by sansnom
1024 days ago
It's very good news for security and also for 99.99% of Android users. But don't get me wrong, it would be nice to support power users; they just need to add a feature to easily add a chosen CA and it would be perfect.

Currently, CA management is very dangerous because it is not updated (as stated in the article). New CAs were not added, so if you kept your phone long enough you would see insecure warnings popping up. People would get into the habit of accepting without thinking: a very problematic behaviour. One solution is to use Firefox, which doesn't use the system CAs, unlike Chrome.

Another, more problematic one: untrusted CAs were not removed (the author gives the example of TrustCor, but there were other examples in the past like DigiNotar). Who knows what happens to the private keys of old untrusted CAs? If they end up in the wrong hands, people could get MITMed. (Personally, I had to remove DigiNotar from my old phone.)

And of course, as the author said, it's also problematic for new certificate authorities like Let's Encrypt, which at one time needed the complex cross-signed certificate to ensure its certificates work for everyone. [1][2]

[1] https://letsencrypt.org/2020/11/06/own-two-feet.html
[2] https://letsencrypt.org/2020/09/17/new-root-and-intermediate...