The free, open and automated certificate authority, Let's Encrypt, has issued a warning for Android users: 220 million websites will get flagged as not secure for Android users whose devices run software versions that came before 7.1.1. The alert comes from the senior staff technologist and lead developer at Let's Encrypt, Jacob Hoffman-Andrews. Hoffman-Andrews explains that the reason for the blocking on older Android devices is that at the launch of Let's Encrypt back in 2016, they used an existing certificate authority to gain trust, instead of having a root certificate that would have to garner trust over time. The company relied on IdenTrust's DST Root X3 certificate, which was already trusted by Android, macOS, Windows and iOS. They also, back in 2016, issued their own ISRG Root X1 certificate, which has since become trusted.
Which brings us to 2020 and the reason for the alert: the DST Root X3 certificate expires on September 1st 2021. Let's Encrypt currently relies solely on their own root certificate, which is a good thing. The downside is that software that hasn't been updated since 2016 won't trust Let's Encrypt's ISRG Root X1 the way it trusts the expiring DST Root X3. Unlike iOS, Android updates depend on factors like make, model and network, and any device running a version that came before 7.1.1 will flag sites using Let's Encrypt as unsafe.
How will this Let's Encrypt Android block affect South Africa?
To bring this back home, South Africa’s documented internet behaviour is saturated by mobile phones.
The majority of our country’s internet use is on mobile, so it’s safe to say that South Africa is a mobile-driven economy. Going further than that, Android is the world’s most popular operating system. An article in The South African states:
‘Data collected from StatsCounter show that, for the past year, Android has consistently remained the favourite mobile operating system among South Africans’.
Google has also been working on adopting a mobile-first indexing approach for the whole web. The world is gradually moving towards mobile, and if your business website uses a Let's Encrypt SSL certificate, then you might be in danger of losing potential revenue as a result of the Let's Encrypt announcement. If a customer clicks on your website from an Android device running a version older than 7.1.1, your website will get flagged as not secure, and that customer will lose trust in your business. E-commerce businesses that work with sensitive information like credit card details are at greater risk of losing those Android customers if their website gets flagged as unsafe.
Hoffman-Andrews also estimates that just under 34% of Android devices are not updated to 7.1 or above. He states that the percentage that is using older Android versions will:
‘Eventually, start getting certificate errors when users visit sites that have a Let’s Encrypt certificate.’
How can you protect your business website from getting flagged?
If your website still uses Let's Encrypt, it may be time to invest in another mode of cybersecurity, preferably before the Android and Let's Encrypt block: prevention is always better than cure. Hoffman-Andrews advises businesses that use Let's Encrypt to switch to an alternative certificate that Let's Encrypt will make available in January 2021. It's better to invest in credible, trusted website security and SSL certificates.
To avoid certificate errors, Android users whose devices still run older software should consider upgrading their device, or install the Firefox Mobile web browser app, which supports Android 5 and recognizes the Let's Encrypt root certificate.
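The chain-of-trust problem the article describes (the IdenTrust cross-sign expiring while old Android trust stores lack ISRG Root X1) and the Firefox workaround (a browser that ships its own root store) can both be modelled with a small path-validation simulation. The code below is an added example, not Let's Encrypt's or the article's own; the certificate list, trust stores and dates are constructed from the article's description (the cross-sign expiry date follows the article, not the real certificate), and the subject/issuer names are used as stand-ins for real X.509 certificates.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # constructed expiry dates, see CERTS below


# Constructed model of the chain the article describes: a site certificate issued
# by an intermediate that chains to ISRG Root X1, plus the IdenTrust cross-sign
# (ISRG Root X1 signed by DST Root X3) that older Android relies on.
CERTS = [
    Cert("example.org", "R3", date(2021, 12, 31)),
    Cert("R3", "ISRG Root X1", date(2025, 9, 15)),
    Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),   # self-signed root
    Cert("ISRG Root X1", "DST Root X3", date(2021, 9, 1)),    # cross-sign, expiry per article
    Cert("DST Root X3", "DST Root X3", date(2021, 9, 1)),     # IdenTrust root
]
LEAF = CERTS[0]

# Trust stores are sets of root subject names (constructed to match the article).
OLD_ANDROID_STORE = {"DST Root X3"}                  # Android < 7.1.1
NEW_ANDROID_STORE = {"DST Root X3", "ISRG Root X1"}  # updated devices
FIREFOX_STORE = {"ISRG Root X1"}                     # browser with its own root store


def find_path(cert: Cert, certs: List[Cert], trusted: Set[str], today: date) -> Optional[List[str]]:
    """Return the subject names from `cert` to a trusted root, or None if no
    chain of certificates that are all valid on `today` reaches the store."""
    if today > cert.not_after:
        return None
    if cert.issuer in trusted:
        return [cert.subject, cert.issuer]
    for candidate in certs:
        # Self-signed certificates only act as trust anchors, never as links,
        # which also keeps the search from looping between a root and its cross-sign.
        if candidate.subject == cert.issuer and candidate.subject != candidate.issuer:
            rest = find_path(candidate, certs, trusted, today)
            if rest:
                return [cert.subject] + rest
    return None


def validate(trusted: Set[str], today_iso: str) -> Optional[List[str]]:
    """Validate the constructed site certificate against a trust store on a given day."""
    return find_path(LEAF, CERTS, trusted, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for day in ("2021-06-01", "2021-10-01"):
        for name, store in (("old Android", OLD_ANDROID_STORE), ("new Android", NEW_ANDROID_STORE), ("Firefox", FIREFOX_STORE)):
            print(day, name, validate(store, day))
```

Before the cross-sign expires the old store still reaches DST Root X3 through it; afterwards only stores that contain ISRG Root X1 directly still validate the site.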