It’s weird to contemplate, I know, but it’s true: Starting in September of next year, those on Android versions 7.1 or earlier—that’s roughly one-third of everyone using Android right now—might be unable to connect to any website that uses an SSL certificate from Let’s Encrypt. Just to keep things consistent, Let’s Encrypt certificates cover roughly one-third of the World Wide Web.
As to why, the short version is simple. Around 95 percent of the web uses HTTPS nowadays—a great metric for browser security. However, the process of launching a new Certificate Authority, which issues the digital certificates websites use as part of HTTPS, is a bit of a pain. As Jacob Hoffman-Andrews writes over at Let’s Encrypt:
“When a new Certificate Authority (CA) comes on the scene, it faces a conundrum: In order to be useful to people, it needs its root certificate to be trusted by a wide variety of operating systems (OSes) and browsers. However, it can take years for the OSes and browsers to accept the new root certificate, and even longer for people to upgrade their devices to the newer versions that include that change. The common solution: a new CA will often ask an existing, trusted CA for a cross-signature, to quickly get it into being trusted by lots of devices.
Five years ago, when Let’s Encrypt launched, that’s exactly what we did. We got a cross-signature from IdenTrust. Their “DST Root X3” had been around for a long time, and all the major software platforms trusted it already: Windows, Firefox, macOS, Android, iOS, and a variety of Linux distributions. That cross-signature allowed us to start issuing certificates right away, and have them be useful to a lot of people. Without IdenTrust, Let’s Encrypt may have never happened and we are grateful to them for their partnership…”
As you might have guessed, this DST Root X3 certificate is going to expire on Sept. 1 of next year, and any operating system whose root store hasn’t been updated to include Let’s Encrypt’s own ISRG Root X1 certificate is going to run into problems. You might encounter issues sooner, though: in January, Let’s Encrypt will change the default chain it issues so that certificates chain to ISRG Root X1 instead. Let’s Encrypt will offer a backwards-compatible workaround that still chains to DST Root X3, but it’s only a temporary fix, since that root expires in September regardless.
What can you do about these incompatible SSL certificates?
In a perfect world, your old Android would receive an out-of-support update that adds Let’s Encrypt’s newer root certificate to its trust store. I wouldn’t hold your breath for that one, given how loath manufacturers can be to update “ancient” Android devices that might have never made it to Android 8.
You do have one tiny workaround, however: If you switch to Firefox Mobile from whatever browser you’re currently using, you’ll still be able to reach those websites. Firefox Mobile ships its own root certificate store instead of relying on the one built into your Android operating system, so you’ll have no issues viewing any website under the sun if, or when, your Android’s manufacturer balks at releasing an update.
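To make the trust-store mechanics above concrete (the cross-signature, the January chain change, and why a browser that carries its own root store is unaffected), here is an added Python example that is not part of the original article or of any Let’s Encrypt code: it models each certificate as a name-and-date record and runs a toy path builder against two root stores. Signatures are not checked, and the example.org leaf and all dates other than the article’s Sept. 1 expiry are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Toy certificate: names and validity only, no keys or signatures."""
    subject: str
    issuer: str
    not_after: date


# Constructed stand-ins for the certificates the article discusses.
# DST Root X3's expiry uses the date the article gives; the rest are illustrative.
LEAF = Cert("example.org", "R3", date(2021, 12, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root X3", date(2021, 9, 1))  # the cross-signature
DST_X3 = Cert("DST Root X3", "DST Root X3", date(2021, 9, 1))

# Root stores: an un-updated Android 7.1 only knows DST Root X3, while Firefox
# carries its own store that already includes ISRG Root X1.
OLD_ANDROID_STORE = frozenset({DST_X3})
FIREFOX_STORE = frozenset({DST_X3, ISRG_X1_SELF})

# What a server sends: the compatible chain (cross-signed ISRG Root X1 included)
# versus the chain Let's Encrypt switches to by default in January.
COMPAT_CHAIN = [LEAF, R3, ISRG_X1_CROSS]
NEW_DEFAULT_CHAIN = [LEAF, R3]


def build_path(cert, extras, roots, today, seen=()):
    """Depth-first search from `cert` to a trusted, unexpired root.
    Returns the path as a list of subject names, or None if every candidate
    issuer is missing from the store or already expired on `today`."""
    if today > cert.not_after:
        return None                                   # expired link: dead end
    for root in roots:
        if root.subject == cert.issuer and today <= root.not_after:
            return [cert.subject, root.subject]       # reached a trust anchor
    for cand in extras:                               # try served intermediates
        if cand.subject == cert.issuer and cand.subject not in seen:
            rest = build_path(cand, extras, roots, today, seen + (cert.subject,))
            if rest:
                return [cert.subject] + rest
    return None


def check_site(store, today, served=COMPAT_CHAIN):
    """Validate the served chain's leaf against a root store on a given date."""
    return build_path(served[0], served[1:], store, today)
```

Run `check_site` with the two stores on dates before and after the root expiry to see which combinations still find a path.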
However, don’t delete Chrome just yet—I believe Google will, at some point, switch over to a similar practice of using its own root certificates rather than the root certificates found on the underlying operating system. It’s unclear if this will launch within the next month or two, but I’m assuming it’ll definitely be ready to go by September of next year when the axe officially falls for older Androids.