[ad_1]
It’s weird to consider, I know, but it’s true: As of September of next year, those on Android 7.1 or earlier versions – that’s roughly a third of anyone currently using Android – might not be able to connect to a website using an SSL certificate from Let’s Encrypt. Just to keep things consistent, it’s roughly a third of the World Wide Web.
As to why, the short version is straightforward. About 95% of the web uses HTTPS nowadays—An excellent indicator for browser security. However, the process of launching a new certificate authority, which issues the digital certificates used by websites as part of HTTPS, is a bit of a pain. As Jacob Hoffman-Andrews writes to Let’s Encrypt:
“When a new Certificate Authority (CA) comes on the scene, it faces a conundrum: To be useful to people, it needs its root certificate to be trusted by a wide variety of operating systems (OS) and of browsers. However, it can take years for operating systems and browsers to accept the new root certificate, and even longer for people to upgrade their devices to new versions that include this change. The common solution: A new CA will often ask an existing and trusted CA for a cross signature, so that it can be quickly approved by many devices.
Five years ago when Let’s Encrypt launched, that’s exactly what we did. We obtained a cross signature from IdenTrust. Their “DST Root X3” had been around for a long time, and all the major software platforms already trusted it: Windows, Firefox, macOS, Android, iOS and a variety of Linux distributions. This cross signing allowed us to start issuing certificates right away and making them useful to a lot of people. Without IdenTrust, Let’s Encrypt might never have happened and we are grateful for their partnership … “
As you might have guessed, this initial DST Root X3 certificate will expire next year – September 1 in particular – and all operating systems that have not been updated to use the ISRG Root certificate. X1 from Let’s Encrypt are going to run into problems. Although you may run into issues sooner, because Let’s Encrypt will change its automatic certification process in January to serve ISRG Root X1 certificates from websites instead. They will be able to implement a workaround that is backward compatible with the DST Root X3 certificate, but this is only a temporary solution.
What can you do about these incompatible SSL certificates?
In a perfect world, your old Android would receive an out-of-media update that would allow it to use the new certificate from Let’s Encrypt. I wouldn’t hold your breath for that one, given how much manufacturers can hate to update “old” Android devices that might never have made it to Android 8.
G / O Media can get commission
You have a little workaround: If you go to Firefox Mobile No matter what browser you are currently using, you will be able to access any website you want. Firefox Mobile uses its own root certificates instead of whatever your Android operating system supports, so you’ll have no problem viewing the website you want if, or when the manufacturer of your Android is reluctant to release an update.
And Ddon’t remove Chrome yet. google will be, at one point, switch to a similar practice of using your own root certificates rather than the root certificates found on Chrome underlying operating system. It’s unclear if this will launch in a month or two, but I suspect it will definitely be ready to go by September of next year when the ax officially drops for older Androids.
[ad_2]
Source link