• ckcheng 11 days ago
    > Let’s Encrypt, is discontinuing support for Android ... 7.1.0 and earlier.

    > beginning April 15, 2024, Android 7.1.1 will be the earliest supported Android OS for all OverDrive apps and websites, including Libby.

    This change was already delayed from 3 years ago as Let’s Encrypt found a workaround back then [1]. Too bad they aren’t delaying it anymore. Good bye to my old tablet for library ebooks.

    [1]: https://android.stackexchange.com/questions/231025/lets-encr...

    • schoen 11 days ago
      More underlying details from the Let's Encrypt side:


      (There are Android compatibility changes that will affect anybody using Let's Encrypt certificates which are consumed by older unsupported Android devices.)

      • ckcheng 11 days ago
        I was wondering why they didn’t extend their workaround (certificate cross-sign). Turns out they could but:

        - Android devices which needed the cross-sign compatibility dropped to 6.1%.

        - “dropping the cross-sign will reduce the number of certificate bytes sent in a TLS handshake by over 40%.”

        - “it will significantly reduce our operating costs”

        Too bad for those who use their old Android devices to access the public library and can’t afford to upgrade.

        It’s not ideal, but using Firefox Mobile to access Libby web app should still work?

        • nar001 11 days ago
          It should, pretty sure Firefox has its own certificate store
    • Staple_Diet 11 days ago
      This might be cold solace, but there now exists a plethora of cheapish e-Ink tablets that are running newer Android. I have a Boyue Likebook and love it for reading ebooks, much nicer than traditional screen and runs Libby etc. although I mostly use Z-lib.

      Much like you I hate to see my old devices waste away in a drawer so hope you find a use for it.

    • 0xCMP 11 days ago
      Wow, I didn't realize that older versions of Android (and possibly current versions?) didn't let you install root certificates without rooting it. IIUC iOS does let you install whatever root certificate you want with multiple confirmations/password prompts and it doesn't require authenticating every time it's going to use it.
      • userbinator 11 days ago
        This is why having root access on devices you own is important.

        In fact, I'd even argue that not having root means you don't own it.

        • pierat 11 days ago
          I would also say that if you don't have full administrator access, but the company still does?

          That's a rental, not a sale.

          And I'd argue that under FTC rule, that's illegal.

      • pavon 11 days ago
        You can install CA certs on current versions without being rooted. For Android 14 on a Pixel 6a:

        Security & Privacy -> More Security & Privacy -> Encryption & credentials -> Install a certificate -> CA certificate

        This works for Chrome and any app that uses the system cert store. I've used it for self-hosted services for several years. Don't know when it was first added.

        • strombofulous 11 days ago
          Unfortunately this installs it as a user cert and only works for apps that explicitly request it. To work everywhere you need to install it as a system cert, which requires root.

          Interestingly iOS (which is generally more locked down for dev stuff like this) allows users to install certs for all apps without jailbreak.

      • sequoia 11 days ago
        OK, so this is an Android problem, not an OverDrive or Let's Encrypt problem.
      • spondyl 11 days ago
        From memory, you definitely were able to install root certs pre-7.0ish but that functionality was removed, presumably to stop users from running man-in-the-middle proxies and sniffing app traffic.

        A huge irony in that alongside all the talk of conservatism, iOS provides much more user flexibility in this area of all things, and something that keeps me using the ecosystem.

        You can still load root certs but as mentioned, it requires rooting your Android device. Some apps do have certificate pinning but the majority I would bet don't.

    • cguess 11 days ago
      It's an 8-year-old OS. I can't say I blame them for not wanting to handle that anymore; eventually it becomes too difficult to test and keep up with.
      • NoahKAndrews 11 days ago
        It's not a matter of "not wanting to handle it", it's that 7.1.1 is the oldest Android version with an unexpired root certificate that Let's Encrypt can use (my language may be a little bit sloppy here).
        • schoen 11 days ago
          If you want to be more precise, you could say "a root certificate that Let's Encrypt will be able to use to build an unexpired trust path after September 2024" (because of the fact that Android doesn't enforce expiration of roots, but does enforce expiration of certificates signed by them).
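
Added example (not part of the thread and not any commenter's or Let's Encrypt's code): a toy path builder illustrating the point in the comment above, that the trust anchor's own expiry is not enforced while the expiry of certificates signed beneath it is. Certificate names and dates are constructed assumptions; the cross-sign expiry is set to the end of September 2024 to match the date mentioned.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

def build_path(leaf, pool, anchors, today, enforce_anchor_expiry=False):
    """Walk issuer links from leaf to a trust anchor; return subjects or None.

    enforce_anchor_expiry=False models the behaviour described in the thread:
    the anchor's own notAfter is ignored, but every certificate signed
    beneath it must still be unexpired.
    """
    path, current, seen = [], leaf, set()
    while current is not None and current.subject not in seen:
        if current.not_after < today:
            return None  # an expired non-anchor certificate breaks the path
        path.append(current.subject)
        seen.add(current.subject)
        anchor = anchors.get(current.issuer)
        if anchor is not None:
            if enforce_anchor_expiry and anchor.not_after < today:
                return None
            return path + [anchor.subject]
        current = pool.get(current.issuer)
    return None

# Constructed sample data: names and dates are illustrative assumptions.
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", date(2021, 9, 30))
NEW_ROOT = Cert("New Root", "New Root", date(2035, 6, 4))
CROSS_SIGN = Cert("New Root", "Legacy Root", date(2024, 9, 30))
INTERMEDIATE = Cert("Issuing CA", "New Root", date(2025, 9, 15))
LEAF = Cert("library.example", "Issuing CA", date(2024, 12, 31))

POOL = {c.subject: c for c in (INTERMEDIATE, CROSS_SIGN)}  # sent by the server
OLD_DEVICE = {"Legacy Root": LEGACY_ROOT}  # trust store predates the new root
NEW_DEVICE = {"New Root": NEW_ROOT, "Legacy Root": LEGACY_ROOT}

if __name__ == "__main__":
    for day in (date(2024, 6, 1), date(2024, 10, 15)):
        print(day, "old:", build_path(LEAF, POOL, OLD_DEVICE, day),
              "new:", build_path(LEAF, POOL, NEW_DEVICE, day))
```

The old device validates only through the cross-signed certificate, so its path disappears once that certificate expires, while the new device anchors directly at the new root.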


      • eviks 11 days ago
        What's too difficult about doing the exact same thing you've been doing? (cross-signing in this case)
  • mikedrake 4 days ago
    Hi, I have just updated from 6.0.1 on a Nexus 7 to 7.1.2. Lots of YouTubes on how to do this.
  • JordanHu 11 days ago