
Let’s Encrypt: Old Android devices will have problems with millions of websites

The certificate change at Let’s Encrypt causes problems on one third of all Android devices. The workaround is Firefox.

The certificate change could cause problems with encrypted connections on old Androids.
(Picture: Pixabay)

In March 2021, the free certificate authority Let’s Encrypt will switch to intermediate certificates signed by its own root certificate. Until now, Let’s Encrypt has relied on cross-signing by the Identrust certificate authority. As the team has now announced, the upcoming change could cause problems for about one third of all Android phones still in use, because many older devices do not trust the Let’s Encrypt root certificate, which was first introduced in 2016. According to the blog entry, devices with Android version 7.1.1 or older are especially affected. By default, these devices will no longer establish a trusted connection to websites or services that use Let’s Encrypt certificates after the switch. That concerns around 220 million domains.

Jacob Hoffman-Andrews, chief developer of the certificate authority, sees the reason for the upcoming problems mainly in the Android ecosystem, which has long failed to provide long-term operating system updates for devices that have been sold. For example, Google no longer officially supports the Android 7 series. Furthermore, many hardware manufacturers offer hardly any operating system version updates for their devices.

For the certificate switch at Let’s Encrypt, this becomes a problem because the list of trusted certificates is an integral part of the operating system, and other apps rely on it. On older devices this list is no longer updated, which then leads to the error.

Own root store as a solution

As a workaround, Let’s Encrypt recommends using the Firefox browser for Android, as it uses its own certificate store instead of the operating system’s. This already contains the root certificate of the free certificate authority, so the described error cannot occur here.
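
The trust-store behaviour described above can be reproduced in a lab with the openssl command-line tool. This is an added example, not part of the original article or of Let’s Encrypt's tooling; all CA names, file names and helper functions are constructed here, with "Old Root" standing in for the cross-signing root and "New Root" for the CA's own root.

```shell
#!/bin/sh
# Constructed lab PKI; every name, key and certificate is generated locally.
#   Old Root = stand-in for the long-established cross-signing root
#   New Root = stand-in for the CA's own, newer root
set -e
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' \
  '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$W/ca.cnf"

mkroot() {   # mkroot <file-stem> <common-name>: self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$W/ca.cnf" \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
mkcsr() {    # mkcsr <file-stem> <common-name>: key pair plus signing request
  openssl req -new -newkey rsa:2048 -nodes -config "$W/ca.cnf" \
    -subj "/CN=$2" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
}
sign() {     # sign <csr> <issuer-cert> <issuer-key> <out> <serial> [x509 opts]
  csr=$1 ca=$2 key=$3 out=$4 serial=$5; shift 5
  openssl x509 -req -in "$W/$csr.csr" -CA "$W/$ca.pem" -CAkey "$W/$key.key" \
    -set_serial "$serial" -days 30 -out "$W/$out.pem" "$@" 2>/dev/null
}
trusts() {   # trusts <store> <intermediate>: true if the leaf validates
  openssl verify -CAfile "$W/$1.pem" -untrusted "$W/$2.pem" "$W/leaf.pem" \
    2>/dev/null | grep -q ': OK$'
}

mkroot old_root "Constructed Old Root"
mkroot new_root "Constructed New Root"
mkcsr int "Constructed Intermediate"
mkcsr leaf "site.example"
# One intermediate key, two certificates for it: own-root and cross-signed.
sign int new_root new_root int_own   2 -extfile "$W/ca.cnf" -extensions ca
sign int old_root old_root int_cross 3 -extfile "$W/ca.cnf" -extensions ca
sign leaf int_own int leaf 4
# Trust stores: an unpatched OS list versus an app shipping its own list.
cp "$W/old_root.pem" "$W/os_store.pem"
cat "$W/old_root.pem" "$W/new_root.pem" > "$W/app_store.pem"

for store in os_store app_store; do for int in int_cross int_own; do
  if trusts "$store" "$int"; then r=trusted; else r=REJECTED; fi
  echo "$store + $int: $r"
done; done
```

Only the OS-style store combined with the own-root intermediate is rejected, which is the failure the article describes for old Android devices; the store that also carries the new root accepts both chains.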

The team behind Google’s Chrome browser is planning something similar. Google could also implement this for the Android WebView package and thereby fix the bug for a large number of apps. Meanwhile, the Let’s Encrypt team hopes that the number of actual problems will remain limited, as the large number of old but still active Android devices mentioned accounts for only 1 to 5 percent of traffic.