Older Android phones just dodged a big web browsing problem

All Android phones should now be able to access sites secured with certificates from Let's Encrypt until 2024.
Written by Liam Tung, Contributing Writer

Your older Android device will still be able to browse websites next year, after Let's Encrypt came up with a way for these devices to keep visiting sites that use its certificates beyond September 2021.

As many as a third of existing Android smartphones were set to see error messages from websites secured by the certificate authority, but the non-profit now has a workaround for the issue.

On September 1, 2021, millions of Android phones running 2016's Android 7.1 Nougat or earlier would no longer have been able to connect to websites using Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates from Let's Encrypt.


The key problem was that Let's Encrypt's original root certificate relied on a cross-signature from the certificate authority IdenTrust, whose "DST Root CA X3" root is set to expire on September 1, 2021.

Let's Encrypt now has its own root certificate, ISRG Root X1, but there has been concern because Android versions prior to 7.1.1 don't trust Let's Encrypt's ISRG Root X1. And because there are so many Android devices running versions prior to this, the situation could have translated into a lot less access to websites that rely on Let's Encrypt's digital certificates to provide HTTPS connections.  

According to Let's Encrypt, IdenTrust has now agreed to a three-year cross-sign of ISRG Root X1 from IdenTrust's DST Root CA X3. The move should buy sufficient time for people to replace these older Android devices, which will then become a less significant source of web traffic.

The new cross-sign extends beyond the expiration of DST Root CA X3. The workaround should function on Android because Android does not enforce the expiration dates of certificates used as trust anchors.

"We will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about," Let's Encrypt states.


"We will not be performing our previously-planned chain switch on January 11th, 2021. Instead, we will be switching to provide this new chain by default in late January or early February. The transition should have no impact on Let's Encrypt subscribers, much like our switch to our R3 intermediate earlier this month."

Let's Encrypt explains that the self-signed certificate representing the DST Root CA X3 keypair is still expiring, but browser and OS root stores treat these certificates as "trust anchors", and Android is designed to ignore the date in a trust anchor after which it should no longer be trusted.
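To make the chain-building logic described above concrete, here is an added toy model (not code from the article or from Let's Encrypt) of how a verifier picks a path from a leaf certificate to a trust anchor. The certificate names are the real ones mentioned in the article, but the expiry dates, the example.com leaf, and the chain structure are constructed for illustration and no real signatures are checked; the `enforce_anchor_expiry` switch stands in for the difference between a strict verifier and Android's behaviour.

```python
"""Toy X.509 path building: why a cross-signed chain keeps working on
older Android. Certificates are modelled as (subject, issuer, not_after);
dates below are constructed, not the real certificates' values."""
from datetime import date

# Constructed leaf and intermediates (no real signatures involved).
LEAF = ("example.com", "R3", date(2021, 12, 1))
INTERMEDIATES = [
    ("R3", "ISRG Root X1", date(2025, 9, 15)),
    # Cross-signed ISRG Root X1 issued by DST Root CA X3; it outlives the DST root.
    ("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),
]
# Trust stores hold self-signed anchors as (subject, not_after).
OLD_ANDROID_STORE = [("DST Root CA X3", date(2021, 9, 1))]
MODERN_STORE = [("DST Root CA X3", date(2021, 9, 1)),
                ("ISRG Root X1", date(2035, 6, 4))]


def validate(leaf, intermediates, store, today, enforce_anchor_expiry):
    """Return the chain (list of subjects, anchor last) if some path from
    `leaf` to an anchor in `store` is valid on `today`, else None.
    Depth-first over every candidate issuer, so a subject that exists both
    as an anchor and as a cross-signed intermediate is tried both ways."""
    def walk(cert, path):
        subject, issuer, not_after = cert
        if today > not_after:  # leaf/intermediate expiry is always enforced
            return None
        for anchor, anchor_exp in store:
            # Android-style verifiers skip the anchor's own expiry check.
            if anchor == issuer and (not enforce_anchor_expiry or today <= anchor_exp):
                return path + [subject, anchor]
        for cand in intermediates:
            if cand[0] == issuer and cand[0] not in path + [subject]:
                found = walk(cand, path + [subject])
                if found:
                    return found
        return None
    return walk(leaf, [])


if __name__ == "__main__":
    after = date(2021, 10, 1)  # constructed: after DST Root CA X3 has expired
    print("old Android, strict :", validate(LEAF, INTERMEDIATES, OLD_ANDROID_STORE, after, True))
    print("old Android, lenient:", validate(LEAF, INTERMEDIATES, OLD_ANDROID_STORE, after, False))
    print("modern store, strict:", validate(LEAF, INTERMEDIATES, MODERN_STORE, after, True))
```

A strict verifier with only DST Root CA X3 in its store fails after that root expires, while the lenient (Android-like) verifier still accepts the cross-signed chain and a modern store reaches ISRG Root X1 directly.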
