As Chromecast Outage Drags On, Fix Could Be Days To Weeks Away (theregister.com)
On March 9, older Chromecast and Chromecast Audio devices stopped working due to an expired device authentication certificate authority that made them untrusted by Google's apps. While unofficial apps like VLC continue to function, Google's fix will require either updating client apps to bypass the issue or replacing the expired certificates, a process that could take weeks; however, Google has since announced it is beginning a gradual rollout of a fix. The Register reports: Tom Hebb, a former Meta software engineer and Chromecast hacker, has published a detailed analysis of the issue and suggests a fix could take more than a month to prepare. He's also provided workarounds here for folks to try in the meantime. We spoke to Hebb, and he says the problem is this expired device authentication certificate authority. [...] The fix is not simple. It's either going to involve a bit of a hack with updated client apps to accept or workaround the situation, or somehow someone will need to replace all the key pairs shipped with the devices with ones that use a new valid certificate authority. And getting the new keys onto devices will be a pain as, for instance, some have been factory reset and can't be initialized by a Google application because the bundled cert is untrusted, meaning the client software needs to be updated anyway.
Given that the product family has been discontinued, teams will need to be pulled together to address this blunder. And it does appear to be a blunder rather than planned or remotely triggered obsolescence; earlier Chromecasts have a longer certificate validity, of 20 years rather than 10. "Google will either need to put in over a month of effort to build and test a new Chromecast update to renew the expired certificates, or they will have to coordinate internally between what's left of the Chromecast team, the Android team, the Chrome team, the Google Home team, and iOS app developers to push out new releases, which almost always take several days to build and test," Hebb explained. "I expect them to do the latter. A server-side fix is not possible."
So either a week or so to rush out app-side updates to tackle the problem, or much longer to fix the problem with replaced certs. Polish security researcher Maciej Mensfeld also believes the outage is most likely due to an expired device authentication certificate authority. He's proposed a workaround that has helped some users, at least. Hebb, meanwhile, warns more certificate authority expiry pain is looming, with the Chromecast Ultra and Google Home running out in March next year, and the Google Home Mini in January 2027.
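The summary above describes the mechanism but not what it looks like in a verifier. The Go program below is an added illustration, not code from Google, The Register or Hebb's analysis, built on Go's standard crypto/x509. It models a per-device leaf certificate issued by a factory device CA whose own validity window is shorter than the leaf's; the CA name "Example Device CA", the device name, the exact dates and the ECDSA key type are all assumptions for the example. Diagnose shows that ordinary path validation fails the day after the CA's NotAfter even though the device's own certificate has years left, and VerifyWithPinnedIssuer shows the shape of the app-side workaround the summary mentions: keep the signature check against the pinned device CA and the leaf's own window, but stop treating the CA's expiry as fatal.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DeviceChain is a constructed stand-in for a Chromecast-style device identity: a per-device
// leaf issued by a factory device CA. Names, dates and key type are assumptions, not real values.
type DeviceChain struct{ CA, Leaf *x509.Certificate }

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain creates a CA whose 10-year window ends on 2025-03-09 and a leaf whose own window
// runs to 2036: the leaf outlives its issuer, which is the situation the article describes.
func BuildChain() (*DeviceChain, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	devKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"}, // assumed name
		NotBefore:             time.Date(2015, 3, 9, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2025, 3, 9, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed trust anchor
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "device-0001"}, // assumed name
		NotBefore:    time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2036, 1, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	leaf, err := issue(leafTmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &DeviceChain{CA: ca, Leaf: leaf}, nil
}

// VerifyAt is the default client behaviour: full path validation at time now. Go checks the
// window of every certificate on the path, trust anchor included, so an expired CA fails the leaf.
func VerifyAt(c *DeviceChain, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.CA)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// Diagnose reports whether strict validation passes at now and which certificates are outside
// their window. The explicit walk matters: an expired trust anchor comes back from Verify as a
// generic UnknownAuthorityError that does not name the expired certificate.
func Diagnose(c *DeviceChain, now time.Time) (ok bool, expired []string) {
	for _, cert := range []*x509.Certificate{c.Leaf, c.CA} {
		if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			expired = append(expired, cert.Subject.CommonName)
		}
	}
	return VerifyAt(c, now) == nil, expired
}

// VerifyWithPinnedIssuer is the shape of the app-side workaround: keep the signature check against
// the pinned device CA and the leaf's own window, but stop treating the CA's NotAfter as fatal.
func VerifyWithPinnedIssuer(c *DeviceChain, now time.Time) error {
	if now.Before(c.Leaf.NotBefore) || now.After(c.Leaf.NotAfter) {
		return fmt.Errorf("leaf %q is outside its own validity window", c.Leaf.Subject.CommonName)
	}
	return c.Leaf.CheckSignatureFrom(c.CA) // also enforces that the parent is allowed to sign
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	now := time.Date(2025, 3, 10, 0, 0, 0, 0, time.UTC) // the day after the CA expires
	ok, expired := Diagnose(c, now)
	fmt.Println("strict verify ok:", ok, "expired:", expired, "pinned-issuer err:", VerifyWithPinnedIssuer(c, now))
}
```

The pinned-issuer check is defensible only because the trust anchor is baked into the client and the leaf's own window is still enforced; it gives up the expiry guarantee on the CA and is a stopgap until the devices can be re-keyed under a valid CA, which is the second, slower option the summary describes. It also shows why a server-side fix is not possible here: the client is the party doing the validation, so either the client's rule or the device's credential has to change.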
mine is already fixed (Score:5, Informative)
I turned it on today after weeks and the first thing it did was update itself. it's working.
Re: (Score:2)
I should check mine, but it's built into the TV so I assume it's already updated. Too bad about Chromecast and YouTube deprecating such a useful service. This is why I never buy into proprietary tech anymore, no matter how enticing. These transnational classist corporations just can't be trusted; sooner or later they turn the technology against us or they turn it off.
Re: mine is already fixed (Score:2)
this only applies to Chromecast second generation hardware. I guess what you're talking about is Android TV but in this case it's managed by the TV manufacturer and not by Google
Re: mine is already fixed (Score:2)
That's good to hear. The last week has been frustrating watching shit on a laptop with out of sync Bluetooth audio sent to the speaker system.
Re: mine is already fixed (Score:2)
Because Bluetooth has latency. It's not designed to sync up with what's on screen, so there's a noticeable delay between video and audio.
Chromecast has latency too, but it's synced latency.
Cert management is one of the most common tech debts. (Score:5, Informative)
Everywhere I go certificate management is always on the tech debt pile. Left for some poor guy in Ops to panic and fix at 3:00am.
Automated certificate management systems have now been around for years. But rarely do I see them rolled out in edge devices and software systems. It's always bundled into the firmware or as part of an application package, so it's often difficult to fix, especially once a product reaches end of life. It becomes a ticking time bomb. Most companies just go, "Oops, sorry, we bricked your toy." At least Google is trying to fix it.
I always make sure the ticket is on the kanban/sprint backlog. But funny thing is the card seems to vanish near release time. So do a bunch of other cards. Hmmmm.
It doesn't help that most shops barely maintain their central secrets management store. I've seen these things outright deleted, blowing away any chance of recovering lost key pairs.
Re: (Score:2)
Especially if the certificate was set up with a quite long expiration time like 10 years so that the person that did set it up has left for greener pastures and didn't document it because the tech was never intended to live that long.
DANE (Score:2)
It's 2025, use DNSSEC and DANE.
https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
Certificate expiration causes more problems (Score:2)
Certificate expiration offers theoretical security improvements and real, practical pain at defined intervals across the entire tech industry.
It wasn't worth it.
Re: (Score:2)
Strict "we don't support this version of TLS or SSL anymore" policies are similar. Planned obsolescence, waste of time, money, environmental damage, effectively bricked hardware for largely hypothetical gains. Use the best version that the device supports, don't cut people who own older devices off from the Internet. That goes for SSH versions as well - it doesn't matter how locked down your network is, the developers of software like OpenSSH have a policy of making it as painful as possible for you to use
Re: (Score:3)
Uh no. Our certificate model, while flawed, is still one of the best mechanisms for validating who you're communicating with. Expirations can create havoc, but they're a necessary evil. Some companies have products and services to manage certificate renewal and deployment. Why Google didn't avail itself of at least one of those solutions is a mystery.
There are some issues with certificates, largely, it's in the CA trust, i.e., deliberate organizationally installed MITM devices that spoof certificates in the
Hilarious (Score:2)
Re: (Score:2)
Almost like using certificates with expirations when you have no automated solution to update them is a bad idea, and amounts to putting a time bomb in every product you ship.
Haven't used my Chromecast in years.... (Score:2)
but pushing 90 day max for servers (Score:2)
They (Google) are the same people pushing 90 day max expiration dates for all "server" certs after they ranged through the 1 year limit a couple of years back.
(and WERE pushing 7 year max CA certs before being beaten back to 14)
(https://www.digicert.com/blog/chromes-proposed-90-day-certificate-validity-period)
So I'm enjoying the schadenfreude on this one.
Re: but pushing 90 day max for servers (Score:2)
Presumably this is so they can catch cert renewal issues during the QA cycle and never have problems like this in the future.
Re: (Score:2)
Nah, it's (imo ofc) the same kind of runaway security-for-its-own-sake thinking that led to a generation of forced password expiration every 90 days until suddenly the gender broke 2 or 3 years ago. And pwd "complexity" rules, where it's still getting worse.
I'm curious when people are going to start requiring an expiration date on SSH keys too, rotating SSH keys, say, every 90 days.
Also on TOTP: reset every entry in the authenticator app every few months.
Also every API token (including the one that allows