Old Macs, iPhones, PlayStation 3 and Nintendo 3DS gaming consoles, an unknown number of smart TVs, set-top boxes and other “smart” devices, and even some PlayStation 4s may lose some internet connectivity next week.
That’s because a widely used digital certificate used to verify secure internet connections expires on Sept. 30, and millions of older devices won’t be able to update to install newer certificates.
As a result, many activities that requires a secure internet connection — from watching Netflix to checking your email to reading regular websites — may not work on older devices.
If this sounds familiar, it’s because we got a heads-up back in June 2020 when security researcher and consultant Scott Helme warned of it on his blog. Later in 2020, it was estimated that one-third of all Android phones could be knocked offline.
“You may or may not need to do anything about this,” Helme wrote on his blog in an update this week, “but I’m betting a few things will probably break on that day [Sept. 30].”
What you can do to keep your older devices online
Fortunately for those older Android devices, a workaround has been devised to keep them up and running until September 2024 as long as they’ve got Android 2.3.6 Gingerbread or later. (After 2024, you’ll need at least Nougat 7.1.1.)
But that doesn’t help Macs running macOS 10.12.0 or earlier, iPhones and iPads running iOS 9 or earlier, PlayStation 4 consoles running firmware versions earlier than 5.00 and old PCs running Windows XP with Service Pack 2 or earlier. All are likely to be affected, according to this list of affected devices posted by the digital certificate authority Let’s Encrypt.
If you have one of these devices and can upgrade the OS or firmware, do so this week. For example, any PC running Windows XP SP2 can be upgraded to XP SP3, which will fix the issue. Macs need only upgrade to 10.13 High Sierra, and any iPhone 5 or later can install iOS 10. PS4s are already up to version 9.00, released just a few days ago.
PlayStation 3 consoles may or may not be able to be upgraded. Sony released PS3 firmware update 4.88 for the PS3 in June 2021, nearly 15 years after the console was first made available. We don’t know what’s in the firmware update — Sony just said it brought “additional features, improved usability and enhanced security” — but it’s possible it fixes this certificate issue.
If you can’t upgrade your Mac, PC or iPhone, then you can install the Firefox web browser to maintain some level of internet access, although standalone apps may not work. Unlike other browsers, Firefox isn’t dependent on the device’s OS for its security certificates — it brings its own.
As for smart TV, smart refrigerators, smart-home hubs, home Wi-Fi routers and so on, it’s hard to tell. Odds are that many devices released before 2017 may be affected, especially if they’ve never received a firmware update.
So if you can, open up or download the instruction manuals that came with your devices and try to upgrade the firmware or operating system.
What the heck is going on here?
This is complicated, but all those billions of secure internet connections that take place worldwide every second depend on what’s generally referred to as a “chain of trust.”
When a server — say a website — connects with a client like your PC, each presents digital certificates affirming identity. Because of this, your browser knows that it’s connecting to Chase Bank and not some hacker farm in Russia.
But how do you know these digital certificates are valid? Well, certificates depend on public-private key cryptography to prove there’s no forgery taking place, but that’s another issue. What also matters is that a higher authority affirms if that certificate was indeed issued to Chase Bank. And another authority vouches for that authority, and so on.
Eventually, you reach the end of the line and get to what’s called a root certificate. These are the backbone of encrypted web connections. Root certificate issuers have no one higher to vouch for, because it’s the ultimate trust authority, and root certificates can be valid for many years.
But like all certificates, root certificates eventually expire. And one very important one, called DST Root CA X3, expires Sept. 30, 2021. This root certificate is doubly significant because it “cross-signs” or validates another root certificate that’s even more widely used and called ISRG Root X1.
ISRG Root X1 is cross-signed because the authority issuing it, Let’s Encrypt, was brand-new in 2015 and as such, wasn’t widely trusted by browsers and devices. So it got the older, more widely accepted DST Root CA X3 to vouch for it and essentially tell devices that, “if you trust me, you can trust this one too.”
Technically speaking, ISRG Root X1 was functioning as an “intermediate” certificate while DST Root CA X3 was acting as the root certificate.
Since 2015, Let’s Encrypt has rapidly grown to become the largest certificate authority in the world. One big reason is because it’s free to use. Since 2015, most web connections have also become fully encrypted, and Let’s Encypt is a big reason for that.
Hence, the very first root certificate Let’s Encrypt issued, ISRG Root X1, is very widely used to vouch for thousands, perhaps millions, of shorter-term certificates used by websites and servers.
In fact, until the release of ISRG Root X2 in September 2020, it was the only root certificate Let’s Encrypt had issued (and it even cross-signs the newer certificate ). Many newer devices have received updates that let them trust the ISRG Root X1 root certificate by itself, which is good because it’s valid until June 2035.
But a lot of older devices still rely on the cross-singing root certificate, DST Root CA X3, to vouch for ISRG Root X1. And that’s a problem because when DST Root CA X3 expires Sept. 30, 2021, then those devices will no longer trust ISRG Root X1 or the jillions of downstream certificates that depend on it either.
Will I lose all internet connections?
It’s hard to say what this will mean for devices that haven’t been upgraded to trust ISRG Root X1. There are a couple of hundred valid root certificates in existence, and most devices and web browsers will support at least a few dozen.
So many older devices may still be able to make at least some web connections if those individual server certificates don’t lead back to ISRG Root X1 or DST Root CA X3.
However, ISRG Root X1 also backs version 1.02 of OpenSSL, a widely used (because it’s free) software library that establishes secure web connections. OpenSSL version 1.02 was issued in early 2015, and a lot of devices and operating systems released in 2015 and 2016 — such as iOS 9 and macOS 10.12 Sierra — rely on it.
Again, we won’t really know what’s going to happen until it starts to happen on Sept. 30. But Scott Helme thinks something definitely will.
“I don’t know what’s floating around out there on the web, and I don’t know what depends on those things [each certificate] either,” Helme wrote on his blog. “One thing that I do know, though, is that at least something, somewhere is going to break.”