SSL-certified sites are important because they prevent bad actors from snooping on user data in transit. According to a report from Google, 95% of traffic is now encrypted on its network.
Let’s Encrypt is one of the authorities that issues these HTTPS certificates to sites so that traffic to those websites is encrypted in transit. The organization has issued more than 1 billion certificates and it serves more than 192 million sites today.
Since there are multiple certificate authorities, some sites might face compatibility issues if your browser or app doesn’t trust a particular authority’s certificate. Android users with devices running version 7.1.1 or older might face that problem soon.
When Let’s Encrypt was born in 2015, apart from its own root certificate, it also used a cross-signed certificate from IdenTrust, another certificate authority.
However, the partnership between these two entities is coming to an end on September 1, 2021, and Let’s Encrypt will only use its own certificate to validate sites. Let’s Encrypt is taking a pre-emptive step and changing its API to use its own certificate by default from January 11.
Now, this will create an issue on older platforms such as devices running Android 7.1.1 or earlier. They haven’t been updated to accept Let’s Encrypt’s root certificate, and still rely on cross-signatures from authorities like IdenTrust:
“However, this does introduce some compatibility woes. Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.”
According to stats pulled from Android Studio by the certificate authority, more than 34% of Android devices across the globe are running on version 7.1 or older. And after January, a lot of sites and apps might face compatibility issues on these devices.
As Android Police noted, a workaround for this problem is to install and use Mozilla’s Firefox browser on these devices as it uses its own root certificate list to validate sites. To be clear, apps depending on older certificates won’t be able to take advantage of this fix.
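The trust decision described above comes down to which root the served chain ends at and whether that root is in the client's trust store. The following is an added example, not code from Let’s Encrypt or from the original article: a simplified Python model of chain validation in which every name except ISRG Root X1 is a placeholder, signatures are reduced to issuer/subject matching, and the cross-signed certificate is assumed to stop being usable after the article's September 1, 2021 date.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

# Constructed model data. "LE Intermediate" and "IdenTrust Root" are placeholder names.
LEAF = Cert("example.org", "LE Intermediate", date(2021, 12, 1))
INT_OWN = Cert("LE Intermediate", "ISRG Root X1", date(2025, 1, 1))      # chains to Let's Encrypt's own root
INT_CROSS = Cert("LE Intermediate", "IdenTrust Root", date(2021, 9, 1))  # cross-signature (assumed end date)

# Trust stores: an un-updated device knows only the older root.
OLD_DEVICE = frozenset({"IdenTrust Root"})
UPDATED = frozenset({"IdenTrust Root", "ISRG Root X1"})  # e.g. a browser shipping its own root list

def validates(chain, trust_store, today):
    """True if each cert is issued by the next one, none has expired,
    and the last cert's issuer is a root the client trusts."""
    if not chain:
        return False
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False
    if any(today > cert.not_after for cert in chain):
        return False
    return chain[-1].issuer in trust_store

def report(today):
    """Validation result for every (served chain, client trust store) pair."""
    chains = {"own-root": [LEAF, INT_OWN], "cross-signed": [LEAF, INT_CROSS]}
    stores = {"old": OLD_DEVICE, "updated": UPDATED}
    return {(c, s): validates(chain, store, today)
            for c, chain in chains.items() for s, store in stores.items()}

if __name__ == "__main__":
    for day in (date(2020, 12, 1), date(2021, 9, 2)):
        print(day, report(day))
```

In this model the same leaf certificate passes or fails purely on the intermediate the server sends and the roots the client ships, which is why a browser with its own root list is unaffected while apps using the system store are not.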
Published November 9, 2020 — 08:19 UTC