Life may get more complicated from 2021 onwards for anyone using an old Android phone. Let's Encrypt, one of the largest certificate authorities in the world, will not renew the cross-signing arrangement that lets its HTTPS certificates be trusted by devices running Android 7.1.1 or earlier. As a result, millions of websites may become inaccessible on those devices.
Today the vast majority of sites use HTTPS. Adoption gained momentum after Google's Chrome started flagging plain HTTP pages as "Not secure". HTTPS also became a ranking signal in search: if two pages have equivalent content, the one served over HTTPS is more likely to appear in a privileged position in the results.
In February 2020, Let's Encrypt passed the mark of 1 billion SSL/TLS certificates issued for enabling HTTPS. The initiative is non-profit and does not charge for the service, so it is not surprising that, according to the February figures, 192 million sites used certificates issued by the organization.
The initiative began operating in earnest in 2015. That year, Let's Encrypt obtained its first root certificate, ISRG Root X1. This root signs the intermediate certificates Let's Encrypt Authority X1 and Let's Encrypt Authority X2, which in turn issue the end-entity certificates that the organization provides for free.
The same intermediates, Let's Encrypt Authority X1 and Let's Encrypt Authority X2, are also signed by DST Root X3, a root certificate belonging to IdenTrust, another certificate authority. This is what is known as a cross-signature: the same intermediate key and subject, certified by two different issuers.
Because the IdenTrust root was already present in the trust stores of the major operating systems and browsers, Let's Encrypt entered into this cross-signing arrangement to get its own certificates accepted immediately. A client that trusts DST Root X3 can validate the chain through the cross-signed intermediate even if it has never heard of ISRG Root X1.
But the cross-signing arrangement between Let's Encrypt and IdenTrust expires on September 1, 2021 and will not be renewed. In fact, Let's Encrypt will begin winding down the cross-signature much earlier, on January 11, 2021, when it will start serving chains that lead to its own root by default. The organization's plan is to rely exclusively on its own root certificate, which is by now widely trusted.
But Let's Encrypt itself warns that this change will cause compatibility problems. Software that has not been updated since 2016, when the organization's certificates started to be widely adopted, trusts IdenTrust's root but not Let's Encrypt's own.
This means that, once the cross-signature is gone, millions of sites with Let's Encrypt certificates will no longer load correctly on old devices, in particular those running Android 7.1.1 or earlier. It is estimated that 33.8% of currently active Android devices may be affected.
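To make the mechanism concrete, here is a small shell script, added for this article and not Let's Encrypt's own code, that builds a toy PKI with the openssl command line and uses made-up names throughout: two self-signed roots (one standing in for ISRG Root X1, one for the older, widely shipped DST Root X3), a single intermediate key certified by both of them (the cross-signature), and a site certificate issued by that intermediate. It then runs openssl verify the way an old client that trusts only the legacy root would, and the way an updated client that trusts only the new root would. It assumes an openssl release of 1.1.1 or later (for the -addext option).

```shell
#!/bin/sh
# Toy PKI reproducing the chain layout described above (constructed example).
# Stand-ins, not the real certificates:
#   newroot.crt    plays the role of the CA's own root (ISRG Root X1)
#   legacyroot.crt plays the role of an older, widely shipped root (DST Root X3)
#   int.key        one intermediate key, certified by BOTH roots (the cross-sign)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# A self-signed root: $1 = file stem, $2 = common name.
gen_root() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}
gen_root newroot "Toy New Root"
gen_root legacyroot "Toy Legacy Root"

# One intermediate key and CSR, issued by both roots. The two certificates
# share subject and public key; only the issuer and signature differ.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Toy Intermediate" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
for root in newroot legacyroot; do
  openssl x509 -req -in int.csr -CA "$root.crt" -CAkey "$root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile int.ext -out "int_by_$root.crt" 2>/dev/null
done

# The site certificate is signed with the intermediate key. It is the same
# certificate whichever intermediate the server later sends alongside it.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=example.test" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int_by_newroot.crt -CAkey int.key -CAcreateserial \
  -days 90 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_chain <client trust store> <intermediate sent by the server>
# Prints "ok" or "fail". The text output is checked rather than the exit code,
# because old openssl releases exited 0 even when verification failed.
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" leaf.crt 2>&1 | grep -q 'OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Old device: its trust store holds only the legacy root.
echo "old client, cross-signed chain: $(verify_chain legacyroot.crt int_by_legacyroot.crt)"  # ok
echo "old client, new-root chain:     $(verify_chain legacyroot.crt int_by_newroot.crt)"     # fail
# Updated device: its trust store holds the CA's own root.
echo "new client, new-root chain:     $(verify_chain newroot.crt int_by_newroot.crt)"        # ok
echo "new client, cross-signed chain: $(verify_chain newroot.crt int_by_legacyroot.crt)"     # fail
```

The site certificate never changes; what decides whether the old client succeeds is which intermediate the server sends next to it, and the last line shows the reverse problem: a client that holds only the new root cannot use the cross-signed chain either. To see which chain a real server sends, run `openssl s_client -connect host:443 -showcerts` and read the issuer of each certificate it prints.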
A problem without an easy solution
There is no trivial solution to this problem. At least for now, Let's Encrypt rules out another cross-signing agreement, because it understands that this kind of arrangement means one certificate authority has to take responsibility for what the other does.
In a note, the organization also states that “if we commit to supporting older versions of Android, we will commit to cross-signing with other authorities indefinitely.”
So far, the only workaround Let's Encrypt suggests for those with an old Android phone is to install Firefox, which uses its own certificate store rather than the system's and already trusts ISRG Root X1. But this is only a palliative: Firefox will not prevent compatibility problems in other software on the device, such as apps that rely on the system trust store.