
Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs


steven36


Expiration of cross-signed root certificates spells trouble for pre-7.1.1 kit... unless they're using Firefox


Let's Encrypt, a Certificate Authority (CA) that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year.

 

Let's Encrypt launched four years ago to make it easier to set up a secure website. To jumpstart its trust relationship with various software and browser makers – necessary for its digital certificates to be accepted – it piggybacked on IdenTrust's DST Root X3 certificate. As a result, the non-profit's certificates could be presented by websites and be trusted by all the major web browsers to connect to them securely.

 

The CA, overseen by the Internet Security Research Group (ISRG), subsequently issued its own root certificate (ISRG Root X1) and applied for it to be trusted by the major software platforms. By July 2018, ISRG Root X1 had been accepted by Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry, and it was no longer really necessary to have IdenTrust's DST Root X3 vouch for Let's Encrypt's character.

 

Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied on for cross-signing will expire, and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least. We're looking at you, Android.

 

"Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1," explained Jacob Hoffman-Andrews, a lead developer on Let's Encrypt and senior staff technologist at the Electronic Frontier Foundation, in a notice on Friday.

 

"Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt."

 

The trust lapse will hit about a third of the Android devices currently operating, Hoffman-Andrews claims. With more than 2.5bn active Android users, the impact will be noticeable, though not too much so – those aging Android devices account for only about one to five per cent of internet traffic, apparently. Still, it's worth mentioning.

 

The Android ecosystem, as Hoffman-Andrews observes, has long had a problem getting Google's mobile hardware partners to push software updates to their Android devices, particularly after a few years. And that remains the case today.

 

Unfortunately, Hoffman-Andrews says that there's not much that can be done to ensure Android hardware partners update their devices. And, he adds, buying everyone a new phone isn't a realistic option.

 

One meaningful thing that affected Android users can do is use Firefox, which comes with its own list of trusted root certificates and thus should recognize the ISRG Root X1 certificate.

 

Hoffman-Andrews says that starting January 11, 2021, Let's Encrypt will implement a change in its API to allow Automatic Certificate Management Environment (ACME) clients like Certbot to serve a certificate chain pointing to the ISRG Root X1 by default. But the plan is to maintain an option to set up an alternate link relation tied to the older DST Root X3 certificate for the sake of compatibility.

 

Those who get Let's Encrypt certs from their hosting provider are advised to get in touch with the provider if there are issues with the root certificate being presented.

 

Source

 

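The paragraph above describes the ACME-side mechanism: after January 11, 2021 the certificate URL serves the ISRG Root X1 chain by default, and an alternate chain is advertised through a link relation the client may follow instead. The following is an added example, not code from Let's Encrypt, Certbot or the article, showing how an ACME client selects among those chains using the RFC 8555 `Link: <url>;rel="alternate"` header. The server URL `acme.example`, the responses, and the chains (subject/issuer names only, no real certificates) are constructed stand-ins; they model the two chains the article describes, one ending in ISRG Root X1 and one ending in DST Root CA X3.

```python
"""Select an ACME certificate chain by preferred root (RFC 8555 section 7.4.2).

Added example, not Let's Encrypt or Certbot code. After issuance the ACME
server returns the default chain from the certificate URL and lists other
chains in Link headers with rel="alternate"; the client may fetch those and
pick one by the root it terminates in. Network access is replaced by a
constructed table of responses so the script runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

# A chain is an ordered list of (subject, issuer) pairs, leaf first, the
# same order as certificates in a PEM chain file. The root itself is not
# included; the issuer of the last certificate names it.
Chain = List[Tuple[str, str]]

# Constructed sample responses (assumption: URLs and chains are not real).
DEFAULT_URL = "https://acme.example/cert/abc"
SAMPLE_RESPONSES: Dict[str, dict] = {
    DEFAULT_URL: {
        "headers": {
            "Link": '<https://acme.example/cert/abc/1>;rel="alternate", '
                    '<https://acme.example/directory>;rel="index"'
        },
        "chain": [("example.com", "R3"), ("R3", "ISRG Root X1")],
    },
    "https://acme.example/cert/abc/1": {
        "headers": {},
        "chain": [("example.com", "R3"), ("R3", "DST Root CA X3")],
    },
}

# <url>;rel="value" entries, comma separated; quotes around rel are optional.
LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^",]+)"?')


def parse_link_alternates(link_header: str) -> List[str]:
    """Return the URLs of every rel="alternate" entry in a Link header value."""
    return [url for url, rel in LINK_RE.findall(link_header) if rel == "alternate"]


def chain_is_linked(chain: Chain) -> bool:
    """Sanity check: each certificate's issuer must be the next certificate's subject."""
    return all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))


def chain_root(chain: Chain) -> str:
    """Name of the root the chain terminates in: the issuer of its last certificate."""
    return chain[-1][1]


def fetch(url: str) -> dict:
    """Stand-in for the ACME POST-as-GET download; serves the constructed table."""
    return SAMPLE_RESPONSES[url]


def select_chain(cert_url: str, preferred_root: Optional[str] = None) -> Tuple[str, Chain]:
    """Return (root_name, chain).

    With no preference the server default wins. With a preference, the default
    chain and then each alternate (in Link order) is checked for a root whose
    name matches; if none matches, the default is used, so a stale preference
    never leaves the client without a chain.
    """
    default = fetch(cert_url)
    candidates: List[Chain] = [default["chain"]]
    for alt_url in parse_link_alternates(default["headers"].get("Link", "")):
        candidates.append(fetch(alt_url)["chain"])

    for chain in candidates:
        if not chain_is_linked(chain):
            continue  # refuse a chain whose issuer/subject links do not line up
        if preferred_root is None or chain_root(chain) == preferred_root:
            return chain_root(chain), chain

    return chain_root(candidates[0]), candidates[0]


if __name__ == "__main__":
    for pref in (None, "DST Root CA X3", "No Such Root"):
        root, chain = select_chain(DEFAULT_URL, pref)
        print(f"preferred={pref!r:20} -> chain ends in {root}")
```

With no preference the client installs the ISRG Root X1 chain, which is what a pre-7.1.1 Android device without that root will reject; asking for `DST Root CA X3` follows the alternate link and installs the chain the old devices still trust until that root expires in September 2021. Certbot exposes the same choice through its `--preferred-chain` option, which matches on the issuer name of the topmost certificate and falls back to the default chain when nothing matches.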

Android 7.1.1 or earlier devices will face connection issues next year

 

From September 1, 2021 forward, Android devices still running Android 7.1.1 or earlier will face connection issues for a large number of sites and services.

 

Sites and services that implement HTTPS need to use certificates for that. A popular choice is Let's Encrypt as it is offering free certificates. The service started five years ago and has since then become used widely on the Internet.

 

Let's Encrypt got a cross-signature from IdenTrust when it started to ensure that its certificates were trusted right away. With the partnership in place, Let's Encrypt managed to get on a lot of devices and systems in a short period of time.

 

The organization started to issue its own root certificate, called ISRG Root X1, and applied to have it integrated into the certification root stores of important software platforms. The original certificate is now trusted on major software platforms.

 

The cross-signature root certificate will expire on September 1, 2021. Expiration means that it cannot be used anymore. While that is not a problem for systems that have received the new root certificate of Let's Encrypt, it is a major problem for systems that ran out of support earlier.

 

On Android, that includes all devices running Android 7.1.1 or earlier. Let's Encrypt estimates that about a third of all Android devices are on that version or earlier versions of the operating system. The good news is that two-thirds of devices are up to date and will not face any connectivity issues. The remaining one third, on the other hand, will run into connectivity issues when they try to access sites that use a Let's Encrypt certificate. The number is already lower now, as Google stopped publishing Android platform version distribution information in September 2020.

 


 

Fragmentation is a problem on Android, especially since many manufacturers of Android devices provide only limited support with regard to updates.

 

The only solution, other than buying a new Android device that is using a newer version of the operating system, is to use a browser that uses its own certificate store. Let's Encrypt recommends Firefox for Android for that, as it is the only major browser that comes with its own certificate store. Firefox for Android requires Android 5 or higher currently.

 

Google did reveal recently that it plans to switch from using the operating system's root store to its own in the company's Chrome web browser to get more control over certificates and ensure that the experience is identical on all platforms in regards to security and accessing sites.

 

Whether Chrome for Android will start using its own root store before September 2021 arrives remains to be seen though.

Closing Words

The market share of Android 7.1.1 and older devices will shrink in the coming ten months but there is a good chance that a large number of devices will still be in use in September 2021.

 

 



Similar topics merged.

 

(Today's score now tied at 1-all) :P
