Switch to Firefox Before Your Old Android Can No Longer Access Parts of the Internet
I know this is weird, but it’s true: starting in September next year, users of Android 7.1 or earlier – roughly a third of everyone using Android right now – may not be able to connect to any website that uses an SSL certificate from Let’s Encrypt. Just to keep things consistent, those websites make up roughly a third of the World Wide Web.
As to why, the short version is simple. About 95 percent of the Internet currently uses HTTPS – an excellent indicator of browser security. However, launching a new certificate authority (CA) to issue the digital certificates that websites use as part of HTTPS is a little difficult. As Jacob Hoffman-Andrews writes for Let’s Encrypt:
“When a new certification authority (CA) comes on the scene, it is faced with a riddle: to be useful to people, it needs its root certificate to be trusted by a variety of operating systems (OS) and browsers. However, operating systems and browsers can take years to accept a new root certificate, and even longer for people to update their devices to newer versions that include this change. Common solution: A new CA often requests a cross-signature from an existing trusted CA in order to quickly gain the trust of multiple devices.
Five years ago, when Let’s Encrypt launched, we did just that. We received a cross-signature from IdenTrust. Their “DST Root X3” has been around for a long time, and all major software platforms already trust it: Windows, Firefox, macOS, Android, iOS and many Linux distributions. This cross-signature allowed us to start issuing certificates right away and make them useful to many. Without IdenTrust Let’s Encrypt might never have happened, and we are grateful for their partnership…”
As you might have guessed, this initial DST Root X3 certificate will expire next year – September 1st in particular – and any operating system that has not been updated to trust the Let’s Encrypt ISRG Root X1 certificate will run into issues. You may run into issues earlier, though, as Let’s Encrypt will change its automatic certificate issuance in January to serve websites with certificates that chain to ISRG Root X1 instead. Websites will be able to configure a workaround that is backward compatible with the DST Root X3 certificate, but this is only a temporary fix.
What can you do about these incompatible SSL certificates?
In an ideal world, your old, unsupported Android would receive an update that allows it to use the new Let’s Encrypt certificate. I wouldn’t hold my breath, considering how reluctant manufacturers can be to update “ancient” Android devices that may never have made it to Android 8.
You have one tiny workaround: if you switch to Firefox Mobile from whatever browser you’re currently using, you can access any website you want. Firefox Mobile uses its own root certificates instead of what your Android operating system supports, so you won’t have a problem browsing any website you want if or when your Android manufacturer declines to release an update.
And don’t uninstall Chrome just yet. At some point, Google will move to a similar practice of having Chrome use its own root certificates, rather than the root certificates found in the underlying operating system. It’s unclear if it will launch within the next month or two, but my guess is that it will definitely be ready to go by September next year, when the ax officially drops on older Androids.
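The trust-store difference described above can be modelled as a small chain-building check. This is an added example, not code from Let’s Encrypt or from the original article; the site name, the intermediate name, all dates (including the year of the September 1st expiry) and the contents of both trust stores are assumptions constructed for illustration.

```python
from datetime import date

# Constructed model: each certificate is (subject, issuer, not_after).
# The article only says DST Root X3 expires on "September 1st next year";
# the year used here is an assumption.
DST_EXPIRY = date(2021, 9, 1)
CERTS = [
    ("example.org", "LE Intermediate", date(2021, 12, 1)),  # leaf (hypothetical)
    ("LE Intermediate", "ISRG Root X1", date(2025, 1, 1)),  # intermediate (hypothetical)
    ("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1)),     # self-signed root
    ("ISRG Root X1", "DST Root X3", DST_EXPIRY),            # cross-signature
    ("DST Root X3", "DST Root X3", DST_EXPIRY),             # self-signed root
]

# Assumed trust stores: the old OS store predates ISRG Root X1,
# while Firefox ships its own store that includes it.
OLD_ANDROID = {"DST Root X3"}
FIREFOX = {"DST Root X3", "ISRG Root X1"}


def find_path(subject, trust_store, today, seen=()):
    """Return the subjects of a valid chain from `subject` up to a trusted
    root, or None if every candidate chain is expired or untrusted."""
    for cert_subject, issuer, not_after in CERTS:
        if cert_subject != subject or not_after < today:
            continue  # wrong certificate, or expired on the check date
        if cert_subject == issuer:
            # Self-signed: usable only if this root is in the trust store.
            if cert_subject in trust_store:
                return [cert_subject]
            continue
        if issuer in seen:
            continue  # guard against signing loops
        rest = find_path(issuer, trust_store, today, seen + (subject,))
        if rest:
            return [cert_subject] + rest
    return None


if __name__ == "__main__":
    for day in (date(2021, 8, 1), date(2021, 9, 2)):
        for name, store in (("old Android", OLD_ANDROID), ("Firefox", FIREFOX)):
            print(day, name, find_path("example.org", store, day))
```

Before the expiry date the old store still validates the site through the cross-signature; afterwards only the store that contains ISRG Root X1 finds a valid chain.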