Let's Encrypt, a Certificate Authority (CA) that puts the "S" in "HTTPS" for about 220m domains, has issued a warning to users of older Android devices that their web surfing may get choppy next year.
Let's Encrypt launched four years ago to make it easier to set up a secure website. To jumpstart its trust relationship with various software and browser makers – necessary for its digital certificates to be accepted – it piggybacked on IdenTrust's DST Root X3 certificate. As a result, the non-profit's certificates could be presented by websites and be trusted by all the major web browsers to connect to them securely.
The CA, overseen by the Internet Security Research Group (ISRG), subsequently issued its own root certificate (ISRG Root X1) and applied for it to be trusted by the major software platforms. By July 2018, the ISRG Root X1 had been accepted by Microsoft, Google, Apple, Mozilla, Oracle, and BlackBerry, and it was no longer really necessary to have IdenTrust's DST Root X3 vouch for Let's Encrypt's character.
Next year, on September 1, 2021, the DST Root X3 certificate that Let's Encrypt initially relied on for cross-signing will expire, and devices that haven't been updated in the past four years to trust the X1 root certificate may find they're unable to connect to websites securely, not without throwing up error messages, at least. We're looking at you, Android.
"Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1," explained Jacob Hoffman-Andrews, a lead developer on Let's Encrypt and senior staff technologist at the Elec ..