Millions of secure websites won’t load on smartphones that run Android 7.1 or older after September 2021, it has been revealed.
US-based certificate authority Let’s Encrypt said a change in its criteria from next September will mean old Android operating systems won’t trust its root certificates.
Root certificates are issued by certificate authorities like Let’s Encrypt to verify that the software or website owner is who they say they are.
Currently, around 66 per cent of Android devices are running version 7.1.1 – also known as Android Nougat – or above, Let’s Encrypt says.
The remainder that run Android 7.1 and older will start getting certificate error messages when they visit sites that have a Let’s Encrypt certificate on the default Android browser – Google Chrome.
As there are around 2.5 billion active Android users, the issue could affect more than 800 million users of the old Android operating systems.
Affected websites will be those certified by Let’s Encrypt – including Wikipedia, OpenStreetMap, and news sites such as Metro, Variety and the New York Post.
However, old devices that were launched with Android 7.1 or older may not be compatible with newer versions of Android software.
Let’s Encrypt therefore recommends that affected users install Firefox Mobile, which currently supports Android 5.0 and above.
‘Firefox is currently unique among browsers as it ships with its own list of trusted root certificates,’ Jacob Hoffman-Andrews, lead developer at Let’s Encrypt, said in a blog post.
‘So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.’
When Let’s Encrypt launched five years ago, it signed an agreement with fellow certificate authority (CA) IdenTrust for a cross-signature to get it started.
‘That cross-signature allowed us to start issuing certificates right away, and have them be useful to a lot of people,’ Hoffman-Andrews said.
IdenTrust’s ‘DST Root X3’ certificate had been around for a long time and still features in major software platforms such as Windows, Firefox, macOS, Android and iOS.
However, this DST Root X3 root certificate is due to expire on September 1, 2021.
From this point on, Let’s Encrypt will rely solely on its own root certificate, called ISRG Root X1.
‘However, this does introduce some compatibility woes,’ Hoffman-Andrews said.
‘Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1.
‘Most notably, this includes versions of Android prior to 7.1.1.
‘That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.’
Let’s Encrypt is one of several different certificate authorities, which also include the likes of DigiCert and GlobalSign.
This is why some sites face compatibility issues and display a warning message if a web browser doesn’t support a particular certificate.
Let’s Encrypt issues certificates for almost 30 per cent, or 47.2 million, of web domains – more than any other registrar.