Old Android phones no longer affected by Let's Encrypt's big change next year

Using the Web might seem so simple but, like any magic trick, the really messy work happens behind the scenes, and boy is it messy! In addition to the user-visible technologies at work, like HTML5, JavaScript, WebGL, etc., the Internet and the Web operate on a system of trust, part of which revolves around root certificates and certificate authorities, or CAs. When these things go down or go awry, it almost feels like the Internet gets broken. That's the scenario that phones running very old versions of Android would have been facing had Let's Encrypt, one of the biggest non-profit Certificate Authorities, not found a way to work around a big change it had been planning for 2021.

Certificates are pretty much the way websites can identify themselves as secure, making HTTPS possible at all. These are issued by certificate authorities whose root certificates are accepted by browser and software developers. What this practically means is that certificates issued by these CAs are automatically trusted by browsers and apps, forgoing the need for each website to seek approval from each and every browser out there.

Let's Encrypt is a non-profit CA that tries to make it easier and more economical for websites to get a trusted certificate. To that end, it used IdenTrust's DST Root CA X3 certificate at first but that quickly became obsolete. It eventually moved to its own root certificate under the Internet Security Research Group, the ISRG Root X1. Normally, that change would be seamless and uneventful, as most browsers will have already accepted the ISRG Root X1. That's not the case, however, for older software, especially older Android phones.

Let's Encrypt warned last month that phones running versions of Android prior to 7.1.1 might see their Internet activities broken by this change. Those phones have not been updated to accept the newer root certificate and would be flooded by warnings or even broken websites when the older DST Root CA X3 expires next year. Fortunately, IdenTrust has agreed to extend the DST Root CA X3-ISRG Root X1 cross-sign by another three years despite its own root certificate expiring before that.

All this means is that older Android phones that still make up a third of the Android market won't have anything to worry about until 2024. The disruptive change will happen eventually but, by then, these phones will probably be long gone.