Actualités procab - 05 Jan, 2021 | by Procab

Millions of Android smartphones will no longer have access to websites from 2021

It's official, millions of cell phones running a version of Android prior to Nougat 7.1.1 (launched in 2016) will no longer be able to access certain sites as of 2021. These are all websites that use Let's Encrypt certificates for https connections. Why such a change? Are there any solutions to get around this blocking? Let's see the answers!

Who is Let's Encrypt?

Since this change comes from a decision made by Let's Encrypt, we will first explain who it is.

Let's Encrypt is a certification authority founded in late 2015 by Internet Security Research Group (ISRG). It provides free X.509 certificates for the TLS cryptographic protocol. For this, it deploys an automated process to secure websites. According to statistics recorded in December 2019, Let's Encrypt provides 54,67% of TLS certificates worldwide.

The goal of Let's Encrypt is to democratize the use of secure connections on the web. The project allows to manage the implementation and maintenance of TLS encryption with much more ease. In other words, it eliminates the need for a manual process including payment, web server configuration, validation mails and certificate expiration management. On a GNU/Linux server, for example, only two commands are needed to set up https encryption and to acquire and install certificates. All this takes less than a minute.

Why will Android smartphones no longer access https sites?

Let's Encrypt and IdenTrust End Partnership

Let's Encrypt has partnered with IdenTrust for the DST Root X3 certificate. IdenTrust is also a renowned Certificate Authority that provides digital certificates to businesses, healthcare providers, financial institutions and government agencies. The DST Root X3 has been used by Let's Encrypt for the https transmission protocol. The https uses an authentication certificate for a better security of the communication between the Internet user and the website he visits. Its main objective is to prevent hackers from recovering and decrypting the data you transmit or consult on the site. The DST Root X3 certificate is free.

Let's Encrypt has announced that its partnership with IdenTrust will end on September 1, 2021. The group decided not to renew the cross-signature with IdenTrust because it managed to develop its own root certificate named ISRG Root X1.

Let's Encrypt will no longer need IdenTrust's Root X3 DST. The certificate authority has already requested approval of its new root certificate by software platforms providing operating systems such as Windows, Firefox, macOS, iOS and Android.

A question of incompatibility

Let's Encrypt explained that the deployment of its ISRG Root X1 will cause compatibility issues. It turns out that software that hasn't been updated since 2016 doesn't work with its new digital certificate. This naturally includes all versions of Android that date back to 2016 and earlier. In other words, these are versions of Android prior to Nougat 7.1.1. Let's Encrypt provides free TLS certificates to over 180 million websites worldwide. These sites will therefore no longer be accessible to phones and touch tablets running Android 7.1.1 or earlier.

Which smartphones are affected?

As we have already specified on several occasions, the victims of the launch of the new Let's Encrypt digital certificate are the smartphonesbut also the digital tablets running Android 7.1.1 or higher. Indeed, mobile devices using the DST Root X3 certificate to consult https sites will no longer be able to do so from September 2021 because the sites in question will switch to the ISRG Root X1. According to Let's Encrypt, 30% of websites (more than 180 million) use the certificate set up with IdenTrust.

On the other hand, 33.8% of the world's currently operational Android smartphones run on a version later than Nougat 7.1.1. This makes hundreds of millions of cell phones that will be deprived of access to 30% sites as mentioned above. These handsets will then display the following notification:

"Certificate errors when users visit sites that have a Let's Encrypt certificate."

As a result, if you are using a smartphone or tablet running a version prior to Nougat, you will be blocked as soon as you arrive on an https site using the new ISRG Root X1 certificate. In addition, the end of the partnership between the two certification authorities will prevent users of affected smartphones from using Android applications that need to connect to an https site to function.

What are the solutions?

The purchase of a new smartphone

The most obvious solution is to change your smartphone. You have some kind of deadline then, you can quite slowly invest in buying a new device by September 2021 if the one you currently have is still running a version of Android later than Nougat 7.1.1. In any case, Google is no longer performing security updates on all devices running Android 7.0 and earlier. This makes them obsolete and more susceptible to hacking. Besides, many malware often attack these devices to scam their owners. You don't necessarily have to spend a lot of money on the latest smartphone. All you need to do is buy a model running a version of Android newer than Nougat.

Install Firefox Mobile

If, for one reason or another, you don't want to part with your current smartphone, the solution Let's Encrypt offers you is toinstall the Mozilla browser, Firefox Mobile. The two institutions are in partnership and Mozilla has its own list of root certificates that are all trusted. The ISRG Root X1 is already one of them. This is the latest version of Firefox for Android that you need to download and install on your phone or tablet. It is available for free on Play Store. On the other hand, Let's Encrypt has no solution for applications that will then be unusable for you.

Ask our SEO experts for advice

Cookie	Description
cookielawinfo-checkbox-necessary	This cookie is set by the GDPR Cookie Consent plugin. The cookies are used to record the user's consent for cookies in the "Necessary" category.
cookielawinfo-checkbox-non-necessary	This cookie is set by the GDPR Cookie Consent plugin. The cookies are used to record the user's consent for cookies in the "Not Required" category.
JSESSIONID	Used by sites written in JSP. General-purpose platform session cookies that are used to maintain user state during page requests.
PHPSESSID	This cookie is native to PHP applications. The cookie is used to store and identify a unique user session identifier in order to manage the user's session on the website. The cookie is a session cookie and is deleted when all browser windows are closed.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not the user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
_ga	This cookie is set by Google Analytics. The cookie is used to calculate data about visitors, sessions, campaigns, and to keep track of site usage for the site analytics report. The cookie stores information anonymously and assigns a randomly generated number to identify unique visitors.
_gat_UA-10557947-2	This is a template cookie set by Google Analytics, where the template element of the name contains the unique identity number of the account or website to which it relates. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic websites.
_gid	This cookie is set by Google Analytics. The cookie is used to store information about how visitors use a website and to create an analytical report about the functioning of the website. The data collected includes the number of visitors, the source they came from and the pages visited in an anonymous form.