
Older Android (pre 7.1.1) Will No Longer Trust Certificates Issued By Let's Encrypt


dstiles

12:03 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Root Certificates, used by web sites' certificates to enable the HTTPS mode, will soon expire. Specifically, this is Let's Encrypt, but other roots are due to expire over the next three or four years. They will, of course, be replaced by new ones.

Client OSs that are regularly updated should be OK, as the certs are maintained in the OS, but some, notably older Android mobiles, are often not updated by their vendors and/or ISPs. This means those older devices (before Android 7.1.1) will not be able to view those web sites which have new Root certs. In the case of Let's Encrypt, this is a LOT of sites that will not be viewable by a surprising number of devices.

The specific solution for Android is to install Firefox, which includes the Root Certificates. I believe one or two other browsers are following suit.

It may be a good idea to detect old devices and add a warning banner to your site now, before it all happens.

Full story at Let's Encrypt at [letsencrypt.org...]

JorgeV

12:51 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Hello and thank you !

This is indeed an issue.

When there’s an update to Android, both the manufacturer and the mobile carrier have to incorporate those changes into their customized version before sending it out. Often manufacturers decide that’s not worth the effort.

This is where you see the advantage of closed OS like iOS over opened OS, where everybody is hacking things here and there, making it difficult to update later.

drop back to HTTP for older Android versions

I wonder how we can do that. Since the TLS handshake is established at the beginning of the communication, I don't know how we can tell a browser to switch back to HTTP based on OS version.


I wonder if Chrome also comes with its own certificate vault; if so, the impact should be very minimal considering the market share of these browsers (Firefox + Chrome).

dstiles

1:58 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think Chrome has just announced it - or it may have been MS. It's a bad idea in essence but useful in this circumstance.

You CAN run a non-HTTPS version of a site - I've seen several instances recently - but it's not an approved thing to do and I suspect those I've seen were upgraded to HTTPS ineptly. I think the web site would have to redirect from HTTPS to HTTP.

The point is, though, that the Android user who has not upgraded is probably one who is still running the native browser and has no idea about how to install a new one. There's going to be some really upset people around!

NickMNS

4:25 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I wonder how we can do that, since the TLS handshake is established at the beginning of the communication, I don't know how we can tell a browser to switch back to HTTP based on OS version.

You could probably use a service worker, such as Cloudflare Workers. You program it to intercept the request before it hits your server and then redirect it to the HTTP site if the request meets some criteria such as Android <= 7.1.1; all other requests are ignored and continue to the HTTPS endpoint.

JorgeV

4:28 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Yes, it's easy to make a site HTTP and redirect users to the HTTPS version based on their OS / browser version. The opposite is not possible, since the handshake happens without OS / browser version information. Also, in all events, Google and other search engines will index the HTTPS version by preference, so visitors will enter via HTTPS.

The bad side of all of this is that a user with an old Android version will see a message that the certificate is expired, in the case of certificates using DST Root X3, and unsafe with ISRG Root X1. In both cases, it sounds as if the site owner is at fault, whereas this is not the case.

The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites.

So 1-5% of traffic is not a big, big deal. Maybe users with "old" Android devices are not really surfing the web.

NickMNS

4:52 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The opposite is not possible, since the handshake happens without OS / Browser version information.

It is possible the way I described it above, because using a worker is like placing another website in between the user and the target website. The user's request is received by the service worker and then routed to the correct location (HTTP or HTTPS).

That said, it seems like a lot of hoops to be jumping through for some small fraction of traffic. At some point it becomes time to upgrade, and if a user chooses not to then they need to expect that things will break along the way.

lucy24

4:59 pm on Nov 7, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Come to think of it, that's why I finally had to stop using Camino, several years after it officially ended: It was no longer able to keep certificates up-to-date, and kicked up a fuss when I tried to visit some sites.

You CAN run a non-HTTPS version of a site
If your target market includes a significant number of users with very, very old browsers--I tend to think of reservation schools--you could always limit HTTPS redirects to visitors who send the Upgrade-Insecure-Requests header, instead of globally redirecting everyone. But it's definitely not anyone's default behavior.

dstiles

10:29 am on Nov 8, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I doubt anyone with an obsolete device would have the knowledge to jump through hoops to get a web site.

I've just added a warning line at the top of my more important sites, saying next autumn and increasingly thereafter they're going to be stuffed.

ClosedForLunch

11:13 pm on Nov 9, 2020 (gmt 0)

5+ Year Member Top Contributors Of The Month



Google's mobile crawler uses a "Android 6.0.1" user agent, and one of their Mediapartners crawlers uses a "Android 4.0.4" user agent.

phranque

1:42 am on Nov 10, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Google's mobile crawler uses a "Android 6.0.1" user agent, and one of their Mediapartners crawlers uses a "Android 4.0.4" user agent.

I'm not sure that the existence of this identifier in the user agent string has any effect on how the requesting or responding systems handle the secure handshake.
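Putting the pieces of this thread together, here is the decision logic in shell, as an added example and not code from any poster, from Cloudflare or from Let's Encrypt: a pre-7.1.1 check on the Android version carried in the User-Agent, NickMNS's idea of leaving such clients on HTTP, lucy24's Upgrade-Insecure-Requests gate for everyone else, and an exclusion for Google's crawlers, since, as ClosedForLunch notes, they advertise old Android versions. Firefox is excluded as well because it carries its own root store. The UA strings are constructed samples and the action names are invented for the example.

```sh
#!/bin/sh
# Decision logic for the "treat pre-7.1.1 Android differently" idea discussed
# above. Example code added for this thread, not from any poster or from
# Let's Encrypt. The UA strings below are constructed test inputs.
# Caveats baked in: Firefox on Android ships its own root store, and Google's
# crawlers advertise old Android versions, so neither should be rerouted.

# android_version UA: prints the Android release from a UA string, or nothing.
android_version() {
  printf '%s\n' "$1" | sed -n 's/.*Android \([0-9][0-9.]*\).*/\1/p'
}

# older_than_7_1_1 VERSION: 0 when VERSION is numerically below 7.1.1.
# Missing minor/patch parts count as 0, so "7.1" is older and "10" is not.
older_than_7_1_1() {
  printf '%s\n' "$1" | awk -F. '{ exit ($1 * 10000 + $2 * 100 + $3 < 70101) ? 0 : 1 }'
}

# legacy_android UA: 0 if this client relies on the OS root store and that
# store predates 7.1.1; crawlers and Firefox are excluded.
legacy_android() {
  case $1 in
    *Googlebot*|*Mediapartners-Google*|*Firefox/*) return 1 ;;
  esac
  v=$(android_version "$1")
  [ -n "$v" ] && older_than_7_1_1 "$v"
}

# decide SCHEME UA [UPGRADE_INSECURE_REQUESTS]: prints one action.
#   banner   - HTTPS request from legacy Android: serve it, but show the warning
#   http     - HTTP request left on HTTP (legacy Android, or no UIR header)
#   redirect - HTTP request from a client that announced it can take HTTPS
#   serve    - anything else
decide() {
  if legacy_android "$2"; then
    if [ "$1" = https ]; then echo banner; else echo http; fi
  elif [ "$1" = http ]; then
    if [ "${3:-}" = 1 ]; then echo redirect; else echo http; fi
  else
    echo serve
  fi
}

# Constructed sample UAs (shapes follow real browsers; the details are made up).
UA_STOCK_404='Mozilla/5.0 (Linux; U; Android 4.0.4; en-gb; GT-I9300 Build/IMM76D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30'
UA_CHROME_71='Mozilla/5.0 (Linux; Android 7.1; Pixel Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36'
UA_CHROME_711='Mozilla/5.0 (Linux; Android 7.1.1; Pixel Build/NMF26F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36'
UA_CHROME_10='Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ3A.200805.001) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36'
UA_FIREFOX_601='Mozilla/5.0 (Android 6.0.1; Mobile; rv:83.0) Gecko/83.0 Firefox/83.0'
UA_GOOGLEBOT='Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.110 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
UA_IPHONE='Mozilla/5.0 (iPhone; CPU iPhone OS 14_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.1 Mobile/15E148 Safari/604.1'

# One line per sample: action on https, action on http with UIR: 1, Android version.
for ua in "$UA_STOCK_404" "$UA_CHROME_71" "$UA_CHROME_711" "$UA_CHROME_10" \
          "$UA_FIREFOX_601" "$UA_GOOGLEBOT" "$UA_IPHONE"; do
  v=$(android_version "$ua")
  printf 'https:%-9s http+UIR:%-9s android:%s\n' "$(decide https "$ua")" "$(decide http "$ua" 1)" "${v:--}"
done
```

Two limits worth keeping in mind, both already raised in the thread. Once a device no longer trusts the chain, its HTTPS request never reaches the worker, so the `banner` path only helps while the certificate is still accepted, which is why dstiles suggests putting the warning up beforehand. And the `http` path only matters for visitors who arrive on `http://` in the first place; as JorgeV says, search engines will send them to the HTTPS URL.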

engine

12:28 pm on Dec 23, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It seems Let's Encrypt has a fix to extend the time with an unusual solution: 3-year cross-sign ISRG Root X1 from their DST Root CA X3.

We will not be performing our previously-planned chain switch on January 11th, 2021. Instead, we will be switching to provide this new chain by default in late January or early February.

[letsencrypt.org...]
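To see what that cross-sign actually buys, here is a toy re-creation with openssl, added as an example for this thread and not code from Let's Encrypt. It builds an old short-lived root and a new long-lived root, certifies the new root's key with the old root (the cross-sign), issues an intermediate and a leaf under the new root, and then checks the one served chain against each anchor in turn. Names, serials and lifetimes are invented; the old root is given only 30 days so that it expires while the cross-signed certificate is still valid, mirroring the relationship between DST Root CA X3 and the cross-signed ISRG Root X1. The last check fails on purpose: openssl, unlike Android, does check the anchor's own validity period.

```sh
#!/bin/sh
# Toy re-creation of the cross-signing trick engine describes: the NEW root's
# key is certified by the OLD root, so one served chain validates against
# either anchor. Example code added for this thread, not from Let's Encrypt;
# names, serials and lifetimes are invented. Needs openssl 1.1.1+ on PATH.

# write_cnf FILE: a self-contained req/x509 config, so the system openssl.cnf
# plays no part in which extensions the certificates receive.
write_cnf() {
  cat >"$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca
[dn]
[ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints     = critical,CA:FALSE
keyUsage             = critical,digitalSignature
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:example.test
EOF
}

# newkey FILE: P-256 key (fast to generate; the curve is irrelevant to the demo).
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# selfsign DIR NAME SUBJECT DAYS: self-signed root DIR/NAME.pem from DIR/NAME.key.
selfsign() {
  openssl req -new -x509 -config "$1/demo.cnf" -key "$1/$2.key" -subj "$3" -days "$4" -out "$1/$2.pem"
}

# sign DIR KEY OUT SUBJECT DAYS SERIAL EXT ISSUER: certify DIR/KEY.key as DIR/OUT.pem,
# signed by ISSUER.key/ISSUER.pem with extension section EXT. Issuing the same
# key twice under the same subject is exactly what a cross-sign is.
sign() {
  openssl req -new -config "$1/demo.cnf" -key "$1/$2.key" -subj "$4" -out "$1/$3.csr"
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$8.pem" -CAkey "$1/$8.key" -set_serial "$6" \
    -days "$5" -extfile "$1/demo.cnf" -extensions "$7" -out "$1/$3.pem" 2>/dev/null
}

# verify_ok TRUSTED UNTRUSTED LEAF [EPOCH]: 0 if openssl accepts the path at that time.
verify_ok() {
  t=${4:-$(date +%s)}
  openssl verify -attime "$t" -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# expect pass|fail LABEL verify_ok-args...: prints the outcome, counts mismatches in $bad.
expect() {
  want=$1 label=$2; shift 2
  if verify_ok "$@"; then got=pass; else got=fail; fi
  printf '%-4s (want %s)  %s\n' "$got" "$want" "$label"
  [ "$got" = "$want" ] || bad=$((bad + 1))
}

# cross_sign_demo DIR: build the toy PKI in DIR and run the checks.
# Returns 0 only if every check comes out the way cross-signing promises.
cross_sign_demo() {
  d=$1
  write_cnf "$d/demo.cnf"
  for n in old new inter leaf; do newkey "$d/$n.key"; done
  selfsign "$d" old "/CN=Old Root" 30     # expires soon, like DST Root CA X3
  selfsign "$d" new "/CN=New Root" 3650   # long-lived, like ISRG Root X1
  # The cross-sign: NEW root's key and subject, certified by the OLD root.
  sign "$d" new   new_cross "/CN=New Root"     365 1001 ca   old
  sign "$d" inter inter     "/CN=Intermediate" 365 1002 ca   new
  sign "$d" leaf  leaf      "/CN=example.test"  90 1003 leaf inter
  # What a server would send with the leaf: intermediate + cross-signed root.
  cat "$d/inter.pem" "$d/new_cross.pem" >"$d/chain.pem"
  later=$(( $(date +%s) + 40 * 86400 ))   # 40 days on: only the OLD root has expired

  bad=0
  expect pass "old anchor, chain with cross-cert"        "$d/old.pem" "$d/chain.pem" "$d/leaf.pem"
  expect pass "new anchor, same chain"                   "$d/new.pem" "$d/chain.pem" "$d/leaf.pem"
  expect fail "old anchor, chain without cross-cert"     "$d/old.pem" "$d/inter.pem" "$d/leaf.pem"
  expect pass "new anchor, 40 days on"                   "$d/new.pem" "$d/chain.pem" "$d/leaf.pem" "$later"
  # openssl, unlike Android, enforces the anchor's own notAfter:
  expect fail "old anchor, 40 days on (anchor expired)"  "$d/old.pem" "$d/chain.pem" "$d/leaf.pem" "$later"
  return $bad
}

cross_sign_demo "$(mktemp -d)"
```

The third check is the point of the exercise: without the cross-signed certificate in the chain, a client that only knows the old root cannot build a path to the new intermediate at all, so the "unknown issuer" error is not a bug on the site's side but a missing link in what the server sends.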

dstiles

9:58 am on Dec 24, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Yes. I wonder if they will have to extend it again? Or if they will? Old devices are economic if there is no need to replace them but in some cases are a pain. Shame there seems to be no way to revitalise them.

engine

10:08 am on Dec 24, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



We can't be expected to keep replacing these things at the same rate. I suspect they've realised it. My own phone is not quite that old, but is doing just fine. It must be five years old now, and the battery is doing OK.
I actually don't like the trend for new phones to be huge slabs with curved sides.
I'd be a bit annoyed if a whole bunch of sites became unavailable, or difficult to reach, with the suggestion that the certificate is out of date. It'd be concerning.

iamlost

1:24 pm on Dec 24, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Each site should do its own data analysis risk assessment, as usual every niche every site will vary.

That said, on first reading (back when) the linked Let's Encrypt post, I took comfort from the apparent discrepancy between one third of Android devices and one to five percent of site traffic. This indicated, to me, that many/most of the older (pre version 7.1) devices are NOT being used to browse but as phone/text devices.

My own subsequent site analysis put older Android users at about 2 percent of Android visitors and, regarding conversion importance, almost totally in one section; I've been putting a modal explanation window in front of the older Androids, in that section only, for a month now.

Results? I’ll tell you when the rubber hits the road :)

dstiles

9:52 am on Dec 26, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Until the reprieve I had a note at the top of web pages accessed by older Androids to say they could run into problems. I don't know how many hits there were that displayed the message BUT...

When I changed to a new insurance provider a few years back I received a free gift (I did not know about it until after I'd signed up). Choice was between a free supply of pizzas for a period or a Fire tablet. Guess which I chose. It's the only mobile device I have and I seldom use it but, during the recent spate of changes I've made to a number of web sites, I've been using the tablet to view in mobile mode. I got the warning message!

I haven't chased an upgrade to the tablet - don't even know if there is one - but I wonder what will happen when the LE cert runs out.

engine

10:13 am on Dec 26, 2020 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



@dstiles, we'll have another three years to wait now they've found a fix.

JorgeV

11:39 am on Dec 26, 2020 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



I like the part:

This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors


Just because it's trusted at some point, it's trusted forever :)