Fallout from upcoming Let's Encrypt certificate changes
([Security] Nov 6, 2020 17:37 UTC (Fri) (corbet))
- Reference: 0000836497
- News link: https://lwn.net/Articles/836497
As described in this Let's Encrypt blog entry [1], certificates issued by Let's Encrypt will soon be signed solely by that organization's own root certificate, which is accepted by all modern browsers. There is one little catch, though: versions of Android prior to 7.1.1 (released in late 2016) do not recognize that certificate and will start throwing errors. "Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites." There appears to be little to be done about this problem other than to encourage owners of older Android devices to install Firefox.
[1] https://letsencrypt.org/2020/11/06/own-two-feet.html
Fallout from upcoming Let's Encrypt certificate changes
Isn't it possible to install a root cert on these things? Granted, you get an annoying "your device may be monitored" message all the time, but that's still way better than "your web site isn't trusted".
Fallout from upcoming Let's Encrypt certificate changes
They are not so clear on timing. On 2021-09-01 the root certificate that was cross-signed for Let's Encrypt expires, but from 2021-01-11 they switch for new certificates to their own root. In the meantime, as a workaround, one can use an alternative configuration that allows getting certificates with the older cross-signed root.
But if one just gets a new certificate on 2021-01-10, it will last until 2021-04-10, so the workaround gets less than 5 months of extra time. I do not see why they bother with that at all. They could just continue to issue the current setup for a few more months and then switch to the new root.