On May 30, channels on the Roku streaming platform stopped working, and its customers had no idea what exactly had happened. The company advised customers to update their devices manually, stating that because of the expiry of SSL certificates, some channels on the Roku streaming platform might not work as expected. Roku also advised customers to enable automatic installation of the company's software updates. On the same day, the digital payment platforms Stripe and Spreedly went down, attributing the outage to the expiry of a Certificate Authority (CA) root certificate.
As you know, SSL certificates have an expiration date. To operate SSL/TLS encryption, a server presents an SSL certificate to clients, which may be applications, web browsers or devices. If a server certificate is nearing its expiry, a sysadmin can easily renew it. However, for a client to trust any presented certificate as valid, web browsers, applications and devices ship with a set of pre-installed root certificates issued by trusted certification authorities (CAs). These root certificates expire much later than server certificates, after up to 20-25 years.
In a blog post, security researcher Scott Helme said the problem began on May 30 at 10:48:38 GMT. At that moment the AddTrust External CA Root expired, showing the first signs of a problem he suspected had been building for some time.
He added that many CA root certificates will expire in the coming years simply because more than 20 years have passed since the start of the encrypted web, and that is the lifespan of a CA root certificate. He also stressed that this will affect several customers of the Roku streaming service. Helme expects the next "potentially important date" to be September 30, 2021, when the CA certificates issued by the DST Root CA X3 expire. This means that if client applications and devices are not updated in time, they will not recognize Let's Encrypt certificates, causing connection problems. Helme, who has been warning about this impending problem for two years, gave further details on his blog about recent Let's Encrypt certificates that may not be compatible with most Smart TV models, because of the very small root stores that exist on those devices.
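As an added illustration (not code from the article, Roku or Helme), here is a small Python model of why the AddTrust expiry broke devices with an old root store but not updated ones: it builds a certificate path from the leaf up to a trusted root, rejecting any hop that is past its validity window, over constructed certificates. Only the AddTrust name and its expiry time come from the article; "Newer Root", "Example Intermediate CA" and "streaming.example" are assumed names standing in for a cross-signed newer root and its chain.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # equals subject for a self-signed root
    not_after: datetime  # end of the validity window

def build_trusted_path(leaf, pool, root_store, now):
    """Depth-first walk from the leaf up the issuer links. Returns the subjects
    on the path if every hop is still valid at `now` and the path ends at a root
    the device trusts, else None. Signature and name checks of a real validator
    are deliberately left out; this models only the validity-window logic."""
    def walk(cert, path):
        if now > cert.not_after:
            return None                       # this hop has expired
        anchor = root_store.get(cert.issuer)
        if anchor is not None and now <= anchor.not_after:
            return [c.subject for c in path] + [anchor.subject]
        # a cross-signed copy and a self-signed root can share a subject name,
        # so every candidate issuer in the pool is tried
        for cand in pool:
            if cand.subject == cert.issuer and cand not in path:
                found = walk(cand, path + [cand])
                if found:
                    return found
        return None
    return walk(leaf, [leaf])

UTC = timezone.utc
ADDTRUST_EXPIRY = datetime(2020, 5, 30, 10, 48, 38, tzinfo=UTC)  # from the article
BEFORE_EXPIRY = datetime(2020, 5, 30, 9, 0, tzinfo=UTC)   # constructed probe times
AFTER_EXPIRY = datetime(2020, 5, 30, 12, 0, tzinfo=UTC)

# Constructed certificates (hypothetical names except AddTrust)
ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root", ADDTRUST_EXPIRY)
NEWER_ROOT = Cert("Newer Root", "Newer Root", datetime(2038, 1, 1, tzinfo=UTC))
# Cross-signed copy of the newer root issued under AddTrust so old devices can
# chain to it; it cannot outlive its issuer.
CROSS_SIGNED = Cert("Newer Root", "AddTrust External CA Root", ADDTRUST_EXPIRY)
INTERMEDIATE = Cert("Example Intermediate CA", "Newer Root", datetime(2030, 1, 1, tzinfo=UTC))
LEAF = Cert("streaming.example", "Example Intermediate CA", datetime(2021, 1, 1, tzinfo=UTC))

SERVER_CHAIN = [INTERMEDIATE, CROSS_SIGNED]   # sent by the server alongside the leaf
OLD_DEVICE_STORE = {ADDTRUST.subject: ADDTRUST}                                  # never updated
NEW_DEVICE_STORE = {ADDTRUST.subject: ADDTRUST, NEWER_ROOT.subject: NEWER_ROOT}  # updated

def check_device(root_store, now):
    """Path the device would accept for the server's chain at time `now`, or None."""
    return build_trusted_path(LEAF, SERVER_CHAIN, root_store, now)
```

Before 10:48:38 GMT the old device chains through the cross-signed certificate to AddTrust; afterwards that hop is expired and only a device whose store already holds the newer self-signed root still finds a valid path.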
While regular updates to smart devices are an obvious solution, they may not be so obvious to the end user. During regular updates, smart devices can download new root CA certificates to add to their root stores. This assumes that the device manufacturer keeps providing such updates, including revised root certificates.
Smart gadgets may go through prolonged periods of inactivity lasting weeks or months. If the root CA certificates on a rarely updated gadget expired while it was offline, it may have trouble reconnecting to the Internet when it is switched on again.
For example, a smart light bulb may be able to connect to the internet, but it may need a secure connection to its server before it can start receiving updates. If the bulb had been "disconnected" from the internet for a few months and the grace period for updating its root CA certificates has since passed, it may no longer be able to reconnect unless it is updated manually, if that is still possible.
In addition, devices such as smart bulbs, watches or refrigerators do not have an advanced user interface that could give users clues about exactly what is happening, especially at a technical level. At first glance, even a technically trained user may not be able to spot the real problem. Given the many CAs that can issue root certificates, the frequency and number of certificates distributed to end devices vary.
Helme noted that even the most modern devices and the most advanced gadgets are not modern enough, because they fail to include the latest root certificates. For smart devices and IoT products to keep operating without interruption and to ensure a smooth user experience, stakeholders, partners and competitors in the industry must agree on a standard set of practices and adhere to it. There is no justification in 2020 for devices that still do not recognize root certificates issued in 2012.