'Things were touch-and-go for a while, but it looks like Let's
Encrypt's transition to a standalone certificate authority (CA) isn't
going to break a ton of old Android phones. This was a serious concern
earlier due to an expiring root certificate, but Let's Encrypt has
come up with a workaround.

Let's Encrypt is a fairly new certificate authority, but it's also one
of the world's leading. The service was a major player in the push to
make the entire Web run over HTTPS, and as a free, open issuing
authority, it went from zero certs to one billion certs in just four
years. For regular users, the list of trusted CAs is usually issued by
your operating system or browser vendor, so any new CA has a long
rollout that involves getting added to the list of trusted CAs by
every OS and browser on Earth as well as getting updates to every
user. To get up and running quickly, Let's Encrypt got a
cross-signature from an established CA, IdenTrust, so any browser or
OS that trusted IdenTrust could now trust Let's Encrypt, and the
service could start issuing useful certs.

When it launched in 2016, Let's Encrypt also issued its own root
certificate ("ISRG Root X1") and applied for it to be trusted by the
major software platforms, most of which accepted it sometime that
year. Now, several years later, with IdenTrust's "DST Root X3"
certificate set to expire in September 2021, the time has come for
Let's Encrypt to stand on its own and rely on its own root
certificate. Since this was submitted four years ago, surely every
Web-capable OS currently in use has gotten an update with Let's
Encrypt's cert, right?

That's true of every mainstream OS except for one. Sitting in the
corner of the room, wearing a dunce cap, is Android, the world's only
major consumer operating system that can't be centrally updated by its
creator. Believe it or not, there are still quite a lot of people
running a version of Android that hasn't been updated in four years.
Let's Encrypt says it was added to Android's CA store in version 7.1.1
(released December 2016) and, according to Google's official stats,
33.8 percent of active Android users are on a version older than that.
Given Android's 2.5 billion strong monthly active user base, that's
845 million people who have a root store frozen in 2016. Oh no.'
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 577-5304
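The mechanism the quoted article describes (an intermediate that is cross-signed by an established root so that clients with an old root store can still build a chain, and what happens to those clients once the cross-signing root expires) is easy to reproduce with Go's standard-library x509 verifier. The following is an added example written for this post; it is not code from the article, from Let's Encrypt or from IdenTrust. Everything in it is constructed: the CA names "Old Root", "New Root" and "Issuing CA", the hostname example.test, the serial numbers, and the validity dates (the old root is given a September 2021 expiry to match the article; the other dates are simply chosen to fit). It does not model the workaround the article mentions, which the post does not describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy hierarchy (not real Let's Encrypt or IdenTrust material):
// "Old Root" plays the established cross-signer, "New Root" the CA's own root.
type PKI struct {
	OldRoot, NewRoot         *x509.Certificate
	InterViaOld, InterViaNew *x509.Certificate // same subject and key, different issuer: the cross-signature
	Leaf                     *x509.Certificate
}

func date(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func caTemplate(serial int64, cn string, from, to time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
}

// issue signs tmpl with parentKey; passing parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI uses assumed validity periods: the old root expires in September
// 2021 as the article says IdenTrust's does; the rest are made up to fit.
func BuildPKI() *PKI {
	oldKey, newKey, interKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	oldTmpl := caTemplate(1, "Old Root", date(2000, 9, 30), date(2021, 9, 30))
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate(2, "New Root", date(2015, 6, 4), date(2035, 6, 4))
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// One intermediate key, two certificates for it: this is the cross-signature.
	interTmpl := caTemplate(3, "Issuing CA", date(2020, 9, 4), date(2025, 9, 15))
	interViaOld := issue(interTmpl, oldRoot, &interKey.PublicKey, oldKey)
	interTmpl.SerialNumber = big.NewInt(4)
	interViaNew := issue(interTmpl, newRoot, &interKey.PublicKey, newKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames:  []string{"example.test"},
		NotBefore: date(2021, 8, 1), NotAfter: date(2021, 10, 30), // 90-day leaf straddling the old root's expiry
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the intermediate key, so it is the same leaf
	// whichever intermediate certificate the server later sends alongside it.
	leaf := issue(leafTmpl, interViaNew, &leafKey.PublicKey, interKey)
	return &PKI{oldRoot, newRoot, interViaOld, interViaNew, leaf}
}

// Verify does what a TLS client does: build a path from the leaf, through the
// intermediates the server sent, to a root in the client's store, at time at.
func Verify(p *PKI, roots, sent []*x509.Certificate, at time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range sent {
		interPool.AddCert(c)
	}
	_, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: rootPool, Intermediates: interPool, CurrentTime: at})
	return err
}

// Scenarios replays the same leaf against a frozen root store (old root only)
// and an updated one (new root only), before and after the old root expires.
// A nil value means the chain validated.
func Scenarios() map[string]error {
	p := BuildPKI()
	before, after := date(2021, 9, 1), date(2021, 10, 15)
	frozen, updated := []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.NewRoot}
	viaOld, viaNew := []*x509.Certificate{p.InterViaOld}, []*x509.Certificate{p.InterViaNew}
	return map[string]error{
		"frozen store, cross-signed intermediate, before expiry": Verify(p, frozen, viaOld, before),
		"frozen store, new-root intermediate, before expiry":     Verify(p, frozen, viaNew, before),
		"frozen store, both intermediates sent, before expiry":   Verify(p, frozen, append(viaOld, viaNew...), before),
		"updated store, new-root intermediate, before expiry":    Verify(p, updated, viaNew, before),
		"frozen store, cross-signed intermediate, after expiry":  Verify(p, frozen, viaOld, after),
		"updated store, new-root intermediate, after expiry":     Verify(p, updated, viaNew, after),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-56s -> %v\n", name, err)
	}
}
```

Two things worth noticing when you run it. First, the leaf never changes: cross-signing certifies the intermediate's key twice, so the server only has to choose which intermediate certificate(s) to send, and sending both lets a frozen store and an updated store each find their own path. Second, Go's verifier applies the validity window to the root as well, so once the old root's NotAfter passes, the frozen store fails with an expiry hint even though the leaf and intermediate are still in date; a root store that is never updated is exactly the population the article counts.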