Let’s Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.
The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let’s look at why this has come to pass, and what it means going forward.
When Let’s Encrypt first went public in early 2016, they issued their own root certificate, ISRG Root X1. However, it takes time for vendors to include a new root certificate in their software, so until recently all Let’s Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. This root had been around much longer and was already trusted by the vast majority of OSes and browsers in regular use, which allowed Let’s Encrypt to hit the ground running while they waited for most software to ship their own root.
The problem looming on the horizon is the expiration of DST Root X3, on September 1, 2021. Of course, for those running up-to-date operating systems and browsers, there’s no major issue. But for those on platforms that haven’t been updated since 2016 or so, and don’t support the ISRG Root X1 certificate, things will break. This affects any secure communication that uses their certificates, whether it be browsing websites with HTTPS enabled or making connections over SSL or SFTP.
The company notes that perhaps the biggest area of concern is the Android handset market. Because most telecommunications networks customise the Android software, as do the handset manufacturers themselves, it takes coordination between many organisations to put out an OS update for an Android phone. There’s also little financial incentive for companies to support phones that have already been sold. Thus, many users find themselves locked out of OS updates entirely as networks or manufacturers simply neglect to do the work.
Android users on versions older than 7.1.1 are the ones who will face issues when DST Root X3 expires on September 1 next year. Based on recent statistics, these users make up roughly a third of the Android userbase – a significant number. With a conservative estimate pegging Android users as a whole at approximately 80% of the total smartphone installed base, and around 3 billion smartphone users worldwide, a back-of-the-envelope calculation leaves around 750 million users who could have issues in the coming year.
Of course, workarounds are possible. While the Android OS, and presumably its web browser, are long out of date, there’s nothing stopping users from installing newer software that supports the ISRG Root X1 certificate. Firefox is available as a browser on the platform and ships its own list of trusted root certificates, so it is a useful workaround for day-to-day web use. For developers, it’s possible to include ISRG Root X1 as a trusted certificate within an individual app, and discussions are ongoing among those taking this route. After all, adding a new trusted certificate is just a matter of putting a file in a directory, but you need root permissions to do so, which on locked Android phones means a jailbreak.
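To make the failure described above concrete, here is an added example (not code from Let’s Encrypt or from this article) that walks a server’s presented chain the way a client does, finds the root the chain ultimately depends on, and reports whether a given trust store still accepts it on a given date; it also shows the app-level check of listing which roots the local store actually ships. The sample chain, the two trust stores and the dates are constructed for illustration, with the cutoff date taken from the article.

```python
import ssl
from datetime import datetime, timezone

# Real root CNs; the article's "DST Root X3" is the IdenTrust root whose CN is "DST Root CA X3".
DST_ROOT, ISRG_ROOT = "DST Root CA X3", "ISRG Root X1"

def common_name(dn):
    """Pull the CN out of a getpeercert()-style distinguished name."""
    return next((v for rdn in dn for k, v in rdn if k == "commonName"), None)

def local_roots():
    """CN -> notAfter for the roots the local OpenSSL trust store provides."""
    return {common_name(c["subject"]): c["notAfter"]
            for c in ssl.create_default_context().get_ca_certs()}

def audit_chain(chain, roots, now):
    """Return (anchor_cn, accepted, reason) for a leaf-first chain against anchors {CN: notAfter}."""
    by_subject = {common_name(c["subject"]): c for c in chain}
    cert, seen = chain[0], set()
    # Walk issuer links inside the presented chain; the first issuer not sent is the client's anchor.
    while True:
        anchor = common_name(cert["issuer"])
        if anchor not in by_subject or anchor in seen:
            break
        seen.add(anchor)
        cert = by_subject[anchor]
    now_s = now.timestamp()
    if any(ssl.cert_time_to_seconds(c["notAfter"]) < now_s for c in chain):
        return anchor, False, "a link in the presented chain has expired"
    if anchor not in roots:
        return anchor, False, "anchor not in client trust store"
    if ssl.cert_time_to_seconds(roots[anchor]) < now_s:
        return anchor, False, "anchor has expired"
    return anchor, True, "ok"

def utc(y, m, d): return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data in getpeercert() shape (not captured from a live host).
LEAF = {"subject": ((("commonName", "example.com"),),),
        "issuer": ((("commonName", "R3"),),), "notAfter": "Nov 30 00:00:00 2021 GMT"}
R3_VIA_DST = {"subject": ((("commonName", "R3"),),), "issuer": ((("commonName", DST_ROOT),),),
              "notAfter": "Sep 29 00:00:00 2021 GMT"}
R3_VIA_ISRG = {"subject": ((("commonName", "R3"),),), "issuer": ((("commonName", ISRG_ROOT),),),
               "notAfter": "Sep 15 00:00:00 2025 GMT"}
OLD_ANDROID = {DST_ROOT: "Sep 01 00:00:00 2021 GMT"}  # pre-7.1.1 store; expiry date per article
UPDATED = {**OLD_ANDROID, ISRG_ROOT: "Jun 04 11:04:38 2035 GMT"}

if __name__ == "__main__":  # day after the cutoff: old store fails, updated store is fine
    print(audit_chain([LEAF, R3_VIA_DST], OLD_ANDROID, utc(2021, 9, 2)))
    print(audit_chain([LEAF, R3_VIA_ISRG], UPDATED, utc(2021, 9, 2)))
```

Run it on a real host by replacing the sample chain with the dicts from an `ssl.SSLSocket` and `roots` with `local_roots()`; an empty `local_roots()` result simply means that machine's OpenSSL has no system store configured.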
Let’s Encrypt could also seek a cross-signature from another Certificate Authority, as they did when starting out. However, Certificate Authorities take on some responsibility for the certificates they sign, and it’s unlikely that another CA would wish to shoulder that burden for Let’s Encrypt, particularly since, as the entity is a non-profit, there is little money to be made. As a major pillar in the Internet’s shift towards HTTPS encryption as the norm, Let’s Encrypt considers it important that the project stand on its own rather than relying on for-profit organisations. Given that their root certificate is now widely recognised outside these edge cases from 2016 and earlier, that seems like a sound decision.
With security on the Internet now more important than ever, this is a problem that isn’t going away. In order to play nice with all the other computers on the global network, regular updates are simply the cost of doing business. The benefit of having an open certificate provider like Let’s Encrypt around is that their transparency about such issues, and their clear communication, give web hosts, developers, and end users more time to deal with the coming changes.