• Kbin_space_program@kbin.social
      link
      fedilink
      arrow-up
      77
      ·
      1 year ago

      Google: wants to push their browser based DRM, to which they would inevitably be the ultimate controller of, in the name of “safety”.

      Also Google: intentionally kneecaps the existing certificate system which is the main safety system of the web.

      Gee, I wonder if the two are connected.

      • IonicFrog@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        34
        ·
        1 year ago

        I heard this on the radio yesterday. Secretly ruthless is a good way to describe Google.

        SHAPIRO: OK. So big picture on this anniversary, 25 years in, if you could describe Google’s legacy in a sentence, what would that be?

        PATEL: Secretly ruthless.

        SHAPIRO: Oh, that’s rough. Wow. Secretly ruthless - that’s even less than a sentence. Give me a little bit more. Why do you say secretly ruthless?

        PATEL: Google has convinced everyone that it is this incredibly sincere and earnest company - that it’s just a bunch of goofballs making cool things. That is true. But I think if we just paid a little more attention to where Google’s money comes from - and it is almost entirely advertising - I think we would be able to see the company and its influence a little bit more clearly. But the truth is, it is an utterly ruthless advertising company that is very, very, very successful at delivering results to its clients.

        SHAPIRO: But Nilay, you didn’t mention how cute the Google doodles are.

        PATEL: Yeah, the - I understand. They’re very cute.

        https://www.npr.org/2023/09/04/1197548359/the-verges-nilay-patel-talks-googles-legacy-and-its-future-on-its-25th-anniversa

        • Jumper775@lemmy.world
          link
          fedilink
          arrow-up
          8
          ·
          1 year ago

          This is very true, although from what I’ve seen both sides are correct. They give very little guidance to any of the stuff they put out, see killing off stadia or how badly they have been messing up chromeOS and just let their engineers do what they want until they lose their way then it falls off. They just don’t care about that because the ad money keeps coming regardless. It seems almost like a result of the fact that google just hires talent so no one else can have it and then they just let them do whatever they want. It’s almost like there are two googles.

          • Wooki@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Intellectual Property.

            That is it.

            You can’t protect a product or service will never reach customers. But you sure can protect a sold and failed product or service.

        • 0x2d@lemmy.ml
          link
          fedilink
          arrow-up
          7
          ·
          1 year ago

          I freaking love the new updates!!

          I love it when I can’t manage my own SSL certificates, even as root

          I love not being to use the fucking McDonalds app on a rooted device

          Web environment integrity is so great! It’s incredible that my rooted tablet will be locked out of lots of websites since I’m not using AUTHORIZED chrome on an AUTHORIZED device

          It’s so awesome that adblock will stop working in most Chromium-based browsers

          LIKE WTF I JUST GOT A PIXEL NOW YOU NEED TO RUIN IT?

      • Sigmatics@lemmy.ca
        link
        fedilink
        arrow-up
        12
        arrow-down
        2
        ·
        1 year ago

        Honestly the entire certificate system is a fraud. You can see just how vulnerable it is with the recent Microsoft vulnerability

      • ramble81@lemm.ee
        link
        fedilink
        arrow-up
        9
        ·
        1 year ago

        And there we go. I was trying to figure out the “why?” beyond “think of the children it’s secure!” and that’s the part that makes it make sense.

  • jadero@programming.dev
    link
    fedilink
    arrow-up
    53
    arrow-down
    2
    ·
    1 year ago

    I learned that Android was not open under my personal definition of “open” right from the outset, because there was no programmatic access to telephony. My first project was to build an on-board answering machine with call screening capabilities.

    I used an answering machine on my landline to avoid paying for caller id and voicemail and wanted to do the same with my cellphone. I was very disappointed to learn that this was not possible, at least with my skillset.

    I knew that things were going the wrong way when my Tasker script to manage airplane mode stopped working when Android required locked it away. My use case there was that lack of connectivity at the gym and at home meant that connection attempts were draining my battery and heating up the phone. Now, of course, Android does a much better job of that particular task on its own, but it still makes me cranky. :)

    Everything that has happened since has only cemented my opinion that Android is not actually an open platform. I do see many of the changes as potentially valuable security measures for the masses, but I wish that it wasn’t quite so difficult for a power user to use the power of the little computer we carry in our pockets.

    • 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
      link
      fedilink
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      On my last android device I didn’t need root at all, but on my current one Google has gimped the OS so much that root access is the only way to have any kind of ownership of the device.

      Even just the fact that Google’s “backup” system (which does not handle app data the last time I checked) depends on the cloud, instead of iTunes that has been able to do a full system backup to your own computer for YEARS (in addition to icloud), is honestly a big joke in my eyes.

      Everything that has happened since has only cemented my opinion that Android is not actually an open platform. I do see many of the changes as potentially valuable security measures for the masses, but I wish that it wasn’t quite so difficult for a power user to use the power of the little computer we carry in our pockets.

      I feel exactly the same way

      • Domi@lemmy.secnd.me
        link
        fedilink
        arrow-up
        8
        ·
        edit-2
        1 year ago

        Their backup system does handle app data, but only if the app does not opt out of it. Which is an incredibly stupid system. It’s my phone, if I tell it to backup up my data it better back up everything. I don’t care if some banking app thinks it’s too good to be backed up.

        However, as a long time rooted phone user I know that the rooting community is always 2 steps ahead of Google so most likely nothing will change.

        • alr@programming.dev
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          I’m not sure I want my banking apps to store anything on my phone in the first place. But maybe that’s just me. I don’t even use banking apps.

      • jadero@programming.dev
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I ran Copperhead OS (the predecessor to Graphene) and really liked it. Sadly, the phone went into the lake and I’ve not been able to afford to replace it with one capable of Graphene.

  • XYZinferno@lemmy.basedcount.com
    link
    fedilink
    arrow-up
    40
    arrow-down
    1
    ·
    1 year ago

    I already hated Android 12 for overhauling the aesthetic for the worse: making volume sliders obscenely wide, making the notification shade just an over-enlarged mess, and the half-assed implementation of Material You. On my Pixel 3 that I used at the time, this change alone made me root a phone for the first time just to fix all of it.

    Two updates later and once again Google fucks up something that was perfectly fine before and turns me off from their operating system yet again. While I’m nowhere close to using an iPhone, I may just use GrapheneOS if I have to switch to a phone that comes with Android 14+ out of the box.

    • Ganrokh@lemmy.world
      link
      fedilink
      arrow-up
      9
      ·
      1 year ago

      An update in the last year added a “feature” where, when I search something, if my query is even vaguely close to the name of an app on my phone, Android will open that app instead of doing my search. I, for the life of me, haven’t been able to figure out how to disable it. That alone made me hate Android.

      • XPost3000@lemmy.ml
        link
        fedilink
        arrow-up
        5
        ·
        1 year ago

        I don’t understand why I get zero choice

        Absolutely agree, I use to get excited for new updates to anything, cuz like “yay new things” or “old things but less buggy”

        But recently I’ve been absolutely sulking over the modern software updating paradigm of shipping perfectly fine updates with completely useless UI changes that absolutely nobody wanted so tech companies can justify having an in-house UI team

        Like my phone, on Android 11 I set the custom color to a really nice red color, i matched it to my wallpaper and everything, I loved it

        And then Android 12 hits, and that lovely red gets replaced with some bologna enthusiast’s spamcore aesthetic

        I’m sorry, Material “You”?. Nah this is Material Somebody Else fr

        And I can’t do anything to change the colors of my own phone

        I hate being a slave to UI teams, let me change the colors atleast, damnit

        I am so close to just rooting my phone ngl

  • jemikwa@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    22
    ·
    edit-2
    1 year ago

    From an IT perspective with little context on this change other than what’s in the article, if there’s no way to import your own certs using an MDM, this change is terrible for businesses.

    You need custom certs for all kinds of things. A company’s test servers often don’t use public CA certs because it’s expensive (or the devs are too lazy to set up Let’s Encrypt). So you import a central private CA cert to IT-managed devices so browsers and endpoints don’t have a fit.

    For increased network security, private CAs are used for SSL decryption to determine what sites devices are going to and to check for malware embedded in pages. In order to conduct SSL decryption, you need your own private CA cert for decrypting and re-encrypting web content. While this is on the decline because of pinned certs being adopted by big websites, it’s still in use for any sites you can get away with. You basically kill any network-level security tools that are almost certainly enabled on the VPN/SASE used to access private test sites.

    • alr@programming.dev
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Re: too lazy for Let’s Encrypt, a) last I used LE (for my personal site), your site had to be publicly available on the Internet so that you could prove you controlled the site. Most test servers are not public. and b) many (most?) companies would throw a fit if you started generating your own certificates for their domains.

      But there are always solutions. I was able to talk my company into getting properly signed certs for our test servers.

  • OneCardboardBox@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    20
    ·
    1 year ago

    This article isn’t clear on one question: Are users still able to add new trusted authorities? I have a custom CA installed so as to be able to access self-hosted https services inside my home network. Given that Android now prevents you from accessing sites with an untrusted/self-signed cert, I need this feature.

    • HTTP_404_NotFound@lemmyonline.com
      link
      fedilink
      English
      arrow-up
      20
      ·
      1 year ago

      System Certificates

      Aka, you cannot untrust google’s certs. And google can do whatever the fuck they want, and you cannot change or alter that behaviour.

      So, if google wants to publish a root CA, that allows them to act on behalf of any other domain, they can do that. etc.

    • mrkite@programming.dev
      link
      fedilink
      arrow-up
      32
      arrow-down
      2
      ·
      1 year ago

      Maybe read the article and not look like an idiot. All they did was move the certificates into a signed package that is updated through Google Play. They can revoke certs even faster now because it doesn’t require a system update.

      • ArbiterXero@lemmy.world
        link
        fedilink
        arrow-up
        15
        ·
        1 year ago

        Cool, so I can’t revoke the certs myself? Still bad.

        I can’t add my own for testing? Still bad.

        They manage it via an app that I can’t change at all? Still bad.

      • Wahots@pawb.social
        link
        fedilink
        arrow-up
        6
        ·
        edit-2
        1 year ago

        What if you can’t access gplay for various reasons? (Non-stock OS, geographic lockout, etc etc)

        Are you just straight-up boned when 14 rolls around? Genuinely curious

        • 0x2d@lemmy.ml
          link
          fedilink
          arrow-up
          4
          ·
          1 year ago

          I hope that on LineageOS that you will still be able to manage your own certificates

    • sudotstar@kbin.social
      link
      fedilink
      arrow-up
      11
      ·
      1 year ago

      IMO this isn’t a real “solution” to the problem here, but this article states Android 14 also allows Google to manage device CAs remotely and push updates via Google Play, and goes into detail about how that mechanism is poorly documented publicly and is basically only an option for Google themselves, not any third party device administrators.

      Google can easily claim that all security concerns are handled by their own management while continuing to deny access to all third parties to actually handle that responsibility themselves if desired.

    • mathemachristian[he]@lemm.ee
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      I mean thats what its mainly for? To quickly update CAs without needing to do it as a system update that the vendor needs to vet first

  • colonial@lemmy.world
    link
    fedilink
    arrow-up
    4
    ·
    1 year ago

    I’m pretty sure I can’t even connect to my university’s network without installing a custom certificate.

    What brainlet at Google thought this was a good idea?

  • Solemarc@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    By all means correct me if I’m wrong, but looking at the PR this article links to. It looks like all that’s happening is that Google’s trusted certs are being added to an android security API and are now immutable. Any non Google certs are still going to be saved to ANDROID_ROOT/etc/security/cacerts the same as they currently are.