Let’s Encrypt has alerted users whose devices run older versions of Android that when accessing websites protected by its certificates, they may start getting errors next year.
Let’s Encrypt, which announced earlier this year that it had issued over one billion certificates since its launch in 2015, initially relied on a cross-signature from IdenTrust. It can take years for a certificate authority (CA) to get a new root certificate accepted by browsers and operating systems, so a new CA can obtain a cross-signature from an already trusted CA in order to start issuing certificates that devices trust right away.
Let’s Encrypt’s own root certificate is now mature, so it no longer needs the original cross-signed certificate, which is set to expire on September 1, 2021. Most users will not be affected, but software that has not been updated since September 2016 may not trust Let’s Encrypt’s own root certificate and is likely to run into errors.
The CA says Android versions prior to 7.1.1 will be among the platforms most affected. It reports that about one-third of Android devices are still running these older versions, meaning that once the cross-signed certificate expires, their users will start seeing certificate errors. Major integrators report that these users account for roughly 1-5 percent of their traffic.
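As an added illustration (not code from Let’s Encrypt or from the original article), the following Python audits a client trust store in the dict format returned by Python’s `ssl.SSLContext.get_ca_certs()` and reports, for a given point in time, whether each of the two roots Let’s Encrypt chains to is still valid. The store contents and expiry dates are constructed placeholders, and the root names (ISRG Root X1, DST Root CA X3) are assumptions not named in the article.

```python
import ssl
import time
from typing import Iterable, Optional, Tuple

# Constructed sample trust store in the shape ssl.SSLContext.get_ca_certs() returns.
# The notAfter values are illustrative placeholders, not copied from real certificates.
SAMPLE_STORE = [
    {   # the cross-signing root that older clients already trust
        "subject": ((("organizationName", "Digital Signature Trust Co."),),
                    (("commonName", "DST Root CA X3"),)),
        "notAfter": "Sep 1 00:00:00 2021 GMT",
    },
    {   # Let's Encrypt's own root, shipped only to clients updated since 2016
        "subject": ((("organizationName", "Internet Security Research Group"),),
                    (("commonName", "ISRG Root X1"),)),
        "notAfter": "Jun 4 11:04:38 2035 GMT",
    },
]
# A client that has not received trust-store updates: it only carries the old root.
OLD_CLIENT_STORE = [SAMPLE_STORE[0]]


def common_name(cert: dict) -> Optional[str]:
    """Pull the subject CN out of an ssl-style certificate dict (tuple of RDN tuples)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def trusted_roots_at(store: Iterable[dict], when: float) -> set:
    """CNs of roots whose notAfter (epoch seconds) is still in the future at `when`."""
    return {cn for cert in store
            if (cn := common_name(cert)) and ssl.cert_time_to_seconds(cert["notAfter"]) > when}


def lets_encrypt_trusted(store: Iterable[dict], when: float,
                         own_root: str = "ISRG Root X1",
                         cross_root: str = "DST Root CA X3") -> Tuple[bool, bool]:
    """Return (own_root_ok, cross_root_ok): which anchor a chain can still land on."""
    valid = trusted_roots_at(store, when)
    return own_root in valid, cross_root in valid


if __name__ == "__main__":
    # Run the same audit against the trust store of the interpreter this runs on.
    own, cross = lets_encrypt_trusted(ssl.create_default_context().get_ca_certs(), time.time())
    print(f"ISRG Root X1 valid: {own}; DST Root CA X3 valid: {cross}")
```

If both values come back `False`, the client cannot validate a Let’s Encrypt chain at all; if only the cross-signing root is valid, the client will start failing once that certificate expires.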
Although the situation could change by the time the certificate expires next year, Let’s Encrypt expects that many devices will still be affected, so it is trying to raise awareness.
‘What are we going to do with this? OK, while we would love to change the condition with the Android update, there isn’t anything we can do there. We can’t afford to buy a new phone in the world, either,’ said Jacob Hoffman-Andrews, Let’s Encrypt’s lead developer.
‘Will we have a cross-signature again? This is an idea we’ve investigated, and it seems impossible. It is a great risk for a CA to cross-sign the certificate of another CA, since they are responsible for all the CA does,’ he said. ‘To be able to stand on our own is crucial for us. Also, it doesn’t appear like the Android upgrade issue is going anywhere. If we commit ourselves to maintaining old versions of Android, we will commit ourselves to continuously finding cross-signatures from other CAs.’
Let’s Encrypt has urged users who are unwilling to update their Android devices to install Firefox on their handsets, since Firefox ships with its own list of trusted root certificates instead of relying on the operating system’s list.
The organisation has also published guidance for website owners and for customers who obtain their certificates from a hosting company.
Let’s Encrypt’s aim is to make the internet safer by letting website owners obtain an SSL/TLS certificate easily and at no cost. Unfortunately, cybercriminals have also abused its services.