-
tomman
danluu.com/slow-device good writeup, sadly Modern Web Developers™ do not care about low-end trash
-
tomman
they're all using $1000 iPhones and $2000 ARMacs
-
tomman
also, Let's Encrypt just rendered one of my cellphones useless
-
tomman
the cross-signing stuff with the long expired DST CA finally died last week, and no app connecting to Let's Encrypt-certified servers works anymore
-
tomman
turns out that while you can install the new CAs, starting with Android 7, the OS will ignore them unless apps explicitly opt-in to using user-added CAs, under the disguise of "security"
-
tomman
(the other way is by rooting the cellphone, which is a no-fly zone for most devices out there)
-
tomman
I can't listen to web radio or check exchange rates using the handy apps from F-Droid on my old Alcatel due to that
-
tomman
isn't SSL wonderful? Contributing to the global pandemic of ewaste, how considerate~
-
franstam
why do we need ssl for listening to web radi
-
franstam
radio
-
franstam
who's gonna hack my stream
-
franstam
isn't radio by nature public already?
-
franstam
who cares?
-
njsg
tomman: so older android lacks support for crypto algorithms, newer android simply does not understand the concept of certificate store?
-
njsg
one would think people screaming that they must have one single centralized store would understand this concept. Or was that Apple?
-
tomman
njsg: no, it's not crypto but CAs
-
tomman
Remember the Let's Encrypt CA horror show a few years ago when the DST CA was expiring and they were moving to a new one
-
tomman
normally on any sane OS the fix is simple: update your CAs
-
tomman
sadly you can't do this on Android unless both your device OEM and (if applicable) your telco cooperates, which is not happening for 99% of the devices out there
-
tomman
luckily Android allows to install your own CAs, just like in any Real Computer™
-
tomman
unluckily, starting with Android 7, any app targeting SDK level 24 (that is, 7.0) will ignore user-registered CAs in the name of Sekuritah™ (and previous versions gave you scary warnings if you DARED adding a custom CA)
-
tomman
developers can opt-in for supporting user CAs, but this is not a default setting on project files
-
tomman
and I suspect that in some devices, either telcos or OEMs may have crippled the ability to use your own CAs even with compliant applications, because this is Android
-
tomman
all the paths lead to e-waste and setting money ablaze in the name of Sekuritah™
-
tomman
and Let's Encrypt's only advice (other than "buy a new cellphone lol") is "Install Firefox, which uses its own CA store"... and which is too bloated to run on low-end devices, even more than Chrome (which is already a bloaty pig)
-
tomman
The other workaround is to root the phone and add the certs to the system store, but again, this is not an option for 99% of the devices out there
-
tomman
(good luck finding a device-specific forum for $FREE_WITH_FRIES prepaid specials with 1GB RAM on XDA, for example)
-
njsg
tomman: no, there's also a separate issue where you may have the certificates but you can't establish a connection because the server requires an unsupported cipher
-
njsg
might require older android than that, though.
-
tomman
haven't experienced that one with Nougat, tho
-
tomman
but yeah, on that one you're screwed since it needs more than just a bunch of files
-
njsg
happens at least with some "jelly beans"
-
njsg
having to root to do a lot of stuff IMHO in itself sums up a lot that makes android less suitable and harder to use. now they could at least make rooting accessible, instead from what I gather that's often not the case