Site owners that use the free Let’s Encrypt SSL certificate have been warned that, from next September, their websites will no longer work on older Android operating systems. The issue, which will affect a third of all Android devices, including smartphones, could prevent over 220 million websites working properly.
Launched by the Internet Safety Research Group, ISRG, in 2016, Let’s Encrypt has played a crucial role in making the internet more secure by providing millions of free SSL certificates to websites across the globe. By encrypting data as it travels between a user’s browser and a website’s server, an SSL ensures that personal information and payment details are kept out of the hands of cybercriminals. At eukhost, we recognise the important contribution Let’s Encrypt is making and are proud to be a sponsor of its parent organisation, ISRG.
Another of its sponsors is Chrome, the Google-owned browser, while Google itself encourages the uptake of SSL certificates by including SSL installation in its ranking criteria and rewarding those websites that have them with higher rankings. This makes it a little ironic that the problem Let’s Encrypt faces is with Android, Google’s own operating system.
Though unintentional on Google’s behalf, the issue is that, from September next year, devices with older versions of the Android operating system (versions 7.1.1 or earlier) won’t be able to connect securely with websites using Let’s Encrypt. Anyone with one of these devices that attempts to visit a website with a Let’s Encrypt SSL will, instead, be shown a warning sign telling them that the website is not safe.
The cause of the problem is that, when ISRG launched Let’s Encrypt in 2016, its own root certificate had not been in existence long enough to have become trusted by operating systems. To overcome this challenge, it used an existing certificate authority, IdenTrust, as a cross-signature. IdenTrust’s root certificate had been firmly established for some time and was trusted and accepted by operating systems such as Windows, iOS, macOS and Android.
The use of IdenTrust’s root certificate was always seen as a short term solution, with Let’s Encrypt knowing its own certificate would be trusted by all operating systems by the time the IdenTrust certificate expired.
That expiration is set to take place in September next year and Let’s Encrypt’s SSL certificate is now trusted by the major operating systems. There is, however, a technical snag that affects older versions of Android. That snag is that these operating systems have not been updated since 2016 and, as a result, have not been configured to accept Let’s Encrypt’s root certificate; nor will they, after 1 September 2021, continue to accept the expired IdenTrust root certificate.
This means that devices running Android versions 7.1.1 or earlier will, from next September, no longer trust websites with the Let’s Encrypt certificates installed. This problem can also impact apps that gather data from websites using a Let’s Encrypt certificate.
Unfortunately, if you are a website owner using Let’s Encrypt, a third of all Android devices still in use fall into this category. That means that from September 2021, around 850 million devices, mainly smartphones, will start seeing certificate warning errors when their users visit your site. According to Let’s Encrypt, that works out at between 1 per cent and 5 per cent of the traffic that visits the websites they serve.
A temporary solution
For anyone with an affected Android device, there are three potential solutions: if possible, upgrade the OS to version 7.1.1 or later; if not, install the Firefox Mobile web browser app which accepts the Let’s Encrypt root certificate and works with Android versions 5 and later; or, alternatively, buy a newer device.
Let’s Encrypt is working hard to find a solution that will let websites using their certificates work with these older devices; however, with time running out, those concerned about losing traffic may need to replace their Let’s Encrypt SSL certificate, at least for the time being, with one that will be recognised by all Android devices as well as by other OS.
If you are considering installing an alternative SSL certificate on your website, eukhost offers a range of SSLs to suit the needs of different organisations. What’s more, we’ll take away the hassle and install and test it for you. For more details, visit our SSL Certificates page.