Let’s Encrypt Will Stop Working for Older Android Devices
upstart writes in with an IRC submission:
Let's Encrypt Will Stop Working For Older Android Devices:
Let's Encrypt was founded in 2012, going public in 2014, with the aim to improve security on the web. The goal was to be achieved by providing free, automated access to SSL and TLS certificates that would allow websites to make the switch over to HTTPS without having to spend any money.
The project has just announced that, come September 1, 2021, some older software will stop trusting their certificates. Let's look at why this has come to pass, and what it means going forward.
When Let's Encrypt first went public in early 2016, they issued their own root certificate, by the name ISRG Root X1. However, it takes time for companies to include updated root certificates in their software, so until recently, all Let's Encrypt certificates were cross-signed by an IdenTrust certificate, DST Root X3. [...]
The problem looming on the horizon is the expiration of DST Root X3, on September 1, 2021. Of course, for those running up-to-date operating systems and browsers, there's no major issue. But for those on platforms that haven't been updated since 2016 or so, and don't support the ISRG Root X1 certificate, things will break. [...]
Basically it's the same old issue that we see over and over again. Older handsets are not receiving OS updates from the vendors so security issues are not fixed, certificates expire, and newer algorithms are not implemented. As the article mentions, the vendors have little incentive to spend money supporting older handsets that they have already sold. They would rather you jump right back on the merry-go-round and buy a new one. Lather, rinse and repeat as needed.
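A trust-store check for the situation described above, as an added example that is not part of the article or the submission: it takes the list returned by Python's `ssl.SSLContext.get_ca_certs()` and reports whether a platform trusts ISRG Root X1 directly or depends on the expiring cross-sign. The sample stores are constructed, the DST expiry is the date given on this page, and `DST Root CA X3` is the common name that the root the article calls DST Root X3 carries in its certificate.

```python
import ssl
import time

ROOT_NEW = {"ISRG Root X1"}
# The root the article calls DST Root X3 carries this CN in its certificate.
ROOT_OLD = {"DST Root X3", "DST Root CA X3"}

def common_name(name):
    """Pull commonName out of the nested-tuple names the ssl module returns."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def audit_trust_store(ca_certs, now=None):
    """Return 'ok', 'at-risk' or 'broken' for Let's Encrypt chains at time `now`."""
    now = time.time() if now is None else now
    valid = set()
    for cert in ca_certs:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        if start <= now <= end:
            valid.add(common_name(cert.get("subject", ())))
    if valid & ROOT_NEW:
        return "ok"        # ISRG Root X1 is a trust anchor
    if valid & ROOT_OLD:
        return "at-risk"   # works only through the cross-sign, until it expires
    return "broken"        # no usable anchor for a Let's Encrypt chain

def _root(cn, not_before, not_after):
    # Same dict shape as one entry of SSLContext.get_ca_certs()
    return {"subject": ((("commonName", cn),),),
            "notBefore": not_before, "notAfter": not_after}

# Constructed sample stores. DST expiry is the date given on this page;
# the other dates are made up for the example.
DST = _root("DST Root CA X3", "Jan  1 00:00:00 2001 GMT", "Sep  1 00:00:00 2021 GMT")
ISRG = _root("ISRG Root X1", "Jan  1 00:00:00 2016 GMT", "Jan  1 00:00:00 2035 GMT")
OLD_STORE = [DST]          # platform not updated since 2016 or so
NEW_STORE = [DST, ISRG]    # up-to-date platform

if __name__ == "__main__":
    # Certificates in a capath directory are loaded lazily and may not be listed.
    local = ssl.create_default_context().get_ca_certs()
    print("local store:", audit_trust_store(local))
```

An `at-risk` result before the expiry date is the case the article warns about: the store validates Let's Encrypt chains today only because of the cross-signature.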