Millions of Let’s Encrypt-certified websites could be blocked next year because of the many mobile devices that are still running unsupported versions of Android.
IdenTrust’s DST Root X3, which is the root certificate used by Let’s Encrypt, is set to expire on September 21, 2021.
This expiration means that millions of Let’s Encrypt-certified websites could be blocked overnight.
Let’s Encrypt is an SSL/TLS certificate authority (CA), and the expiration of DST Root X3 will leave the CA reliant on its own root certificate, ISRG Root X1.
The problem with leaving ISRG Root X1 on its own is that it is still not trusted by versions of Android prior to 7.1.1.
Let’s Encrypt is backed by Mozilla’s non-profit Internet Security Research Group, which currently certifies around 225 million domains.
Beginning September 1st, Android users running versions of the mobile operating system older than 7.1.1 will receive a browser warning that these websites are not secure, unless they upgrade or use Firefox.
Whereas Chrome, Android’s default browser, relies on the operating system’s list of trusted root certificates, “Firefox is currently unique among browsers” in having “its own list of trusted root certificates”, said Jacob Hoffman-Andrews, lead developer for Let’s Encrypt.
“So, anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.”
Currently, Firefox for mobile supports Android 5.0 and above.
This is important because one in three Android users are still running pre-7.1.1 versions on their mobile devices.
“It’s quite a bind,” he said. “We know that the people most affected by the Android update problem are those we most want to help – people who may not be able to buy a new phone every four years.”
Hoffman-Andrews said Android Studio shows that, as of September 2020, 33.8% of Android devices were running versions older than 7.1.1, representing 1-5% of traffic to websites operated by large integrators, and that they don’t foresee a significant shift in these numbers by September 2021.