as web browsers) store these CA ROOT certificates and when they visit sites like Paypal, there are no warnings because they can verify the server certificate all the way to a valid ROOT CA.

The problem with Samsung Fascinate is that they still use Android 2.1, which does not have all the required ROOT CAs. It also does not give the ability to add new ROOT CA certificates (unless you hack the phone).

jetfire

test

Child Item