Anyone here work for/with Logitech? I'd love to know the nitty gritty behind the "encryption certificate expires" PR simplification and why a new one can't/won't be cut. (sole embedded root expiring? something else?)
Having worked for a flailing IoT startup before, I can tell you that it's not uncommon for products to ship with TLS certificates, but without any notion of a PKI or cert management infrastructure that would enable these devices to keep working in the future. As usual, a rush to launch leads to corners being cut. Sometimes these arguably crucial pieces are added later; other times, customers are left holding the bag when renewal of certificates turns out to be impossible for one reason or another.
Their doodad had all the features. Yours has a really great update framework. Guess which one gets funded at demo day, or makes it to retail shelves this Christmas?
If your doodad has a weak enough update framework that it bricks itself a handful of years after production, good luck getting any revenue or funding going forward.
The phrase I read was not "encryption certificate" but "technology certificate", which sounded more like something along the lines of a license for some third-party IP, or an API key for a subscription service that Logitech had been paying for. But I agree it's a vague simplification and more details would be interesting.
It could be similar to when YouTube stopped supporting shorter encryption keys, and a lot of streaming hardware suddenly became useless because they couldn't support longer keys.
I'd love to understand the thought process of the exec or product manager who sat in that meeting and said, "You know what we should do? We should just turn off the service and make all of our customers' devices not work anymore! And then see if they'll buy another similar device from us after hearing the news."
This is pure speculation, but if I had to guess, I'd bet they baked a Symantec-owned root into the product without an upgrade path, and they use a third-party provider who is moving their endpoint away from Symantec (or one of Symantec's other brands) because of the big distrust that's happening next month due to all of their misissuances. That means the devices won't be able to connect to the endpoint once the cert changes.
- Firmware is running SSL which doesn't support SHA-256, and a SHA-1 cert is expiring soon.
- Device (or other devices it communicates with) relies on cert pinning back to Symantec-owned roots, and will somehow be affected by the Symantec distrust and DigiCert acquisition.