Let's Encrypt warns that 'some websites will not be viewable on one-third of the world's Android devices'



Let's Encrypt, a certificate authority that issues SSL/TLS certificates for web servers free of charge, has warned that 'Let's Encrypt certificates cannot be used on one-third of Android devices in the world.'

Standing on Our Own Two Feet - Let's Encrypt - Free SSL/TLS Certificates
https://letsencrypt.org/2020/11/06/own-two-feet.html

Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs • The Register
https://www.theregister.com/2020/11/06/android_encryption_certs/

Many websites will stop working on older Android versions in 2021
https://www.androidpolice.com/2020/11/07/many-websites-will-stop-working-on-older-android-versions-in-2021/

Founded by the Electronic Frontier Foundation and the Mozilla Foundation, Let's Encrypt is a non-profit organization that works to encrypt connections to all web servers. When it was established, the certificate of the new certificate authority was not yet trusted, so Let's Encrypt obtained a cross-signature from IdenTrust, a certificate authority already trusted by major browsers, and relied on the root certificate 'DST Root CA X3' so that its certificates would be accepted by the various browsers.

Chain of Trust - Let's Encrypt - Free SSL/TLS Certificates
https://letsencrypt.org/ja/certificates/



However, DST Root CA X3 expires on September 1, 2021, so Let's Encrypt will move to its own root certificate, 'ISRG Root X1'. After this migration, Android versions prior to 7.1.1, which do not have the 'ISRG Root X1' root certificate pre-installed, will display a warning screen when connecting over HTTPS once DST Root CA X3 has expired.

The following article explains in detail what a root certificate is and how the migration to ISRG Root X1 works.

What Happens When Let's Encrypt Root Certificate Changes to ISRG Root X1
https://www.dispatch-base.com/article/2020/lets-encrypt-changes-certificate-to-ISRG/

According to Let's Encrypt, Android devices running versions prior to 7.1.1 account for one-third of the total. According to Android Developers, the official website for Android app developers, 66.2% of all Android devices run version 7.1.1 or later; in other words, 33.8% run a version prior to 7.1.1.



On Android devices running version 5.0 and above, the certificate issue can be solved by using Firefox Mobile, which has its own trust in ISRG Root X1. However, about 2% of the world's Android devices run a version earlier than 5.0, so HTTPS pages will end up being unviewable on those devices.

Let's Encrypt will update its API for server administrators on January 11, 2021 so that they can continue using DST Root CA X3. However, since DST Root CA X3 will expire on September 1, 2021, the API update is only a temporary measure. Let's Encrypt is urging administrators to take steps such as displaying a banner that recommends Firefox to users on older Android versions, switching to an HTTP connection, or dropping Let's Encrypt in favor of a certificate authority that is trusted on older versions of Android.
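
To gauge how much of a site's own traffic falls into the groups described above, an administrator can bucket access-log User-Agent strings by Android version and browser. This is an added example, not code from Let's Encrypt or the original article; the bucket names, the combined log format and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

ANDROID_RE = re.compile(r"Android (\d+(?:\.\d+){0,2})")
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')  # last quoted field of a combined-format line
ISRG_PREINSTALLED = (7, 1, 1)  # article: ISRG Root X1 is pre-installed from Android 7.1.1
FIREFOX_CUTOFF = (5, 0, 0)     # article: the Firefox Mobile workaround applies from 5.0

def classify(user_agent):
    """Bucket one User-Agent by how the DST Root CA X3 expiry affects it."""
    m = ANDROID_RE.search(user_agent)
    if not m:
        return "unaffected"                      # not an Android client
    parts = [int(p) for p in m.group(1).split(".")]
    version = tuple(parts + [0] * (3 - len(parts)))  # "7.0" -> (7, 0, 0)
    if version >= ISRG_PREINSTALLED:
        return "unaffected"
    if version < FIREFOX_CUTOFF:
        return "no_workaround"                   # follows the article's 5.0 cutoff
    # A bare "7.1" lands here too: counted as affected, the conservative choice.
    return "ok_firefox" if "Firefox/" in user_agent else "needs_firefox"

def summarize(log_lines):
    """Count buckets over access-log lines whose last quoted field is the UA."""
    counts = Counter()
    for line in log_lines:
        m = UA_FIELD_RE.search(line)
        if m:
            counts[classify(m.group(1))] += 1
    return counts

def affected_share(counts):
    """Fraction of requests that will see a certificate warning."""
    total = sum(counts.values())
    hit = counts["needs_firefox"] + counts["no_workaround"]
    return hit / total if total else 0.0

# Constructed sample User-Agents, wrapped into constructed combined-format log lines.
SAMPLE_UAS = [
    "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 Chrome/86.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/86.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Android 6.0.1; Mobile; rv:82.0) Gecko/82.0 Firefox/82.0",
    "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) AppleWebKit/537.36 Chrome/81.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0",
    "Mozilla/5.0 (Linux; Android 7.1.1; Nexus 6) AppleWebKit/537.36 Chrome/86.0 Mobile Safari/537.36",
]
SAMPLE_LOG = [f'203.0.113.5 - - [06/Nov/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'
              for ua in SAMPLE_UAS]

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    print(dict(c), f"affected: {affected_share(c):.0%}")
```

User-Agent strings are client-supplied and can be spoofed or truncated, so the result is an estimate of exposure rather than an exact count.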

in Mobile, Web Service, Posted by darkhorse_log