Switching to Firefox will address issue related to unsupported OS

One in three Android devices set to block Lets Encrypt-certified websites in 2021

UPDATED Access to millions of Let’s Encrypt-certified websites could be blocked overnight next year by the legions of mobile devices that still run unsupported versions of Android.

Let’s Encrypt, the SSL/TLS certificate authority (CA), has issued a warning that IdenTrust’s DST Root X3 – the root certificate used by Let’s Encrypt to gain a foothold in the CA market – is set to expire on September 1, 2021.

This will leave the CA reliant on its own certificate, ISRG Root X1, which is still not trusted by versions of Android prior to 7.1.1.

Let’s Encrypt, which is operated by the Mozilla-backed non-profit the Internet Security Research Group, currently certifies around 225 million domains.

Android users running pre-7.1.1 versions of their mobile OS – accounting for one in three active devices – will, from September 1, be presented with a warning from their browser that these websites are not secure – unless they use Firefox.

Firefox to the rescue

Whereas Chrome, Android’s default browser, generates trusted root certificates via the OS, “Firefox is currently unique among browsers” in having “its own list of trusted root certificates”, said Jacob Hoffman-Andrews, lead developer for Let’s Encrypt.

“So, anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.”

Firefox Mobile supports Android 5.0 and above.

Hoffman-Andrews said Android Studio shows that, as of September 2020, 33.8% of Android devices were running versions older than 7.1.1 – representing 1-5% of traffic to websites operated by large integrators.

With manufacturers often neglecting to ship devices with the latest versions, Hoffman-Andrews didn’t foresee a significant shift in these numbers by September 2021.

RELATED DDoS attacks against SwissSign prompt temporary CA switch for ProtonMail

In a blog post published yesterday (November 9), Simon Hearne, a London-based web performance architect, suggested that some smart TVs might be similarly affected.

‘Quite a bind’

A durable solution appears elusive, with another cross-signature deal between Let’s Encrypt and a rival CA “unlikely”, admitted Hoffman-Andrews.

“It’s quite a bind,” he said. “We know that the people most affected by the Android update problem are those we most want to help – people who may not be able to buy a new phone every four years.”

However, Troy Hunt, founder of data breach notification website Have I Been Pwned?, suspects the impact might, ultimately, be modest, albeit the announcement highlights the problems associated with a fragmented Android ecosystem.

“It feels like the deprecation of SSL all over again except under less duress,” he told The Daily Swig. “There’s almost a year of notice involved here and we’re talking about very old (albeit still common) devices, by the time this actually hits and given the available mitigation strategies it doesn’t feel like it’ll be a massive thing.”

From January 11, 2021, “ACME clients will, by default, serve a certificate chain that leads to ISRG Root X1”, said Hoffman-Andrews, who urged site owners to switch to “an alternate certificate chain for the same certificate that leads to DST Root X3” while they consider a longer-term solution.

“We have been working with our subscribers to prepare them for this change” since April 2019, Sarah Gran, VP of communications at Let’s Encrypt, told The Daily Swig.

“Recently, we've communicated with many large integrators and individual subscribers to prepare them for the change. The feedback has been generally appreciative.”

The Daily Swig has also contacted Google for comment and will update the article accordingly if we receive a response.

This article was updated on November 10 with additional comments from Let’s Encrypt.

YOU MIGHT ALSO LIKE Let’s Encrypt deploys new domain validation technology to mitigate BGP hijacking risks