One of the largest providers of HTTPS certificates, Let’s Encrypt, will stop using an older root certificate next week — meaning you might need to upgrade your devices to prevent them from breaking.
Let’s Encrypt, a free-to-use nonprofit, issues certificates that encrypt the connections between your devices and the wider internet, ensuring that nobody can intercept and steal your data in transit. Millions of websites alone rely on Let’s Encrypt. But, as warned by security researcher Scott Helme, the root certificate that Let’s Encrypt currently uses — the IdentTrust DST Root CA X3 — will expire on September 30. After this, computers, devices and web clients — such as browsers — will no longer trust certificates that have been issued by this certificate authority.
For the overwhelming majority of website users, there is nothing to worry about and September 30 will be business as usual. Older devices, however, could run into some trouble, much like they did when the AddTrust External CA Root expired back in May. Stripe, Red Hat and Roku all suffered outages as a result.
“Given the relative size difference between Let’s Encrypt and AddTrust, I have a feeling that the IdenTrust root expiry has the potential to cause more problems,” Helme warned in a blog post, referring to the upcoming expiry.
“At least something, somewhere is going to break.” Scott Helme, security researcher
Devices likely to be affected by the certificate expiry are those that don’t get updated regularly, like embedded systems that are designed not to automatically update or smartphones running years-old software releases. Users running older versions of macOS 2016 and Windows XP (with Service Pack 3) are likely to face issues, along with clients dependent on OpenSSL 1.0.2 or earlier, and older PlayStations that haven’t been upgraded to newer firmware.
While Android, in Let’s Encrypt’s words, has a “long-standing and well known issue with operating system updates”, the nonprofit has a workaround that might prevent the majority of smartphones from being impacted by the expiry. The organization this year transitioned to its own ISRG Root X1 certificate, which doesn’t expire until 2035. While many Android devices still don’t trust this certificate — namely versions of Android (Nougat) 7.1.1 and earlier — Let’s Encrypt obtained a cross-signature for its own certificate that’s valid for longer than the signing root, meaning most Android devices should remain breakage-free for three more years.
Some Android devices may still run into issues, Let’s Encrypt said, and it’s recommending that users running Android (Lollipop) 5.0 install Firefox.
“For an Android phone’s built-in browser, the list of trusted root certificates comes from the operating system — which is out of date on these older phones,” Let’s Encrypt explains. “However, Firefox is currently unique among browsers — it ships with its own list of trusted root certificates.”
Let’s Encrypt, which as of early September issued more than two billion certificates since it was founded in 2014, told TechCrunch that users should look at how many clients are using affected versions of OpenSSL and years-old operating systems. Its advice for those who can’t upgrade is to “look into whether serving a certificate chain with our new cross-sign makes sense.”
It’s difficult to predict what will happen come September 30, but as Helme puts it: “At least something, somewhere is going to break.”