Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs
Expiration of cross-signed root certificates spells trouble for pre-7.1.1 kit... unless they're using Firefox
Updated Let's Encrypt, a Certificate Authority (CA) that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year.
Let's Encrypt launched four years ago to make it easier to set up a secure website. To jumpstart its trust relationship with various software and browser makers – necessary for its digital certificates to be accepted – it piggybacked on IdenTrust's DST Root X3 certificate. As a result, the non-profit's certificates could be presented by websites and be trusted by all the major web browsers to connect to them securely.
The CA, overseen by the Internet Security Research Group (ISRG), subsequently issued its own root certificate (ISRG Root X1) and applied for it to be trusted by the major software platforms. By July 2018, ISRG Root X1 had been accepted by Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry, and it was no longer really necessary to have IdenTrust's DST Root X3 vouch for Let's Encrypt's character.
Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied on for cross-signing will expire, and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, or at least not without error messages. We're looking at you, Android.
"Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1," explained Jacob Hoffman-Andrews, a lead developer on Let's Encrypt and senior staff technologist at the Electronic Frontier Foundation, in a notice on Friday.
"Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt."
The trust lapse will hit about a third of the Android devices currently operating, Hoffman-Andrews claims. With more than 2.5bn active Android users, the impact will be noticeable, though not too much so – those aging Android devices account for only about one to five per cent of internet traffic, apparently. Still, it's worth mentioning.
The Android ecosystem, as Hoffman-Andrews observes, has long had a problem getting Google's mobile hardware partners to push software updates to their Android devices, particularly after a few years. And that remains the case today.
Unfortunately, Hoffman-Andrews says that there's not much that can be done to ensure Android hardware partners update their devices. And, he adds, buying everyone a new phone isn't a realistic option.
One meaningful thing that affected Android users can do is use Firefox, which comes with its own list of trusted root certificates and thus should recognize the ISRG Root X1 certificate. It may also be possible to install the necessary certificates yourself, by hand, on your device. We also wonder if Google could update Chrome on older Android devices to include the certs.
Hoffman-Andrews said that starting January 11, 2021, Let's Encrypt will implement a change in its API to allow Automatic Certificate Management Environment (ACME) clients like Certbot to serve a certificate chain pointing to the ISRG Root X1 by default. But the plan is to maintain an option to set up an alternate link relation tied to the older DST Root X3 certificate for the sake of compatibility.
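To make the trust failure described above concrete, here is an added Python model (not Let's Encrypt's code or Certbot's) of how a client builds a path from a site certificate to a root it trusts: the same site certificate is accepted or rejected depending on whether the served chain ends at ISRG Root X1 or appends the IdenTrust cross-sign, whether the client's store contains ISRG Root X1, and whether the check happens before or after DST Root X3 expires. The intermediate name R3, the site name and every date other than the September 1, 2021 expiry are assumed placeholders, not the real certificates' values.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # expiry

# Constructed stand-ins for the certificates the article discusses. Only the DST Root X3
# expiry (1 September 2021) is taken from the article; every other date is a placeholder.
LEAF = Cert("example.test", "R3", date(2021, 11, 1))                   # hypothetical site cert
R3 = Cert("R3", "ISRG Root X1", date(2025, 1, 1))                       # assumed intermediate name
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root X3", date(2021, 9, 1))  # cross-sign from IdenTrust
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1))       # Let's Encrypt's own root
DST_X3 = Cert("DST Root X3", "DST Root X3", date(2021, 9, 1))          # IdenTrust root, expiring

# Chains a server might send: the post-January-11 default ending at ISRG Root X1,
# and the compatibility alternate that appends the cross-sign to DST Root X3.
DEFAULT_CHAIN = [LEAF, R3]
COMPAT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Trust stores: pre-7.1.1 Android never received ISRG Root X1; an updated client
# (or Firefox, which ships its own store) has both roots.
OLD_ANDROID = {DST_X3}
UPDATED = {DST_X3, ISRG_X1}
BEFORE_EXPIRY, AFTER_EXPIRY = date(2021, 8, 1), date(2021, 9, 15)

def build_path(leaf, served, anchors, on):
    """Simplified path building: follow issuer links from the leaf through the served
    certs to a trusted anchor; every cert on the path, anchor included, must be unexpired."""
    def search(cert, depth):
        if cert.not_after < on or depth > 5:
            return None
        for anchor in anchors:
            if anchor.subject == cert.issuer and anchor.not_after >= on:
                return [cert, anchor]
        for cand in served:
            if cand.subject == cert.issuer and cand.subject != cand.issuer:
                path = search(cand, depth + 1)
                if path:
                    return [cert] + path
        return None
    return search(leaf, 0)

def can_connect(anchors, on, served=COMPAT_CHAIN):
    """True if a client with trust store `anchors` accepts the served chain on date `on`."""
    return build_path(LEAF, served, anchors, on) is not None

if __name__ == "__main__":  # stand-alone demo: [before expiry, after expiry] per client
    for label, store in (("Android < 7.1.1", OLD_ANDROID), ("updated client", UPDATED)):
        print(label, [can_connect(store, d) for d in (BEFORE_EXPIRY, AFTER_EXPIRY)])
```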
Those who get Let's Encrypt certs from their hosting provider are advised to get in touch with the provider if there are issues with the root certificate being presented. ®
Updated to add on January 4, 2021
At the end of December, a spokesperson for Let's Encrypt got in touch to say the project had, with respect to older Android gear, "developed a new certificate chain that will prevent incompatibility with these devices to allow more time for them to age out of the market."
There are more details here.