Let’s Encrypt, the provider of free SSL certificates, has warned that issues with Google’s Android operating system could prevent the 220 million websites that use its encryption from working properly on a third of Android phones in 2021.
Let’s Encrypt’s free SSL certificates have become highly popular with website owners, making it free and easy for them to make their sites secure by encrypting browser to server data transfers. Ironically, Google is one of the main drivers behind the push to install SSL certificates by including them in its ranking criteria. Google’s Chrome is even a sponsor of the ISRG, the organisation that run’s Let’s Encrypt.
However, it seems that from September next year, those with older versions of the Android operating system might not be able to make secure connections with websites using Let’s Encrypt. According to the certificate authority, users of Android version 7.1.1 or older could find their devices will no longer trust Let’s Encrypt certificates, effectively breaking those websites for those users.
The issue at the heart of the matter is that, when Let’s Encrypt first launched back in 2016, it used an existing certificate authority, IdenTrust, as a cross-signature. This enabled it to have a trusted root certificate right from the outset, something that otherwise, would have taken years. IdenTrust’s root certificate was well-established and trusted by Android, iOS, macOS and Windows. To generate its own trust, Let’s Encrypt simultaneously issued its own root certificate, which over the last five years has become trusted itself.
However, IdenTrust’s root certificate expires on September 1, 2021, and this means that any software which hasn’t been updated since 2016 will no longer accept it nor, because of the software’s age, will it accept the Let’s Encrypt’s root certificate.
With Android’s ecosystem being splintered, it means there is a range of factors which affect whether a device gets updated. These can include the make and model of the phone or device and the telephone network they use. As a result, any device running on Android versions 7.1.1 or earlier will, from next September, no longer trust sites that have installed certificates from Let’s Encrypt. The issue can also affect apps that use data from websites with Let’s Encrypt certificates.
For website owners worried about the impact of this on their business, it is worth noting that 34% of all Android devices fall into this category. With 2.5 billion Android users, that amounts to 850 million devices that will start getting certificate errors when users visit these websites. Let’s Encrypt estimates this works out at between 1% and 5% of traffic visiting the sites they serve.
The solution for the users of the devices is to upgrade their Android OS to version 7.1.1 or later. However, that’s not possible on all devices, leaving owners with the choice to upgrade the device, find alternative websites to visit or install the Firefox Mobile web browser app, which works with Android version 5 upwards and accepts the Let’s Encrypt root certificate.
Until Let’s Encrypt find a workable solution, something they are working on, website owners not wanting to lose traffic may be best served by replacing the Let’s Encrypt SSL certificate with one that will be recognised by all Android devices.
If you are considering looking for an alternative SSL certificate for your website, WHUK offers a range of SSL certificates to suit differing needs and will take care of the installation for you. For more information, visit our SSL Certificates page.