Older Android Phones Won't Be Able To Visit Many Websites Starting September 2021

Android Nougat

Smartphones are one of the very first things people pick up every morning, and one of the last things they put down every night.

Among the many capabilities smartphones have is letting users browse the web. Android is the most popular mobile operating system, and unfortunately for millions of people, phones running older versions of it won't be able to browse many secure websites starting September 2021.

This is because the Mozilla-partnered nonprofit Let’s Encrypt said that its cross-signing partnership with certificate authority IdenTrust will expire on September 1, 2021. Since it has no plans to renew the cross-signing agreement, Let’s Encrypt will stop serving, by default, the chain cross-signed by IdenTrust’s DST Root X3 root certificate.

As the organization switches over to its own ISRG Root X1 root, Android versions before 7.1.1 Nougat, whose trust stores do not contain that root, won’t be able to trust certificates that chain to it.

As a result, those older Android versions won't be able to visit many secure websites.

A partial workaround is available, but only by installing Firefox. The web browser from Mozilla relies on its own certificate store that includes Let’s Encrypt’s root.

This workaround, however, won’t keep apps from breaking, nor does it restore anything beyond that browser.

It’s very common for software developers to stop their product from supporting older operating systems.

Maintaining software to support older operating systems means that developers must spend more of their resources on a shrinking number of users. That effort is better spent on supporting newer operating systems with a growing number of users.

Let's Encrypt is one of the world’s top certificate authorities.

And with Let's Encrypt dropping the cross-signed chain that older Android releases trust, users of devices running those older versions of the mobile operating system will be cut off from a large portion of the secure web.

Since older software won’t trust Let’s Encrypt’s root certificate, this could “introduce some compatibility woes,” lead developer Jacob Hoffman-Andrews said in a blog post.

This is a huge shift, considering that Let's Encrypt's certificates are used by as much as one-third of all web domains, and about 33.8% of Android devices reporting to Google Play are still on versions older than 7.1.

Android Nougat is still being used by 33.8% of all Android devices
Credit: Let's Encrypt

Jacob Hoffman-Andrews said that:

"Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites. Hopefully these numbers will be lower by the time DST Root X3 expires next year, but the change may not be very significant."

For website owners, Let's Encrypt can serve an alternate certificate chain for the same certificate, one that leads to DST Root X3, in order to offer broader compatibility.

"This is implemented via the ACME “alternate” link relation. This is supported by Certbot from version 1.6.0 onwards," said Jacob Hoffman-Andrews.

Website owners using a different ACME client may have to check their client’s documentation to see whether the “alternate” link relation is supported.
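As an added illustration (not code from the article, Let's Encrypt, or Certbot), here is how an ACME client can discover the alternate chain through the "alternate" Link relation on the certificate download response (RFC 8555, section 7.4.2) and then pick the chain that terminates at a preferred root. The header values, chain contents and URLs are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the response headers an ACME server returns when a
# client downloads a certificate (RFC 8555, section 7.4.2). The URLs are
# placeholders, not real Let's Encrypt endpoints.
SAMPLE_HEADERS = {
    "Content-Type": "application/pem-certificate-chain",
    "Link": ('<https://acme.example/directory>;rel="index", '
             '<https://acme.example/cert/abc123/1>;rel="alternate"'),
}

# Constructed chains as (subject, issuer) pairs, leaf first. The root itself
# is not sent; the issuer of the last certificate names the root it chains to.
Chain = List[Tuple[str, str]]
SAMPLE_CHAINS: Dict[str, Chain] = {
    "default": [("www.example.com", "R3"), ("R3", "ISRG Root X1")],
    "https://acme.example/cert/abc123/1": [
        ("www.example.com", "R3"), ("R3", "DST Root CA X3")],
}

_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')

def parse_link_header(value: str) -> Dict[str, List[str]]:
    """Map each rel value in a Link header to the URLs that carry it."""
    links: Dict[str, List[str]] = {}
    for url, rel in _LINK_RE.findall(value):
        links.setdefault(rel, []).append(url)
    return links

def alternate_chain_urls(headers: Dict[str, str]) -> List[str]:
    """URLs of alternate chains the CA offers for the same certificate."""
    return parse_link_header(headers.get("Link", "")).get("alternate", [])

def chain_root(chain: Chain) -> str:
    """Name of the root a served chain ultimately relies on."""
    return chain[-1][1]

def choose_chain(chains: Dict[str, Chain], preferred_root: str) -> str:
    """Label of the first chain ending at preferred_root, or 'default' if none."""
    for label, chain in chains.items():
        if chain_root(chain) == preferred_root:
            return label
    return "default"

if __name__ == "__main__":
    print("alternate chains:", alternate_chain_urls(SAMPLE_HEADERS))
    print("chosen chain:", choose_chain(SAMPLE_CHAINS, "DST Root CA X3"))
```

A real client would fetch each alternate URL and parse the PEM chain to obtain the issuer names; the sample here stands in for that step.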

Hosting providers may also keep serving the DST Root X3 chain until September 2021, but they may decide to switch to the certificate chain that leads to ISRG Root X1 after January 11, 2021.

"There will be site owners that receive complaints from users and we are empathetic to that being not ideal. We’re working hard to alert site owners so you can plan and prepare. We encourage site owners to deploy a temporary fix (switching to the alternate certificate chain) to keep your site working while you evaluate what you need for a long-term solution," added Jacob Hoffman-Andrews.

About a month later, IdenTrust agreed to a three-year cross-sign of Let's Encrypt's ISRG Root X1 from IdenTrust's DST Root CA X3. The updated cross-sign extends beyond the expiration of DST Root CA X3, meaning that the initial expiration date is extended.

"We will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about," Let's Encrypt states.

"We will not be performing our previously-planned chain switch on January 11th, 2021. Instead, we will be switching to provide this new chain by default in late January or early February. The transition should have no impact on Let's Encrypt subscribers, much like our switch to our R3 intermediate earlier this month."

Published: 09/11/2020