Older Android phones will start failing on some secure websites in 2021
They may not be cool, and they’re certainly not up to date, but there are millions of old Android smartphones out there running 2016’s Android 7.1 Nougat or earlier. On Sep. 1, 2021, however, those phones will start failing when they try to connect with websites secured by Let’s Encrypt Secure-Socket Layer (SSL)/Transport Layer Security (TLS) certificates.
Let’s Encrypt is the enormously popular, free open-source certificate authority (CA). Thanks to its service, over a billion websites have been secured. It’s worked well, but Let’s Encrypt’s original root certificate, which relied on a cross-signature from IdenTrust, “DST Root X3,” will expire on Sept. 1, 2021.
With most operating systems, this wouldn’t be a problem. Let’s Encrypt now has its own root certificate, ISRG Root X1, and most operating systems and browsers can work with it. Alas, that’s not the case with Android.
It’s not like that Android doesn’t get updated often enough by vendors is news to anyone. After all, any Android phone running Android 6 or earlier hasn’t been getting any security updates since earlier this year. But, users, as the tens of millions still running Windows 7 show, won’t pay any attention to security until it bites them in the rump.
This coming problem, though, is one they won’t be able to ignore. At best, if you’re still using one of these older phones, you’ll get an error message asking if you still want to go to the site. At worst, you won’t be able to get into your favorite website at all.
So, what can be done about it? Well, don’t look to Let’s Encrypt for an easy answer. You see, it’s not really its problem. Since day one, Android hardware vendors have refused to update their systems. If you want an Android smartphone, which keeps up with the state of the operating system art, your only good choice is a Google Pixel phone, and to a lesser extent, Samsung phones.
As Jacob Hoffman-Andrews, lead developer on Let’s Encrypt, said:
Android has a long-standing and well-known issue with operating system updates. There are lots of Android devices in the world running out-of-date operating systems. The causes are complex and hard to fix: for each phone, the core Android operating system is commonly modified by both the manufacturer and a mobile carrier before an end-user receives it. When there’s an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that’s not worth the effort. The result is bad for the people who buy these devices: Many are stuck on operating systems that are years out of date.
And, besides, “We … can’t afford to buy the world a new phone.”
If you can’t afford to buy a new phone either — not everyone gets the latest and greatest phone no matter what the ads may lead you to believe — you can install Firefox Mobile. It currently supports Android 5.0. It helps because Firefox is the one web browser, which ships with its own list of trusted root certificates. So, if you use it, you get an up-to-date list of trusted CAs, even if your copy of Android is stuck on an out of date CA list.
If you’re a website owner, and you’re about to use Let’s Encrypt for the first time or renew an existing Let’s Encrypt certificate, you’re going to run into this problem sooner than Sept. 1.
That’s because, as of Jan. 11, 2021, Let’s Encrypt is changing its API so that Automatic Certificate Management Environment (ACME) clients will, by default, serve a certificate chain that leads to ISRG Root X1. That means your site’s going to give older Android smartphones a lot sooner than September.
You can, however, choose to use an alternate certificate chain for the same certificate that leads to DST Root X3. These will keep working on older phones until September. This is done with the ACME “alternate” link relation. Certbot, the most popular automated tool to use with Let’s Encrypt certificates to secure your site, supports this method starting with version 1.6.0 and newer. If you use a different ACME client, check to make sure the “alternate” link relation is supported.
You might “think” will there seriously be that many users coming to yell at me about my site not working on their old phones? I’m sorry to tell you, but, yes, there will be. Let’s Encrypt has found that major sites are still getting 1% to 5% of their traffic from these older devices. That’s a lot of annoyed users.
So, start writing up an automated document to let your users know that if they still want to use your site, they need to start using Firefox Mobile. All too soon, you’re going to be getting heated calls and e-mails about your site’s “failure.”