One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday.
The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, 2021. Since it has no plans to renew its cross-signing agreement, Let’s Encrypt plans to stop defaulting to the chain cross-signed by IdenTrust’s root certificate, DST Root X3, beginning on Jan. 11, as the organization switches over to solely using its own root, ISRG Root X1.
It’s a pretty significant shift considering that as much as one-third of all web domains rely on the organization’s certificates. But since older software won’t trust Let’s Encrypt’s root certificate, this could “introduce some compatibility woes,” lead developer Jacob Hoffman-Andrews said in a blog post Friday.
“Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our root certificate, ISRG Root X1,” he said. “Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.”
The only workaround for these users would be to install Firefox since it relies on its own certificate store that includes Let’s Encrypt’s root, though that wouldn’t keep applications from breaking or ensure functionality beyond your browser.
Let’s Encrypt noted that roughly 34% of Android devices are running a version older than 7.1, based on data from Google’s Android development suite. That translates to millions of users potentially being cut off from large portions of the secure web beginning in 2021.