Breathe deep and relax, everyone. Your older Android devices, as well as some of your smart TV sets, set-top boxes and other internet-connected appliances will (probably) continue to work properly after September 2021.
That’s because Let’s Encrypt, one of the largest distributors of the digital certificates used to secure internet communications, has come up with a partial workaround to a looming problem that threatens to kick tens of millions of devices offline permanently.
Ironically, this is possible because Android is just as sloppy about enforcing digital certificate expiration dates as it is about enforcing device updates. Without this workaround, Android devices made prior to 2015 or thereabouts would not be able to connect to secure websites and servers.
So on Chrome on Android, you’d be able to see only websites that hadn’t switched over to HTTPS secure connections. Apps wouldn’t update. (Firefox on Android would still work.)
We had a taste of this in May 2020, when Roku devices and payment-processing systems Stripe and Speedify suddenly had trouble connecting due an expiring root certificate (not a Let’s Encrypt one). Those devices eventually got back online with firmware updates.
The Let’s Encrypt problem is bigger. Its earliest digital certificates are due to expire Sept. 29, 2021. Devices that have not replaced those certificates in the past few years will have trouble getting online.
That includes any Android phone that has not updated to 7.1.1 Nougat (issued December 2016) or earlier, which is estimated to be about one-third of all Android devices currently in use.
However, Let’s Encrypt said in a blog post Monday (Dec. 21) that it had pushed back the problem to early 2024, at least regarding Android devices.
This solution might not work for non-Android devices, however. Non-Android smart TVs made before 2017 might not be able to stream Netflix; smart-home devices of that vintage might not be able to connect to manufacturers’ servers. We’re a little worried about our 2013 Samsung smart TV.
If that’s all you need to know, stop here, because we’re about to get a bit technical.
So what the heck is a root certificate?
To put it as simply as possible, secure communications on the internet depend on a “web of trust.”
Your browser knows you’re connecting to TomsGuide.com and not CrazyIvan.ru because the Tom’s Guide server shows your browser a form of ID, a certificate verifying that it is indeed Tom’s Guide. That certificate was issued by a certificate authority, which you can think of as an internet DMV.
The certificate authority proved to Tom’s Guide that it was legitimate and authorized to hand out certificates by showing yet another certificate issued by yet another authority.
And that authority lets other certificate issuers know that the certificates it issues are good, and vice versa, so that holders and issuers of their certificates know they can all trust each other. (Think of how American states accept each other’s IDs so that you can get into a bar in Albuquerque with an Alaska driver’s license.)
This transference of trust goes a few more steps up the chain until you reach a root certificate, where the buck stops. Issuers of root certificates, which underpin the entire system, are implicitly trusted and do not need to be backed up by another authority.
Vouching for the new kid on the block
Let’s Encrypt is one of the most widely used certificate authorities, and like most certificate authorities, it issues both “intermediate” certificates that have to be vouched for by some other authority, and root certificates that stand on their own merits.
But it’s also one of the newest certificate authorities, issuing its first root certificate, ISRG Root X1, in only 2015. So how did it get people to trust that root certificate?
Let’ Encrypt “borrowed” the authority of another root certificate authority, IdenTrust, in a “cross-signing” agreement. IdenTrust’s root certificate, DST Root CA X3, has been vouching for Let’s Encrypt’s ISRG Root X1 and associated intermediate certificates ever since.
Let’s Encrypt has issued newer certificates since 2015, both intermediate and root, and those certificates have no immediate issues. But it takes years for each new certificate to be optimally distributed and accepted, and some older devices will never get them.
The IdenTrust DST Root CA X3 root certificate is itself due to expire in September 2021. For devices that still use the older Let’s Encrypt certificates, the entire web of trust will collapse.
This, of course, would not be ideal. At first, Let’s Encrypt was kind of resigned to the situation, throwing up its hands and stating that it couldn’t do anything about people using Android phones long past their shelf life.
But now Let’s Encrypt has come up with a solution, which is kind of baffling to us but is supposed to work. It’s extended the cross-signing agreement with IdenTrust until early 2024, which should also extend the life of the oldest Let’s Encrypt certificates.
The baffling bit is that the IdenTrust root certificate at the heart of all this will still expire in September 2021. So in theory, it should no longer work.
If it’s good enough for Android…
But, explains the Let’s Encrypt blog post, “this solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.”
In other words, it turns out Android doesn’t really care when a root certificate expires. All it cares about is that root certificate is valid. So as long as the original IdenTrust root certificate backs up the Let’s Encrypt certificates, all will be good for older Android devices until early 2024.
“We will be able to provide subscribers with a chain which contains both ISRG Root X1 and DST Root CA X3, ensuring uninterrupted service to all users and avoiding the potential breakage we have been concerned about,” Let’s Encrypt says.
Okay. We’ll just have to trust Let’s Encrypt on this one, and we’re having a hard enough time understanding how this all works anyway.
Just glean three things from all this: One, if in 2024 you’re still using a pre-2015 Android device, for God’s sake get a new one.
Two, your smart-home devices may not be out of the woods if they’re older than 2017 and they’re not running Android. Other forms of Linux might be more stringent about enforcing certificate expirations, in which case it’s game over.
Three, there are plenty of other root certificates due to expire in the coming few years, so this overall problem will be with us for some time.