Older Android phones will start failing on some secure websites in 2021

They might not be cool, and they certainly aren't up to date, but there are millions of older Android smartphones still running Android 7.1 Nougat (2016) or earlier. On September 1, 2021, however, these phones will begin to fail when connecting to websites secured by Let's Encrypt Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates.

Let's Encrypt is the free and extremely popular open-source certificate authority (CA). Thanks to its service, over a billion websites have been secured. This has worked fine so far, but the root certificate Let's Encrypt originally relied on, IdenTrust's "DST Root X3", which cross-signed Let's Encrypt's own certificates, will expire on September 1, 2021.

With most operating systems this wouldn't be a problem. Let's Encrypt now has its own root certificate, ISRG Root X1, and most operating systems and browsers already trust it. Alas, this is not the case with older versions of Android.

It's not as if vendors keep these phones updated, either. After all, no Android phone running Android 6 or earlier has received security updates since the start of this year. And users, as the tens of millions of people still running Windows 7 show, won't pay attention to security until it bites them in the rump.

This upcoming problem, however, is one they cannot ignore. At best, if you're still using one of those older phones, you'll get an error message asking whether you still want to access the site. At worst, you won't be able to reach your favorite website at all.

So what can we do? Well, don't look to Let's Encrypt for an easy answer. This isn't really Let's Encrypt's problem. Since day one, Android hardware vendors have refused to update their systems. If you want an Android smartphone that keeps up with the current version of the operating system, your only good choice is a Google Pixel phone and, to a lesser extent, Samsung phones.

As Jacob Hoffman-Andrews, lead developer of Let’s Encrypt, said:

Android has a long-standing and well-known issue with operating system updates. There are many Android devices around the world with outdated operating systems. The causes are complex and difficult to resolve: For each phone, the base Android operating system is usually changed by the manufacturer and a mobile operator before an end user receives it. When there is an update to Android, the manufacturer and the mobile operator must incorporate these changes into their customized version before sending it. Manufacturers often decide that it is not worth the trouble. The bottom line is bad for people who buy these devices: many have been stuck on outdated operating systems for years.

And, on top of that, “We … can’t afford to buy the world a new phone.”

If you can't afford a new phone either – not everyone has the latest and greatest phone, no matter what the ads may have you think – you can install Firefox Mobile. It currently supports Android 5.0 and later. This helps because Firefox is the only web browser that ships with its own list of trusted root certificates. So if you use it, you get an up-to-date list of trusted CAs, even if your copy of Android is stuck with an obsolete list.

If you are a website owner who is about to use Let's Encrypt for the first time, or to renew an existing Let's Encrypt certificate, you are going to run into this issue before September 1.

Indeed, from January 11, 2021, Let's Encrypt is changing its API so that Automatic Certificate Management Environment (ACME) clients are served, by default, a certificate chain leading to ISRG Root X1. This means your site will start breaking for older Android smartphones well before September.

You can, however, choose to use an alternate certificate chain for the same certificate, one that leads to DST Root X3. That chain will continue to work on older phones until September. You select it through the ACME "alternative" link relationship. Certbot, the most popular automated tool for securing a site with Let's Encrypt certificates, supports this method from version 1.6.0 onward. If you are using another ACME client, make sure it supports the "alternative" link relationship.
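To see which root your server's served chain actually ends in, here is an added shell example (not code from the article, Let's Encrypt or Certbot) that parses `openssl s_client -showcerts` output; the two sample outputs embedded in it are constructed, and the `--preferred-chain` flag in the closing comment is Certbot's real option, which the article itself does not name.

```shell
# Added example, not code from the article, Let's Encrypt or Certbot.
# chain_root reads `openssl s_client -showcerts` output on stdin and prints
# the issuer of the last certificate in the served chain, i.e. the root the
# server expects clients to trust.
chain_root() {
    # The "Certificate chain" section lists " N s:<subject>" / "   i:<issuer>"
    # pairs; the final i: line names the root of the chain actually sent.
    # Separator lines are exactly "---" (PEM headers also start with "---").
    awk '/^Certificate chain/ { inchain = 1; next }
         /^---$/ { if (inchain) exit }
         inchain && /^ *i:/ { sub(/^ *i:/, ""); last = $0 }
         END { print last }'
}
# Map the root to the article's verdict: the DST Root CA X3 chain validates on
# Android 7.1 and older until that root expires; the ISRG Root X1 chain does not.
chain_verdict() {
    case "$1" in
        *"DST Root CA X3"*) echo "DST Root CA X3: trusted by older Android until expiry" ;;
        *"ISRG Root X1"*)   echo "ISRG Root X1: NOT trusted by Android 7.1 and older" ;;
        *)                  echo "unknown root: $1" ;;
    esac
}
# Constructed s_client output (PEM blocks omitted) for a site on the new
# default chain and for one still serving the alternative DST chain.
SAMPLE_ISRG="---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate"
SAMPLE_DST="---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate"

for sample in "$SAMPLE_ISRG" "$SAMPLE_DST"; do
    root="$(printf '%s\n' "$sample" | chain_root)"
    echo "chain root: $root"
    chain_verdict "$root"
done
# To keep the DST chain with Certbot 1.6.0+ (real flag, not named in the
# article): certbot renew --preferred-chain "DST Root CA X3"
```

Against a live host: `openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | chain_root`.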

You might seriously be thinking, "Will there really be a lot of users yelling at me about my site not working on their old phones?" I'm sorry to tell you, but yes, there will be. Let's Encrypt found that major sites still get 1% to 5% of their traffic from these older devices. That's a lot of annoyed users.

So, start drafting a canned notice to let your users know that, if they still want to use your site, they need to switch to Firefox Mobile. All too soon you are going to receive impassioned calls and emails about your site's "failure".

Good luck.
