
Cloudflare certificate changes

This has arrived from Cloudflare – the outfit which buffers EuroGA.org traffic and provides the https certificate. I don’t really understand the relevance of it so maybe one of the experts here can comment:

Administrator
Shoreham EGKA, United Kingdom

EuroGA currently seems not to use Let's Encrypt certificates (but certificates issued by Google???), so it would not be impacted. Even if it were using Let's Encrypt certificates, in short the result would be that computers with very old OSes or browsers could not connect to EuroGA anymore.

ELLX

lionel wrote:

the result would be that computers with very old OS or browsers cannot connect to EuroGA anymore.

The result would actually be a report of an untrusted certificate. If you choose to trust it yourself you should still be able to read EuroGA even with an old browser.

ESKC (Uppsala/Sundbro), Sweden

What I have found, and this may not be related to the above at all, is that as a given device gets older and older, current versions of browsers refuse to install on it. And the old version is not able to work with the site for whatever reason. This is what made Symbian (Nokia phones) unusable eventually even though the device worked perfectly as a phone, for email, etc.

So e.g. if you run winXP you cannot install Chrome, probably cannot install Firefox, but the installed versions continue to work unless the site has implemented some code which needs new browser versions. However I have just checked a winXP laptop and both browsers work on EuroGA perfectly.

The https aspect of EuroGA is done entirely by Cloudflare. The base site is http only. And this is what the above email is referring to. I did exactly the same with peter2000.co.uk, where I did not want to get involved with the endlessly breaking cron jobs to update the certificates. Cloudflare do their free service only for noncommercial sites, so at work, our online shop, implements https itself, and yeah every so often the certificate updating breaks, and always for different reasons. There is simply no “zero-admin” option if you run a website, these days. Cloudflare is the nearest thing.

I was not aware that the operating system of a client device is relevant in itself; I thought the certificate management is done by the browser. So why is e.g. Android 7 relevant? I still have Android 4 on an old tablet and that seems to also work perfectly.

Administrator
Shoreham EGKA, United Kingdom

I don’t know anything about these things but when my tablet stopped loading Skydemon I was told I needed Android 4 or above. Lenovo tablets are now running Android 11 so I should be safe to buy one of them.

France

Android is currently at v14. And v12 onwards (IIRC) breaks a load of apps due to “improved security”.

Administrator
Shoreham EGKA, United Kingdom

Peter wrote:

I was not aware that the operating system of a client device is relevant in itself; I thought the certificate management is done by the browser. So why is e.g. Android 7 relevant? I still have Android 4 on an old tablet and that seems to also work perfectly.

Many more applications than browsers use https and other encrypted protocols so the OS usually provides an API for this.

ESKC (Uppsala/Sundbro), Sweden

Peter wrote:

I thought the certificate management is done by the browser.

It depends on the browser. Some (the Microsoft ones as far as I remember, and Chrome from 2009 until late 2022) use the OS certificate store, others (the Mozilla ones) use their own. I expect that the default browser on Android uses the OS certificate store.

Airborne_Again wrote:

The result would actually be a report of an untrusted certificate. If you choose to trust it yourself you should still be able to read EuroGA even with an old browser.

Yes, sorry for my oversimplification.

Last Edited by lionel at 20 Mar 08:59
ELLX

The HTTPS protocol needs a site (EuroGA) certificate to establish a secure communication between a computer and a server, and this certificate must be approved by "an authority".
Cloudflare uses certificates for the websites it manages, and uses various providers of certificates, and one of them is going to expire.
It means that if you delegate HTTPS management and certificates to Cloudflare, your certificate may be going to change. Actually it will change if it has been generated by this "cross toolchain" and if it is based on the RSA algorithm.
I think the real cause behind it is that RSA is known to be less secure than ECDSA, whose security is also not going to survive the next 10 years.

The move of Apple chat security to PQC ("Post Quantum Cryptography") some weeks ago and the enormous amount of TFLOPS marketed by Nvidia yesterday during the Blackwell release is probably for something. It's just a "precautionary shutdown" for algorithms that are going to be considered weaker…

The certificate of EuroGA seems to be delivered by Zscaler, so no worry…

Last Edited by greg_mp at 20 Mar 09:12
LFMD, France

greg_mp wrote:

It's just a precautionary shutdown…

No, this is not what is happening here. Although moving away from RSA to Post-Quantum Cryptography is a valuable project in itself, it is entirely independent of and orthogonal to what is happening here, since Let's Encrypt will still issue RSA certificates.

Since 2015 Let's Encrypt has been paying IdenTrust to cross-sign their root, so from a technical standpoint Let's Encrypt was "only" a sub-CA of IdenTrust. Then over the years Let's Encrypt worked to have its root recognised by all OSes and browsers, so that they could stop depending on IdenTrust. The point has been reached where they will stop depending on IdenTrust, and thus "old" OSes/browsers that do not trust the Let's Encrypt root will not recognise new Let's Encrypt certificates (that do not "chain back" to IdenTrust) as valid.

ELLX
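The mechanism lionel describes can be reproduced with a toy certificate hierarchy. The Go program below is an added example written for this thread; it is not code from EuroGA, Cloudflare or Let's Encrypt. "Example Old Root" and "Example New Root" are illustrative stand-ins for the IdenTrust and ISRG roots, and euroga.example is a made-up hostname. It builds a self-signed new root, a cross-signed copy of that root issued by the old root, and a server certificate under the new root's key, then checks the same server certificate from three client viewpoints: an old client that only trusts the old root and is sent the cross-signed intermediate, the same old client once the cross-sign is dropped from the chain, and an updated client that has the new root in its store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a toy hierarchy modelled on the situation above. Names are
// illustrative stand-ins, not the real ISRG or IdenTrust certificates.
type PKI struct {
	OldRoot     *x509.Certificate // long-trusted root (plays the IdenTrust role)
	NewRoot     *x509.Certificate // newer self-signed root (plays the ISRG root role)
	CrossSigned *x509.Certificate // NewRoot's subject and key, but issued by OldRoot
	Leaf        *x509.Certificate // server certificate issued under NewRoot's key
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl from parent with signer's key; parent == tmpl gives a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

func BuildPKI() *PKI {
	oldKey, newKey, leafKey := mustKey(), mustKey(), mustKey()
	oldTmpl := caTemplate("Example Old Root", 1)
	oldRoot := sign(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate("Example New Root", 2)
	newRoot := sign(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// The cross-sign: same subject and public key as newRoot, but a different
	// serial and a signature made with oldKey, so it chains up to OldRoot.
	crossSigned := sign(caTemplate("Example New Root", 3), oldRoot, &newKey.PublicKey, oldKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "euroga.example"},
		DNSNames:  []string{"euroga.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, newRoot, &leafKey.PublicKey, newKey)
	return &PKI{OldRoot: oldRoot, NewRoot: newRoot, CrossSigned: crossSigned, Leaf: leaf}
}

// verifies reports whether Leaf validates for a client whose store holds
// `trusted`, when the server sends `sent` as intermediates alongside Leaf.
func (p *PKI) verifies(trusted, sent []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "euroga.example", Roots: roots, Intermediates: inters})
	return err == nil
}

// Old client, cross-signed chain served: leaf -> CrossSigned -> OldRoot. Accepted.
func OldClientWithCrossSign(p *PKI) bool {
	return p.verifies([]*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.CrossSigned})
}

// Old client, chain now ends at the self-signed NewRoot it has never heard of. Rejected.
func OldClientWithoutCrossSign(p *PKI) bool {
	return p.verifies([]*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.NewRoot})
}

// Client whose root store already contains NewRoot needs no cross-sign at all. Accepted.
func UpdatedClient(p *PKI) bool {
	return p.verifies([]*x509.Certificate{p.NewRoot}, nil)
}

func main() {
	p := BuildPKI()
	fmt.Println("old client, cross-signed chain:", OldClientWithCrossSign(p))
	fmt.Println("old client, new chain only:    ", OldClientWithoutCrossSign(p))
	fmt.Println("updated client, new chain:     ", UpdatedClient(p))
}
```

Run it with `go run`; the second check is the case this thread is about. Nothing about the server certificate itself changes between the first two checks, only which intermediate the server hands out. The fix on the client side is to get the new root into the root store (an OS or browser update, or, as Airborne_Again notes, manually trusting it), which is exactly why the OS version matters for apps that rely on the OS store.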