
Let's Encrypt support for Android <7.1.1 ends in Sept-Dec 2020 (except in Firefox)

Hi all,

Let’s Encrypt have announced that they will change the root certificate for newly issued SSL certificates on the 29th of September, 2020. This is because their present root certificate will expire in a few years. As their certificates have a lifetime of 90 days, the last ones with the old root will be gone by the 28th of December, 2020.

This will mean that web services using Let’s Encrypt for encryption will no longer be reachable on older devices. It will affect the Android browser, Google Chrome, and other apps for online services if the server/website which it is contacting has a Let’s Encrypt certificate. This will affect Android below 7.1.1, which means all FP1, and any FP2’s that are still on Android 5/6.

Note that many of the affected websites and apps may already have stopped working before as a result of the end of support for TLS 1.0/1.1 by many websites in the past few years.

The good news: Firefox is, again, not affected. It uses its own certificate store on all operating systems. I don’t know the situation for the Firefox forks used by many Fairphoners, but there’s a good chance that they’ll work too as they were not affected either when TLS 1.0/1.1 got dropped.
If your favourite app has a browser-based version, you will probably still be able to use Firefox (or a derivative of it) to connect to it.

EDIT: If you want to know how your browser will respond to this, please open https://valid-isrgrootx1.letsencrypt.org/.

9 Likes

FWIW, this has been postponed. The first new certificates will be issued on January 11, 2021, and the last old ones will expire on April 11, 2021.

See also: https://community.letsencrypt.org/t/a-note-to-heavy-users-of-let-s-encrypt-change-affecting-android-users-starting-january-11-2021/134769

4 Likes

Hi,

As I can read here in French:
https://web.developpez.com/actu/310287/Sur-les-anciennes-versions-d-Android-de-nombreux-sites-securises-par-Let-s-Encrypt-pourraient-cesser-de-fonctionner-en-2021-un-tiers-des-appareils-Android-sont-concernes/

Let’s Encrypt will issue certificates that won’t work for old Android devices next year.

A way to continue accessing those websites will be to use Firefox Mobile or IceCat Mobile:

Happy browsing!

3 Likes

In addition, we can learn from the graphic chart that using an FP1 makes us belong to the 0,8% of Android users that still use a 4.x version.

1 Like

Hi @siltaar, I moved your posts here as there was already a topic about it 🙂

3 Likes

Hi siltaar,
I am still on FP1U 🙂
And I often face websites not opening (“error”).
Do I understand it right that I can install “Firefox Mobile or IceCat Mobile” and probably get rid of these (certificate?) errors?
However, I tried to install these apps on my FP1 but I didn’t find them in (my) Play Store.
KR Michael

Firefox currently only supports Android 5 and up, sadly.

IceCat from F-Droid is still available for Android 4.1+: https://f-droid.org/en/packages/org.gnu.icecat/

Opera does appear to work as well - it’s not the most privacy-friendly browser though.

2 Likes

I use Lightning as browser on my FP1.

I should add here: IceCat displays a blank page on a few sites because it doesn’t run JavaScript files without a free license. Would follow Lidwien’s suggestion if usability rather than FOSS software is your main goal - although I haven’t tried Lightning to be honest. More importantly, I can’t find whether it implements its own certificate store.

(I also don’t have an FP1, but a different phone of similar age has passed between family members in recent years. I know that it currently has Opera installed on it, which didn’t lead to complaints yet.)

Otherwise, if you activate the F-Droid archive repo in F-Droid, you can download the 68.12.0 version (the last one before the Fenix upgrade); it runs on Android 4.1+. That’s the version I run on my FP2 because I currently don’t like the last one (probably too rushed) and it runs perfectly fine.

The problem is postponed for another 3 years

But maybe by then there will be no phones with Android < 7.1.1 in operation anymore (or at least their share will have decreased significantly).

4 Likes

For anyone who is still worried, I think there is another solution as well:

As far as I remember, the system’s certificate store isn’t a black box at all. The user is able to install (and trust) any new certificate as he pleases, or deactivate already installed certificates as well.
On Android 10 the menu entries for these actions are located at “Settings > Security > Encryption and Credentials”. I do not know the path for older Android versions, but I am pretty sure these options have been present since the first Android versions.
Given basic technical understanding, a user would be able to install the new Root certificate, once downloaded. Let’s Encrypt publishes their current Root Certificate on their website to download, so it is reasonable that they’ll do so with the new one too.

Yet, I haven’t tried this myself, so I might miss some catch here and this obviously opens a possibility for scammers to mislead unaware users too. Hence, I think the announced extended compatibility is good news.

2 Likes
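
Added example, not part of the thread: a check to run on a downloaded root certificate file before importing it into the system store, which addresses the look-alike-certificate risk mentioned in the post above. The certificate bytes and the `PUBLISHED` fingerprint are constructed placeholders; the real SHA-256 fingerprint has to come from the CA's own site over a connection you already trust.

```python
import base64
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def der_blocks(data: bytes) -> list:
    """Return the DER bytes of every certificate in a PEM or DER file."""
    if b"-----BEGIN CERTIFICATE-----" not in data:
        return [data]  # no PEM armour: treat as one raw DER certificate
    text = data.decode("ascii", errors="replace")
    return [ssl.PEM_cert_to_DER_cert(m) for m in PEM_BLOCK.findall(text)]


def normalise(fingerprint: str) -> str:
    """Accept 'AA:BB:...' or plain hex; return 64 lowercase hex digits."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", fingerprint).lower()
    if len(hex_only) != 64:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hex_only


def safe_to_install(data: bytes, expected_fingerprint: str) -> bool:
    """True only if the file holds exactly one certificate and it matches."""
    certs = der_blocks(data)
    if len(certs) != 1:
        return False  # a bundle could carry an extra, unwanted CA
    actual = hashlib.sha256(certs[0]).hexdigest()
    return hmac.compare_digest(actual, normalise(expected_fingerprint))


def make_pem(der: bytes) -> bytes:
    """Wrap bytes in PEM armour (only used to build the samples below)."""
    body = base64.encodebytes(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n").encode("ascii")


# Constructed stand-ins, not real certificates: the check only hashes bytes.
GENUINE = b"constructed stand-in for the published root certificate"
ROGUE = b"constructed stand-in for a look-alike root certificate"
PUBLISHED = hashlib.sha256(GENUINE).hexdigest().upper()  # placeholder

if __name__ == "__main__":
    print(safe_to_install(make_pem(GENUINE), PUBLISHED))
    print(safe_to_install(make_pem(GENUINE) + make_pem(ROGUE), PUBLISHED))
```

The second call returns `False` even though the genuine certificate is present, because a file that bundles more than one certificate is rejected outright.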

The catch here is that the SSL engine of Android 4.2 also does not support TLS 1.2 or 1.3, so you still need a browser that comes with a built-in SSL engine to access many sites (e.g. a Firefox derivative), regardless of the certificate. This has already been the case for over a year, however, so FP1 users have already adjusted to that.

Firefox also bundles a more recent store so it solves both problems if you find a version compatible with Android 4.2. Other browsers may only solve one of the two problems.

4 Likes