Let's Encrypt announces the end of cross-signing: certificate data sent per connection shrinks by 40%, but Android 7.0 and earlier devices will need a workaround



Let's Encrypt, a certificate authority that issues free SSL/TLS certificates for web servers, has been cross-signed by IdenTrust so that the certificates it issues are also trusted by devices that do not trust Let's Encrypt's own root. Citing the growing number of devices that now trust Let's Encrypt directly, it has announced that it will end the IdenTrust cross-signing in 2024.

Shortening the Let's Encrypt Chain of Trust - Let's Encrypt
https://letsencrypt.org/2023/07/10/cross-sign-expiration.html



SSL/TLS lets a client check that the party it is talking to has not been replaced by an impostor and that data has not been tampered with in transit, and by encrypting the content of the communication it also prevents eavesdropping. To serve a website over TLS, a certificate must be set up on the server side.



To verify the 'server certificate' itself, the device uses its stored 'list of trusted certificate authorities': if the certificate is signed by a certificate authority on that list, the communication partner is judged to be legitimate. This list is updated from time to time on most devices, but some devices never receive updates and keep the list that was saved at the time of manufacture.

Since Let's Encrypt officially launched in 2016, there have been devices that do not trust its certificates. As the article below reports, in 2018 it was estimated that it would take another five years before the installed base of devices had been updated.

It will take five years until the root certificate of the free SSL authentication service 'Let's Encrypt' is trusted by all terminals - GIGAZINE



From the start, Let's Encrypt was cross-signed by IdenTrust, the certificate authority with the largest market share, so that older devices could trust certificates issued by Let's Encrypt. When this cross-signature was due to expire in 2021, one-third of Android devices would have rejected Let's Encrypt certificates, so Let's Encrypt responded by extending the cross-signature's expiration date by three years. This incident is detailed in the article below.

'One-third of Android devices in the world will not be able to browse some websites,' warns Let's Encrypt - GIGAZINE



The cross-signature is due to expire again on September 30, 2024. In the three years since the extension, the share of Android 7.1 and later devices that trust Let's Encrypt has risen from 66% to 93.9%, and Android 14 will be able to update its list of trusted certificate authorities via Google Play, so the number of devices that trust Let's Encrypt is expected to keep growing. Let's Encrypt has therefore announced that it will phase out cross-signing in stages, starting on February 8, 2024.

Ending cross-signing reduces the amount of certificate data sent at the start of a TLS connection by more than 40% and significantly lowers operating costs, allowing Let's Encrypt to focus more on security and privacy protection.

Once cross-signing ends, the default browser on Android 7.0 and earlier devices will no longer be able to access websites that use Let's Encrypt certificates. Let's Encrypt's official website states that such sites remain accessible without problems from Firefox Mobile, which ships its own 'trust list'.

The specific decommissioning schedule is as follows.

◆ February 8, 2024
New certificates will no longer be issued with the cross-signed chain by default. Clients that change their settings can still obtain the conventional cross-signed chain.

◆ June 6, 2024
Cross-signing of new certificates stops permanently. Let's Encrypt certificates expire after 90 days, so every cross-signed certificate will have expired before the cross-signature itself does.

◆ September 30, 2024
The cross-signed certificate expires.
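The chain-validation rule the article describes, as an added example (not from the article, GIGAZINE, or Let's Encrypt): a simplified Python model of a device's trust list and of how a cross-signature lets an older device accept a certificate whose root it does not trust. The CA names (R3, ISRG Root X1, DST Root CA X3) are the ones Let's Encrypt and IdenTrust publish for this chain; the cross-sign expiry of September 30, 2024 and the 90-day leaf lifetime come from the article; every other date, the host name, and the contents of the two trust stores are constructed for the demonstration. The model only follows issuer links and expiry dates; real validation also checks signatures, key usage and revocation.

```python
"""Simplified model of certificate-chain validation against a device trust list,
showing why a cross-signed chain works on an old device until the cross-sign
expires, and why the short chain needs the device to trust the CA's own root."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Cert:
    """A certificate reduced to the fields needed for path building."""
    subject: str
    issuer: str
    not_after: date  # last day on which the certificate is valid


def chain_is_trusted(leaf, sent_chain, trust_store, today):
    """Return True if a path from `leaf` to a root named in `trust_store` can be
    built from the certificates the server sent, with every certificate on the
    path still valid on `today`. This is the article's rule: a certificate is
    accepted when it is (transitively) signed by a CA on the device's list."""
    by_subject = {c.subject: c for c in sent_chain}
    current, seen = leaf, set()
    while True:
        if today > current.not_after:
            return False                      # an expired link breaks the path
        if current.issuer in trust_store:
            return True                       # reached a CA the device trusts
        if current.issuer in seen or current.issuer not in by_subject:
            return False                      # loop, or no certificate for issuer
        seen.add(current.issuer)
        current = by_subject[current.issuer]


def issue_leaf(issued_on, lifetime_days=90):
    """Constructed leaf for an assumed host, with Let's Encrypt's 90-day lifetime."""
    return Cert("example.com", "R3", issued_on + timedelta(days=lifetime_days))


CROSS_SIGN_EXPIRY = date(2024, 9, 30)             # from the article

# Intermediate R3 signed by Let's Encrypt's own root (expiry date constructed).
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
# ISRG Root X1 as cross-signed by IdenTrust's DST Root CA X3.
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", CROSS_SIGN_EXPIRY)

SHORT_CHAIN = [R3]                      # what the server sends after the change
CROSS_SIGNED_CHAIN = [R3, ISRG_X1_CROSS]  # the conventional, longer chain

# Constructed trust stores: a current device trusts both roots; an old device
# (Android 7.0 and earlier in the article) only has IdenTrust's root.
MODERN_TRUST_STORE = {"ISRG Root X1", "DST Root CA X3"}
OLD_ANDROID_TRUST_STORE = {"DST Root CA X3"}


def last_cross_signed_leaf_expiry():
    """Expiry of the last cross-signed leaf, issued on the June 6, 2024 cutoff."""
    return issue_leaf(date(2024, 6, 6)).not_after


def demo(today):
    """Validate both chains on both device types for a leaf issued 30 days ago."""
    leaf = issue_leaf(today - timedelta(days=30))
    return {
        "short/modern": chain_is_trusted(leaf, SHORT_CHAIN, MODERN_TRUST_STORE, today),
        "short/old": chain_is_trusted(leaf, SHORT_CHAIN, OLD_ANDROID_TRUST_STORE, today),
        "cross/modern": chain_is_trusted(leaf, CROSS_SIGNED_CHAIN, MODERN_TRUST_STORE, today),
        "cross/old": chain_is_trusted(leaf, CROSS_SIGNED_CHAIN, OLD_ANDROID_TRUST_STORE, today),
    }


if __name__ == "__main__":
    for day in (date(2024, 8, 1), date(2024, 10, 1)):
        print(day, demo(day))
    print("last cross-signed leaf expires", last_cross_signed_leaf_expiry(),
          "<= cross-sign expiry:", last_cross_signed_leaf_expiry() <= CROSS_SIGN_EXPIRY)
```

Running it shows the cross-signed chain validating on the old device before September 30, 2024 and failing after, the short chain never validating there, and the last possible cross-signed leaf (issued June 6, 2024) expiring on September 4, 2024, inside the cross-sign's lifetime as the schedule states. To see which of the two chains a real server is currently sending, `openssl s_client -showcerts -connect host:443` prints every certificate the server presents.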

in Web Service, Posted by log1d_ts