Security Experts:

Let’s Encrypt Warns Some Android Users of Compatibility Issues

Let’s Encrypt has warned users whose devices are running older versions of Android that they may start getting errors next year when visiting websites secured by its certificates.

Let’s Encrypt, which earlier this year announced releasing over one billion certificates since its launch in 2015, initially relied on a cross-signature from IdenTrust. It can take a certificate authority (CA) years to get a new root certificate accepted by browsers and operating systems, and in order to be able to immediately start issuing certificates that are trusted by devices, a CA can get a cross-signature from a trusted CA.

Let’s Encrypt’s own root certificate is now mature and the initial certificate, which is set to expire on September 1, 2021, is no longer needed. While this will not impact most users, software that has not been updated since September 2016 and which does not trust Let’s Encrypt’s own root certificate will likely cause problems.

The CA believes one of the products most impacted by this will be Android, prior to version 7.1.1. The organization estimates that roughly one-third of Android devices are still running these older versions, which means their users will start getting certificate errors once the cross-signed certificate expires. Major integrators indicated that these users account for roughly 1-5% of their traffic.

While the situation might improve until next year when the certificate expires, Let’s Encrypt believes there will still be many impacted devices so it’s trying to raise awareness.

“What can we do about this? Well, while we’d love to improve the Android update situation, there’s not much we can do there. We also can’t afford to buy the world a new phone,” said Jacob Hoffman-Andrews, lead developer at Let’s Encrypt.

“Can we get another cross-signature? We’ve explored this option and it seems unlikely. It’s a big risk for a CA to cross-sign another CA’s certificate, since they become responsible for everything that CA does,” he added. “It’s important for us to be able to stand on our own. Also, the Android update problem doesn’t seem to be going away. If we commit ourselves to supporting old Android versions, we would commit ourselves to seeking cross-signatures from other CAs indefinitely.”

Let’s Encrypt has advised users who cannot upgrade their Android devices to install Firefox on their smartphone, as Firefox comes with its own list of trusted root certificates rather than using the list from the operating system.

The organization has also provided recommendations for website owners and users who get certificates from their hosting provider.

Let’s Encrypt’s goal is to make the internet safer by enabling website owners to easily obtain an SSL/TLS certificate at no cost. However, unsurprisingly, its services have also been abused by cybercriminals.

Related: Let's Encrypt Will Not Replace 1 Million Bug-Affected Certificates

Related: Bug Forces Let's Encrypt to Revoke 3 Million Certificates

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.