The Android operating system is known for the fact that updates only arrive slowly or not at all for owners of older smartphones. Now this neglect is noticeable for the majority of Android users.
Almost all websites now use the secure communication protocol “HTTPS” (Hypertext Transfer Protocol Secure) to enable users to surf the Internet safely. But HTTPS needs certain certificates to establish a secure connection. An important certificate on many older Android smartphones will expire in 2021. The result: the majority of all Internet websites will no longer be accessible to owners of these smartphones.
Almost a third of all websites are no longer accessible
The Internet certificates are issued by so-called “Certificate Authorities” (CAs). One of the largest of these is “Let’s Encrypt”, which belongs to the California-based “Internet Security Research Group” (ISRG). The group’s certificates are used in around 30 percent of web domains worldwide. So far, the group has had a partnership with another Certificate Authority called “IdenTrust”.
In principle, this partnership serves to cross-sign the root certificate “ISRG Root X1” from Let’s Encrypt with the root certificate from IdenTrust. This was necessary because IdenTrust’s root certificate “TrustID X3 Root” has been in circulation longer and is therefore more widely compatible with older browsers. The root certificate from Let’s Encrypt alone would not be recognized as trustworthy by these browsers.
The partnership for cross-signing with IdenTrust will expire on September 1, 2021 and Let’s Encrypt is not planning an extension. This means that all browsers and operating systems without the Let’s Encrypt root certificate can no longer open any pages that use the group’s certificates.
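The trust decision described above can be modelled in a few lines of Python. This is an added example, not code from Let’s Encrypt or from the original article; the host name, the intermediate name and every date except September 1, 2021 are constructed, and certificates are matched by name only, without signature checks.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # last day on which the certificate is valid


# Constructed certificate pool. Root names and the 2021-09-01 date are taken
# from the article; everything else is a placeholder.
CROSS_SIGN_END = date(2021, 9, 1)
CERTS = [
    Cert("www.example.org", "Example Intermediate", date(2021, 12, 31)),
    Cert("Example Intermediate", "ISRG Root X1", date(2025, 1, 1)),
    Cert("ISRG Root X1", "ISRG Root X1", date(2035, 1, 1)),  # self-signed root
    Cert("ISRG Root X1", "TrustID X3 Root", CROSS_SIGN_END),  # cross-signature
]

# Trust stores, by root name. Per the article, software not updated since 2016
# lacks ISRG Root X1, while Firefox ships it.
OLD_ANDROID_STORE = {"TrustID X3 Root"}
UPDATED_STORE = {"TrustID X3 Root", "ISRG Root X1"}


def find_trusted_path(subject, trust_store, today, certs=CERTS, seen=()):
    """Return the chain of names from `subject` to a trusted root, or None."""
    if subject in trust_store:
        return [subject]  # reached a trust anchor
    for cert in certs:
        if cert.subject != subject or cert.not_after < today:
            continue  # wrong certificate, or expired
        if cert.issuer == subject or cert.issuer in seen:
            continue  # untrusted self-signed root, or a loop
        rest = find_trusted_path(cert.issuer, trust_store, today,
                                 certs, seen + (subject,))
        if rest:
            return [subject] + rest
    return None


if __name__ == "__main__":
    for day in (date(2021, 6, 1), date(2021, 10, 1)):
        for name, store in (("old Android", OLD_ANDROID_STORE),
                            ("updated store", UPDATED_STORE)):
            path = find_trusted_path("www.example.org", store, day)
            print(day, name, " -> ".join(path) if path else "NOT TRUSTED")
```

The old store only reaches a trusted root through the cross-signature, so the same site stops validating once that certificate has expired, while a store that contains ISRG Root X1 is unaffected.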
Old Android versions can no longer reach websites
This has far-reaching implications for owners of older Android smartphones. In its announcement that it intends to break away from IdenTrust, Let’s Encrypt writes:
“Software that has not been updated since 2016 still does not trust our root certificate ISRG Root X1. This particularly includes Android versions prior to 7.1.1. This means that these older Android versions no longer trust certificates from Let’s Encrypt.”
In the announcement, Let’s Encrypt also points out that more than a third (33.8 percent) of Android smartphones run operating systems older than version 7.1.1. This means that many devices that were purchased in 2017 or earlier will no longer be able to access a large part of the websites by next year.
The incident shows once again the inglorious practice of Android manufacturers who do not provide their smartphones with the latest updates. While Apple is providing four to five new iOS versions for its iPhones, cheap Android smartphones are currently only seeing one or two Android version updates – if at all.
No easy solution for owners of older Android devices
Unfortunately, there is no simple solution for owners of older Android smartphones. Let’s Encrypt recommends installing the Firefox browser, which already contains the ISRG Root X1 certificate. However, other services that also access the Internet, such as the Google Play Store and Play Services, cannot use it.
Alternatively, experienced Android users can install the root certificate after the fact as a user certificate. However, as this leaves room for malicious attacks, TECHNOLOGY BUTTON generally advises against it.