It's official: millions of cell phones running a version of Android prior to Nougat 7.1.1 (launched in 2016) will no longer be able to access certain sites as of 2021. These are all the websites that use Let's Encrypt certificates for their https connections. Why such a change? Are there any solutions to get around this blocking? Let's see the answers!
Who is Let's Encrypt?
Since this change comes from a decision made by Let's Encrypt, we will first explain what it is.
Let's Encrypt is a certificate authority founded in late 2015 by the Internet Security Research Group (ISRG). It provides free X.509 certificates for the TLS cryptographic protocol and issues them through an automated process for securing websites. According to statistics recorded in December 2019, Let's Encrypt provides 54.67% of TLS certificates worldwide.
The goal of Let's Encrypt is to democratize the use of secure connections on the web. The project makes implementing and maintaining TLS encryption much easier. In other words, it eliminates the need for a manual process involving payment, web server configuration, validation e-mails and certificate expiration management. On a GNU/Linux server, for example, only two commands are needed to set up https encryption and to obtain and install the certificates. All this takes less than a minute.
Why will Android smartphones no longer access https sites?
Let's Encrypt and IdenTrust End Partnership
Let's Encrypt has partnered with IdenTrust for the DST Root X3 certificate. IdenTrust is also a renowned certificate authority that provides digital certificates to businesses, healthcare providers, financial institutions and government agencies. Let's Encrypt has relied on DST Root X3 so that its certificates are trusted for https connections. HTTPS uses a certificate to authenticate the website and secure the communication between the Internet user and the site they visit. Its main objective is to prevent attackers from intercepting and reading the data you send to or view on the site. The DST Root X3 certificate is free.
Let's Encrypt has announced that its partnership with IdenTrust will end on September 1, 2021. The group decided not to renew the cross-signature with IdenTrust because it has developed its own root certificate, named ISRG Root X1.
Let's Encrypt will therefore no longer need IdenTrust's DST Root X3. The certificate authority has already requested that its new root certificate be accepted by the platforms that maintain root certificate stores, such as Windows, Firefox, macOS, iOS and Android.
A question of incompatibility
Let's Encrypt explained that the deployment of its ISRG Root X1 will cause compatibility issues. It turns out that software that hasn't been updated since 2016 doesn't trust its new root certificate. This naturally includes all versions of Android released in 2016 or earlier, in other words versions of Android prior to Nougat 7.1.1. Let's Encrypt provides free TLS certificates to over 180 million websites worldwide. These sites will therefore no longer be accessible to phones and tablets running a version of Android prior to 7.1.1.
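To see concretely why a device that trusts only DST Root X3 stops validating certificate chains once the cross-signature is gone, here is an added example that is not part of the article and not Let's Encrypt's own tooling. It rebuilds the situation in miniature with the openssl command-line tool: every certificate name ("Old Root" standing in for DST Root X3, "New Root" for ISRG Root X1, "Intermediate" for the issuing CA), the site name example.test and the temporary working directory are constructed stand-ins. An "old client" trust store contains only the old root, as on an Android that has not been updated since 2016; a "new client" trust store contains only the new root, as on a current device or in Firefox's own root list. The web server is made to send its chain once with the cross-signed new root and once without it.

```shell
#!/bin/sh
# Added example, not from the article: rebuild the Let's Encrypt root change in
# miniature with the openssl command-line tool. All names are stand-ins:
#   "Old Root" plays DST Root X3, "New Root" plays ISRG Root X1,
#   "Intermediate" plays Let's Encrypt's issuing CA, "example.test" is the site.
# Requires an openssl binary (1.1.x or 3.x); everything is created in a temp dir.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
cat > ca.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:example.test
EOF

newkey() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null; }
csr()    { openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null; }

build_pki() {
  newkey old_root; newkey new_root; newkey intermediate; newkey leaf
  csr old_root "Old Root"; csr new_root "New Root"
  csr intermediate "Intermediate"; csr leaf "example.test"
  # Two self-signed roots: the one old Android trusts and the one it never learned.
  openssl x509 -req -in old_root.csr -signkey old_root.key -days 3650 -extfile ca.ext -out old_root.pem 2>/dev/null
  openssl x509 -req -in new_root.csr -signkey new_root.key -days 3650 -extfile ca.ext -out new_root.pem 2>/dev/null
  # Cross-signature: the NEW root's key and subject, certified by the OLD root.
  openssl x509 -req -in new_root.csr -CA old_root.pem -CAkey old_root.key -CAcreateserial \
    -days 3650 -extfile ca.ext -out new_root_cross.pem 2>/dev/null
  # The issuing CA chains only to the new root; the site certificate chains to the issuing CA.
  openssl x509 -req -in intermediate.csr -CA new_root.pem -CAkey new_root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
    -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null
  # What the web server sends alongside the site certificate, before and after the change.
  cat intermediate.pem new_root_cross.pem > served_with_cross.pem
  cp intermediate.pem served_without_cross.pem
}

# Prints OK or FAIL for a client whose trust store is $1 when the server sends the chain in $2.
verdict() {
  if openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

build_pki
printf '%-28s %-20s %s\n' "client trust store" "server sends" "result"
printf '%-28s %-20s %s\n' "old root only (old Android)" "with cross-sign"    "$(verdict old_root.pem served_with_cross.pem)"
printf '%-28s %-20s %s\n' "old root only (old Android)" "without cross-sign" "$(verdict old_root.pem served_without_cross.pem)"
printf '%-28s %-20s %s\n' "new root (updated device)"   "without cross-sign" "$(verdict new_root.pem served_without_cross.pem)"
```

Run it as a script; the last lines print a small table. The old client succeeds only while the cross-signed root is still part of the chain it receives. Once the server stops sending that certificate, the old client has no path from the intermediate to any root it trusts and openssl reports "unable to get local issuer certificate", which is the certificate error the article describes. The new client validates either way, because the chain ends at a root already in its store; replacing the trust store rather than the phone, which is what installing a browser with its own root list does, is exactly the third row of the table.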
Which smartphones are affected?
As we have already specified on several occasions, the victims of the launch of the new Let's Encrypt digital certificate are the smartphones, but also the tablets, running a version of Android prior to 7.1.1. Indeed, mobile devices that rely on the DST Root X3 certificate to visit https sites will no longer be able to do so from September 2021, because the sites in question will switch to ISRG Root X1. According to Let's Encrypt, 30% of websites (more than 180 million) use the certificate set up with IdenTrust.
On the other hand, 33.8% of the world's currently operational Android smartphones run on a version earlier than Nougat 7.1.1. That makes hundreds of millions of cell phones that will be deprived of access to the 30% of sites mentioned above. These handsets will then display the following notification:
"Certificate errors when users visit sites that have a Let's Encrypt certificate."
As a result, if you are using a smartphone or tablet running a version prior to Nougat 7.1.1, you will be blocked as soon as you arrive on an https site using the new ISRG Root X1 certificate. In addition, the end of the partnership between the two certificate authorities will prevent users of affected smartphones from using Android applications that need to connect to an https site in order to function.
What are the solutions?
The purchase of a new smartphone
The most obvious solution is to change your smartphone. Since you have a deadline, you can take your time and invest in a new device by September 2021 if the one you currently have is still running a version of Android earlier than Nougat 7.1.1. In any case, Google no longer provides security updates for devices running Android 7.0 and earlier. This makes them obsolete and more susceptible to hacking, and malware frequently targets these devices to defraud their owners. You don't necessarily have to spend a lot of money on the latest smartphone. All you need to do is buy a model running a version of Android newer than Nougat.
Install Firefox Mobile
If, for one reason or another, you don't want to part with your current smartphone, the solution Let's Encrypt offers you is to install the Mozilla browser, Firefox Mobile. The two organizations work in partnership, and Mozilla maintains its own list of trusted root certificates, which already includes ISRG Root X1. You need to download and install the latest version of Firefox for Android on your phone or tablet; it is available for free on the Play Store. On the other hand, Let's Encrypt has no solution for the applications that will become unusable for you.