Pre-7.1 Android phones won’t load secure sites from September 2021

Millions of secure websites won’t load on smartphones that run Android 7.1 or older after September 2021, it has been revealed.  

US-based certificate authority Let’s Encrypt said a change in its criteria from next September will mean old Android operating systems won’t trust its root certificates. 

Root certificates are issued by certificate authorities like Let’s Encrypt to verify that the software or website owner is who they say they are.

Currently, around 66 per cent of Android devices are running version 7.1.1 – also known as Android Nougat – or above, Let’s Encrypt says. 

The remainder that run Android 7.1 and older will start getting certificate error messages when they visit sites that have a Let’s Encrypt certificate on the default Android browser – Google Chrome. 

As there are around 2.5 billion active Android users, the issue could affect more than 800 million users of the old Android operating systems. 

Affected websites will be those certified by Let’s Encrypt – including Wikipedia, Open Street Map, and news sites such as Metro, Variety and the New York Post. 

WHAT ARE ROOT CERTIFICATES? 

Root certificates are issued by certificate authorities like Let’s Encrypt to verify that the software or website owner is who they say they are.

They must be issued by a trusted certificate authority, such as Let’s Encrypt.

MalwareBytes calls them ‘the cornerstone of authentication and security in software and on the internet’. 

Forbes estimates that the problem will affect around 220 million websites as old systems will fail to recognise them as secure. 

Let’s Encrypt confirmed to MailOnline that phones with Android 7.1 will be affected, but 7.1.1 and anything higher will be safe. 

Android 7.1 was released in October 2016, while the update, 7.1.1, was released merely two months later.

Smartphone users who have Android 7.1 or older can overcome the issue by trying to perform a software update before the changes come into force next September.

However, old devices that were launched with Android 7.1 or older may not be compatible with newer versions of Android software.

Let’s Encrypt therefore recommends that affected users install Firefox Mobile, which currently supports Android 5.0 and above.

‘Firefox is currently unique among browsers as it ships with its own list of trusted root certificates,’ Jacob Hoffman-Andrews, lead developer at Let’s Encrypt, said in a blog post.    

‘So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.’   

When Let’s Encrypt launched five years ago, it signed an agreement with fellow certificate authority (CA) IdenTrust for a cross-signature to get it started.

‘That cross-signature allowed us to start issuing certificates right away, and have them be useful to a lot of people,’ Hoffman-Andrews said.  

IdenTrust’s ‘DST Root X3’ certificate had been around for a long time and still features in major software platforms such as Windows, Firefox, macOS, Android and iOS.     

However, this DST Root X3 root certificate is due to expire on September 1, 2021.     

From this point on, Let’s Encrypt will rely solely on its own root certificate, called ISRG Root X1.  

Some of Let’s Encrypt’s older HTTPS certificates will no longer be recognised, the US firm said

‘However, this does introduce some compatibility woes,’ Hoffman-Andrews said. 

‘Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1. 

‘Most notably, this includes versions of Android prior to 7.1.1. 

‘That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.’  
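
The trust decision described above can be modelled as certificate path building against each client's list of trusted roots. This is an added example, not code from Let’s Encrypt or from the article: the site and intermediate names and every date other than the DST Root X3 expiry quoted above are constructed, and the model assumes a client rejects any path that passes through an expired certificate.

```python
from datetime import date

# Constructed model of the certificates named in the article: (subject, issuer, not_after).
# Only the DST Root X3 expiry is the article's date; every other date and the
# leaf/intermediate names are assumptions made for this illustration.
CERTS = [
    ("example.org", "LE intermediate (hypothetical)", date(2021, 12, 1)),
    ("LE intermediate (hypothetical)", "ISRG Root X1", date(2025, 1, 1)),
    ("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1)),  # self-signed root
    ("ISRG Root X1", "DST Root X3", date(2021, 9, 1)),   # IdenTrust cross-signature
    ("DST Root X3", "DST Root X3", date(2021, 9, 1)),    # self-signed root
]

# Roots each client trusts, as the article describes them.
TRUST_STORES = {
    "Android 7.1": {"DST Root X3"},
    "Android 7.1.1": {"DST Root X3", "ISRG Root X1"},
    "Firefox on Android 5.0": {"DST Root X3", "ISRG Root X1"},  # ships its own list
}

def find_path(subject, anchors, today, seen=()):
    """Return the chain from subject up to a trusted, unexpired root, or None."""
    for subj, issuer, not_after in CERTS:
        if subj != subject or today > not_after:
            continue                      # wrong certificate, or expired
        if subj == issuer:                # self-signed: only valid as a trust anchor
            if subj in anchors:
                return [subj]
            continue
        if issuer in seen:                # guard against issuer loops
            continue
        rest = find_path(issuer, anchors, today, seen + (subject,))
        if rest:
            return [subject] + rest
    return None

def can_load(client, today, site="example.org"):
    """True if the client can build a trusted path for the site on that day."""
    return find_path(site, TRUST_STORES[client], today) is not None

if __name__ == "__main__":
    for day in (date(2021, 8, 1), date(2021, 10, 1)):
        for client in TRUST_STORES:
            print(day, client, find_path("example.org", TRUST_STORES[client], day))
```

Run as a script, it prints the chain each client builds before and after the expiry date; the Android 7.1 entry changes from a path ending at DST Root X3 to no path at all.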

Let’s Encrypt is one of several different certificate authorities, which also include the likes of DigiCert and GlobalSign.

This is why some sites face compatibility issues and display a warning message if a web browser doesn’t support a particular certificate. 

Let’s Encrypt issues certificates for almost 30 per cent, or 47.2 million, of web domains – more than any other certificate authority.

Read more at DailyMail.co.uk