Discussion:
[android-security-discuss] Symantec SSL cert distrust on Android
Anu
2018-09-12 19:32:14 UTC
Hi Brian,

Is there any date from when Android will distrust Symantec SSL certificates?

Anu
Android is planning to follow Chrome's lead and will stop trusting
Symantec-issued certificates in a future update. Our current plans are not
to do this in P, but you should see the removal in a future platform
version.
-bri
Regarding the Symantec SSL cert distrust that was announced in September
2017 (https://security.googleblog.com/2018/03/distrust-of-symantec-pki-immediate.html)
Clearly this affects the Chrome browser, but I was wondering what impact
- HTTPS connections initiated by native Android apps
(HttpsURLConnection etc.)
- Webview components (android.webkit.WebView etc.)
I’ve looked through the documentation but can only find information on
the Chrome browser. Is there any information on if / when Android native
HTTPS APIs will start rejecting Symantec-issued SSL certs?
--
You received this message because you are subscribed to the Google Groups "Android Security Discussions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+***@googlegroups.com.
Visit this group at https://groups.google.com/group/android-security-discuss.
For more options, visit https://groups.google.com/d/optout.
'Brian Carlstrom' via Android Security Discussions
2018-09-17 17:08:03 UTC
Nothing specific I'm aware of yet, even a timeline to have a timeline. I'll
circle back with the team and see if I can get more details.

-bri
Chandra Sekhar Walajapet
2018-10-05 21:17:49 UTC
Hi Brian, with the Chrome 70 release around the corner, do you know if
hybrid mobile applications using Cordova/PhoneGap will be
affected on the same day?

'Brian Carlstrom' via Android Security Discussions
2018-10-08 18:36:06 UTC
I'll try to find someone from Chrome who can speak to the WebView and
Chrome on Android impact for hybrid scenarios. I'll note that we aren't
planning a platform change to remove CAs on existing devices.

-bri

Chandoo
2018-10-08 20:51:09 UTC
much appreciated
--
Regards,
Chandoo +44 7795090794
'Brian Carlstrom' via Android Security Discussions
2018-10-09 05:10:35 UTC
+chrome-root-authority-program who I'm told can comment on questions about
Chrome & CAs.

chrome-root-authority-program, can you help with this public question on
how Symantec SSL cert distrust will affect Chrome on Android as well as
WebView on Android? Are they using the platform CA list or one that is part
of Chrome / WebView or?

-bri
C
2018-10-09 10:49:13 UTC
Thank you Ryan for your quick response.

@Brian - based on your response and Ryan’s can we conclude that Symantec cert distrust will not impact Hybrid mobile apps at this point?

Or am I missing anything here?

Regards,
Chandoo
+91-93470-93470
The handling of certificates issued by the Symantec Legacy PKI is observing the same approach that was taken with the deprecation of SHA-1 certificates.
Chrome on Android follows the behaviour of Chrome mobile and desktop platforms, and will be removing trust in the Symantec Legacy PKI.
WebView on Android follows the Android SDK expectations when possible, and thus support for SHA-1 certificates and the Symantec Legacy PKI is/will-be removed as the Android Platform and/or SDKs do so.
For the latest details for the Chrome timeline, https://sites.google.com/a/chromium.org/dev/Home/chromium-security/symantec-legacy-pki is available.
Unittests exist within the Chromium repository to ensure that WebView on Android matches those expectations, and are at https://chromium.googlesource.com/chromium/src/+/df64c92360495ab98876e131fb0be3b800039a44/android_webview/browser/net/aw_url_request_context_getter_unittest.cc#100
--
You received this message because you are subscribed to the Google Groups "chrome-root-authority-program" group.
To view this discussion on the web visit https://groups.google.com/a/google.com/d/msgid/chrome-root-authority-program/CANUZ-edyX-LBQmFQOTjsxALLef%2BdZY%3Di8imPfkZNai7%2Bs%3D_T5Q%40mail.gmail.com.
'Brian Carlstrom' via Android Security Discussions
2018-10-09 15:56:44 UTC
Chandoo, my one concern might be if a so-called hybrid app used Chrome
Custom Tabs:

https://developer.chrome.com/multidevice/android/customtabs

since they behave like Chrome more than WebView.

-bri
C
2018-10-09 19:04:17 UTC
Brian,

This will be affected, because this is using Chrome and not WebView.

Regards,
Chandoo
+91-93470-93470