(This answer will cover Android users that have access to Firefox on a desktop computer. Please add other answers to cover other users!)
What's wrong? What do we do about it?
If you use an app that uses an affected certificate, you may have noticed on May 30 that it suddenly refuses to operate. "Better" apps may show an actually useful error message, but many simply throw an immediate error to "check your internet connection" when there is nothing wrong with the network connection.
The cause, as noted, is an expired CA certificate which causes the initial handshake with the server to be rejected.
For laypersons, a typical session starts like this:
Client: Hello, server? Can I talk to you?
Server: Sure! Here's my identification!
*Client checks identification*
When things are working, the client recognizes the identification and continues to talk to the server. What's happening with the Sectigo-issued certificates is that the client sees a) an expired signature and b) an unrecognized signature, so it refuses the connection as "insecure". Apps may or may not even know what is happening, but in any case, the effect is that the attempt to connect to the server is denied.
Newer devices don't have this problem because they know about the updated certificate. So, the problem can be resolved on older devices by manually installing the relevant CA certificate. But first...
Is this safe?
Probably. This guide will explain how to install a certificate that you already trust. I can't promise that that certificate isn't compromised, but if it is, you are already pwned. You can (and should!) also verify the certificate's fingerprint via another means, for example, by comparing the fingerprints against those on a second device.
After installation, your device may complain that "an unknown party may be able to monitor your network traffic". While this may be true, if you are really worried about CA's, you shouldn't be online at all. (Also, AFAIK this would only "expose" information encrypted with certificates signed by Sectigo; anything else is still as secure as always.)
Is this "cracking"? Will it violate my ToS?
Absolutely not! What you are doing is essentially applying (a small portion of) an update that your device vendor should have been making available to you in the first place. Any device with an up-to-date trust store already has this certificate. (That is, in fact, where you are going to obtain the certificate in the first place.) Additionally, installing a CA certificate is in no way specific to any particular app or service.
If any company believes this to be a violation of their ToS, they are incompetent and frankly you should avoid dealing with them.
Enough already, what do I do?
First, you will need a) a computer with a reasonably up-to-date web browser (as noted earlier, I'm using Firefox, but the procedure for Chrome should be similar) and b) a way to transfer a file from said computer to the device that needs to be "fixed". A USB cable is the "obvious" and probably most secure choice, but you could also e-mail the file to yourself. (If you do this, make sure to verify the fingerprint!)
You could also download the certificate from Sectigo, but how do you know you trust them? Your web browser / OS vendor did the legwork (hopefully!) to verify that they are trustworthy. You shouldn't just take the word of some guy on a web forum that the certificate is "safe". Again, this is why you are going to obtain a copy of the certificate that you already trust.
How do I obtain the certificate?
- Open Firefox and navigate to
about:preferences#privacy
. You can also get there by selecting "Preferences" from the 'hamburger' menu and selecting the "Privacy" tab.
- Scroll to the bottom and press the "View Certificates.." button.
- Scroll until you find "The USERTrust Network".
- Under the aforementioned item, find and select "USERTrust RSA Certification Authority".
- Press "Export..." and save the certificate somewhere.
- Don't close your web browser yet. Press "View..." first and leave that tab open.
- Copy the resulting file to your device.
How do I install the certificate?
- On your Android device, go to "System settings".
- Go to "security" (on my device, it is under "Personal").
- Under "Credential storage", tap "Install from SD card". (You don't need an SD card; the option is badly named. You can install from a bunch of places, including internal storage or Google Drive.)
- Locate and select the certificate you obtained previously.
- Give it a name (e.g. "USERTrust RSA" or "foo"; the name you enter doesn't appear to actually be used anywhere). Make sure that for "Credential use" you have selected "VPN and apps" (it should be selected by default).
- Tap "OK" to add the certificate. You apps should work now!
WAIT!
How do I verify the certificate?
While still in "Security", tap on "Trusted credentials", then "User". You should see the certificate you just added. Tap on it to see its details. In particular, look for the "SHA-256 fingerprint", which should be (assuming neither my computer nor this answer have been compromised):
E7:93:C9:B0:2F:D8:AA:13:E2:1C:
31:22:8A:CC:B0:81:19:64:3B:74:9C:
89:89:64:B1:74:6D:46:C3:D4:CB:D2
(I've added line breaks to match how it shows on my tablet, which may be convenient if your device adds line breaks in the same place. They don't mean anything, though, so don't panic if you see line breaks in different places.)
You should also compare the fingerprint against the certificate as it is stored on your computer (using the tab you left open earlier). If all three match, the probability that your copy of the certificate is compromised somehow is very low.