User:Revi/LE-2021

HEY! This is a draft!

NOTE: This has quite a few first-person (I) notes. Fix them appropriately.

TL;DR for those who are not familiar with technical details[edit source]

Some technical details are obfuscated or over-simplified because people will not understand the technical details. If you know what I am saying below, ignore this section.

• Let's Encrypt (Hereinafter, LE) is migrating to their own infrastructure. (Previously, they leased from some other organizations)
• However, LE debuted around 2015, which means some old Android devices (Android version prior to 7.1.1) will display an error message when they try to browse any site served by LE (custom domains served by LE). This is because Android version prior to 7.1.1 doesn't have necessary data to understand LE certificates.
• There is currently two known mitigation.
  • You can get your own Custom domain with your own custom SSL certification. Domain is (mostly) not free, and SSL certifications outside of LE is not free.
  • You can direct your archaic Android users to use Firefox for Android. Firefox maintains their own list of certificates, and it includes LE.
• This change is announced to happen around 2021-01-11, however I have observed that new certificates without compatibility is being issued as of 2020-12-11.^{[needs edit]}
  • This likely means any certificates issued after 2020-12-11 or renewed after this date is likely to error on old Android devices. LE certificates are live for 3 months, and it's renewed every 2 months, so it is safe to assume that all websites will convert by Feb or March or 2021.

More technical details[edit source]

SSL Certificate is a top-down system. There is a "Root store", maintained by OS and browsers. (Microsoft, Apple, Linux: differs by distributions, Mozilla, Google Chrome, and more) "Root store" stores "Root Certificates", which is owned by various entities (They are called Certificate authority, also known as CA) who vets you are you who you claims to be, and then issues certificates for you. If your certificates are not traced to the trusted root certificate, OSes and browsers won't trust it, and display an error message. Before 2015, there was not much of a choice for free SSL (It was mostly CAcert.org (which is not trusted by most root stores) and StartSSL (which lost the trust due to their misbehavior, and subsequently ran out of business).) and it was not really accessible. Let's Encrypt (hereinafter LE) changed all this. It has automated tool to get certificates, which has removed most of the barriers around getting https://. This has made LE one of the largest CA in the world, issuing more than 1 million certificates every day.

As I said earlier, CA certificates has to be in a root store to not cause an error. LE, back in 2015, did not have time to get their root certificates to be included in root store (it is known to take a LONG time). So, they got vetted IdenTrust's certificate (known as Cross-Signature). This has ensured their certificates are trusted by almost all browsers and OS. However, all certificates expires, and IdenTrust's root that signed LE's certificates will expire by September 2021. LE decided not to get cross-signed this time.

The problem is, LE went operational since 2015, and it means there's no LE root certificate for older Android devices (because it has to be an OS update to add new Root Certificates, and because of Android fragmentation, there are lot of Android phones that is not getting the OS update for a long time), any Android phone without an version update since 2016 (when their cert started to be included in root stores) is vulnerable to this problem. According to LE and Google, 66.2% of the Android users are running version 7.1 or above, which is safe from this issue. That leaves us 33.8% of people vulnerable to this problem.

As of remove nowiki and timestamp here ~~~~~, our Matomo record indicates PUT THE MATOMO DATA HERE percent of people are using vulnerable version.