The widely preferred certificate authority, Let’s Encrypt, is parting its way from another authority IdenTrust. Except for its own root certificate, Let’s Encrypt has been using a cross-signed certificate from IdenTrust. However, the partnership will be ended by September 1, 2021.
This transition would cause a problem for millions of websites on over 30% of Android devices. The heart of the problem lies in the compatibility issue. The devices that are running Android 7.1.1 or older version will be facing a problem in loading. The root certificate of Let’s Encrypt will provide support to the updated versions, and thus devices with the older version still tend to rely on cross-signatures from authorities like former IdenTrust.
Five years ago, when Let’s Encrypt launched, that’s exactly what we did. We got a cross-signature from IdenTrust. Their “DST Root X3” had been around for a long time, and all the major software platforms trusted it already: Windows, Firefox, macOS, Android, iOS, and a variety of Linux distributions. That cross-signature allowed us to start issuing certificates right away, and have them be useful to a lot of people. Without IdenTrust, Let’s Encrypt may have never happened and we are grateful to them for their partnership. Meanwhile, we issued our own root certificate (“ISRG Root X1”) and applied for it to be trusted by the major software platforms.
via Let’s Encrypt
In its announcement, Let’s Encrypt dubbed its decision as the company is standing on its own two feet. According to statistics drawn from Android Studio, over 34% of Android devices worldwide are operating version 7.1 or older. So after January, a huge amount of sites and apps might face security and compatibility problems.
Google has been the torchbearer and constantly urging the website developers to obtain an SSL certificate for the domain directly from a Certificate Authority. Secure Sockets Layer or simply SSL is a type of digital certificate that renders authentication for a website and provides an encrypted connection. Google has also endorsed the services of Let’s Encrypt and ask users to obtain a free SSL certificate from this popular Certificate Authority. As per the Google Transparency Report, 95% of website traffic over the search engine is now encrypted on its network.
At first, the certificate was only necessary for e-commerce websites where users need to give their confidential details, but since more or less every website now asks for user’s information hence the Google made it mandatory for websites to obtain an SSL certificate.
Workaround for the problem
The answer to this problem is also suggested by some experts to install and use Mozilla’s Firefox browser on these older version devices because it utilizes its own root certificate list to check online web pages. As of the time of writing, Firefox Mobile is supporting Android 5.0 and above. But still, the apps that are likely to depend on older certificates will not be able to take advantage of this patch.
Leave a Reply