Things were touch-and-go for a while, but it looks like Let’s Encrypt’s transition to a standalone certificate authority (CA) isn’t going to break a ton of old Android phones. This was a serious concern earlier due to an expiring root certificate, but Let’s Encrypt has come up with a workaround.
Let’s Encrypt is a fairly new certificate authority, but it’s also one of the world’s leading. The service was a major player in the push to make the entire Web run over HTTPS, and as a free, open issuing authority, it went from zero certs to one billion certs in just four years. For regular users, the list of trusted CAs is usually issued by your operating system or browser vendor, so any new CA has a long rollout that involves getting added to the list of trusted CAs by every OS and browser on Earth as well as getting updates to very user. To get up and running quickly, Let’s Encrypt got a cross-signature from an established CA, IdenTrust, so any browser or OS that trusted IdenTrust could now trust Let’s Encrypt, and the service could start issuing useful certs.
When it launched in 2016, Let’s Encrypt also issued its own root certificate (“ISRG Root X1”) and applied for it to be trusted by the major software platforms, most of which accepted it sometime that year. Now, several years later, with IdenTrust’s “DST Root X3” certificate set to expire in September 2021, the time has come for Let’s Encrypt to stand on its own and rely on its own root certificate. Since this was submitted four years ago, surely every Web-capable OS currently in use has gotten an update with Let’s Encrypt’s cert, right?
That’s true of every mainstream OS except for one. Sitting in the corner of the room, wearing a dunce cap, is Android, the world’s only major consumer operating system that can’t be centrally updated by its creator. Believe it or not, there are still quite a lot of people running a version of Android that hasn’t been updated in four years. Let’s Encrypt says it was added to Android’s CA store in version 7.1.1 (released December 2016) and, according to Google’s official stats, 33.8 percent of active Android users are on a version older than that. Given Android’s 2.5 billion strong monthly active user base, that’s 845 million people who have a root store frozen in 2016. Oh no.
In a blog post earlier this year, Let’s Encrypt sounded the alarm that this would be an issue, saying “It’s quite a bind. We’re committed to everybody on the planet having secure and privacy-respecting communications. And we know that the people most affected by the Android update problem are those we most want to help—people who may not be able to buy a new phone every four years. Unfortunately, we don’t expect the Android usage numbers to change much prior to [the cross-signature] expiration. By raising awareness of this change now, we hope to help our community to find the best path forward.”
An expired certificate would have broken apps and browsers that rely on Android’s system CA store to verify their encrypted connections. Individual app developers could have switched to a working cert, and savvy users could have installed Firefox (which supplies its own CA store). But plenty of services would still be broken.
Yesterday, Let’s Encrypt announced it had found a solution that will let those old Android phones keep ticking, and the solution is to just… keep using the expired certificate from IdenTrust? Let’s Encrypt says “IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren’t any compliance concerns.”
Let’s Encrypt goes on to explain, “The self-signed certificate which represents the DST Root CA X3 keypair is expiring. But browser and OS root stores don’t contain certificates per se, they contain ‘trust anchors,’ and the standards for verifying certificates allow implementations to choose whether or not to use fields on trust anchors. Android has intentionally chosen not to use the notAfter field of trust anchors. Just as our ISRG Root X1 hasn’t been added to older Android trust stores, DST Root CA X3 hasn’t been removed. So it can issue a cross-sign whose validity extends beyond the expiration of its own self-signed certificate without any issues.”
Soon Let’s Encrypt will start providing subscribers both the ISRG Root X1 and DST Root CA X3 certs, which it says will ensure “uninterrupted service to all users and avoiding the potential breakage we have been concerned about.”
The new cross-sign will expire in early 2024, and hopefully versions of Android from 2016 and earlier will be dead by then. Today, your example eight-years-obsolete install base of Android starts with version 4.2, which occupies 0.8 percent of the market.