The Internet Security Research Group's (ISRG) automated open certificate authority (CA), Let's Encrypt, has hit a major milestone in their goal to make the Web 100% SSL protected: they're about to stand 100% on their own as a root CA, without cross-signing from another CA, for the first time.
Five years ago, when Let's Encrypt launched their service, they applied for and received a cross-signature (a signature from an already recognized CA) so they could begin issuing certificates quickly, without waiting for all of the major software platforms to include the Let's Encrypt root certificate ("ISRG Root X1"). That certificate is now trusted by most platforms, and Let's Encrypt is considered fully trusted and capable of "standing on their own." There's just one problem - older devices.
Older devices, or more specifically older platforms (versions of iOS, Android, etc. that have reached end-of-life), no longer receive updates to their certificate stores and therefore won't recognize the Let's Encrypt root certificate. This means that any website certificate whose chain is signed only by the ISRG root will not be trusted by these older platforms. In their "Standing on Our Own Two Feet" announcement on November 6th, Let's Encrypt singled out older Android devices as a noteworthy concern, since they still account for 1-5% of all internet traffic (according to their own inquiries).
Fortunately, the team at Let's Encrypt also provided a relatively easy workaround for most devices - using Firefox Mobile. Most browsers rely on the certificate store provided by the operating system installed on the mobile device; Firefox deviates from that approach by shipping its own independent list of trusted certificate authorities, and, most importantly for this issue, that list is continually updated with the browser. This means that in theory, even on a device running Android 6.0 Marshmallow (now five years old), installing or updating Firefox Mobile and using it instead of the default browser could mitigate this issue until those devices can be replaced.
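To make the cross-signing mechanism concrete, here is an added example (not Let's Encrypt's tooling or code from this post) that builds a toy PKI with the openssl command line: a "legacy" root, a "new" root, one intermediate key that is signed by both roots, and a server certificate issued by that intermediate. It then validates the same server certificate against trust stores that know only one root. All names, serial numbers and the temporary directory are constructed placeholders; the real ISRG Root X1 and its cross-signer are not used.

```shell
#!/bin/sh
# Added example: why a cross-signed intermediate keeps a server certificate
# trusted on a device whose store only knows the legacy root. Placeholder
# names and serials throughout; requires the openssl CLI (1.1.1 or later).
set -eu

WORK="$(mktemp -d)"
cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for the intermediate (CA) and the leaf (server) certificates.
cat > ca_ext.cnf <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf_ext.cnf <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Two self-signed roots: the legacy one that older devices trust, and the new
# one (the ISRG Root X1 role) that only updated trust stores contain.
make_root() {  # $1 = file prefix, $2 = subject CN (placeholder)
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}
make_root legacy_root "Legacy Root (placeholder)"
make_root new_root "New Root (placeholder)"

# One intermediate key pair and CSR, signed twice: directly by the new root
# and cross-signed by the legacy root. Same key, same subject, two certs.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout int.key -out int.csr -subj "/CN=Intermediate (placeholder)" >/dev/null 2>&1
sign_intermediate() {  # $1 = signing root prefix, $2 = output file, $3 = serial
  openssl x509 -req -in int.csr -CA "$1.crt" -CAkey "$1.key" -set_serial "$3" \
    -days 1825 -sha256 -extfile ca_ext.cnf -out "$2" >/dev/null 2>&1
}
sign_intermediate new_root int_direct.crt 1001
sign_intermediate legacy_root int_cross.crt 1002

# Server certificate issued by the intermediate key (issuer name is the same
# whichever intermediate certificate the server later presents).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int_direct.crt -CAkey int.key -set_serial 2001 \
  -days 90 -sha256 -extfile leaf_ext.cnf -out leaf.crt >/dev/null 2>&1

# Path validation as a client would do it: trust store = one root,
# untrusted = the intermediate certificate the server sent in its chain.
verify_chain() {  # $1 = trusted root file, $2 = intermediate presented by the server
  openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
}

report() {  # $1 = label, $2 = trusted root, $3 = intermediate presented
  if verify_chain "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}
report "updated store, direct chain      " new_root.crt    int_direct.crt
report "legacy store, cross-signed chain " legacy_root.crt int_cross.crt
report "legacy store, direct chain       " legacy_root.crt int_direct.crt
```

The third case is the end-of-life device in the post: its store never learned the new root, and once servers stop sending the cross-signed intermediate, validation fails even though the server key and certificate are identical in all three cases. Checking what a server actually sends (for example with `openssl s_client -showcerts`) against the oldest trust store you still need to support is the practical test to run before the switch.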
Cozaq advises all of our clients, friends, and contacts to consider communicating this upcoming change to your users, your staff, and your partners to ensure your business isn't negatively affected by it, and of course to let our Support Team know by submitting a support request if you have any questions.