Publications suggest an apocalypse will befall millions of smartphones on September 30. In fact, a security certificate will expire. So errors could be displayed when visiting websites, but only very old devices that have not been updated for a long time should be affected. In the vast majority of cases, everything will be fine.
This is a very alarming warning that you may have come across in recent days in French and international news: press articles warn that as of September 30, 2021, millions of smartphones may no longer be able to operate. ‘to go on the Internet. The problem would be even larger still, because, it is reported, connected devices in shambles would be affected.
Things, seemingly very disturbing, are in fact much less critical. There should be no disaster on September 30 for the vast majority of products in circulation – at least for those under ten years old and properly updated. The situation is a little less encouraging for older devices, but measures exist to alleviate the problem.
The red flags came from a blog post written on September 20 by Scott Helme, a computer security researcher. He explains that on the 30th, the root certificate “IdentTrust DST Root CA X3” will expire. However, it is it that Let’s Encrypt uses within the framework of its activities to raise the general level of security on the web, thanks to a system which is used to verify the sites on which one goes.
A certificate story that will expire
The role of certificates is major on the net. These electronic documents are used to authenticate websites to verify that they are who they claim to be when visited. They also check the reliability and security of the connection established between the Internet user, via his browser, and the server that hosts the site, to avoid any interception or alteration of data.
In this context, the existence of Let’s Encrypt was decisive, since this initiative made it possible to provide certificates to as many people as possible free of charge, without excessive price barriers or too high technical constraints. The statistics speak for themselves: one billion of these documents were issued in February 2020. And in September 2021, the two billion mark has been crossed. In fact, Let’s Encrypt has since its birth in 2014 very largely contributed to democratizing the encryption of the web.
Just consult the dashboard that Google provides to track its rate of use of HTTPS (the acronym that says if a secure connection is established with a site, a closed padlock is also visible next to the URL). Over 90% of the pages viewed by Chrome are loaded using HTTPS (around 95% in France). Chrome is a good watchman in this area, given its great success.
But in fact, there is a certain flip side: by becoming such a big player, Let’s Encrypt mechanically gives a very important scale to the slightest glitch. And even the smallest of its decisions can have very broad repercussions. It’s exactly the same when a provider used by very large sites breaks down: it shows very quickly.
” Ordinarily, this event, namely the expiration of a root certificate of a CA, would not even be worth mentioning, because the switch from the old root certificate to the new one is completely transparent. Scott Helme notes. But this is only valid if the devices benefit from the updates in time that allow them to retrieve the new root certificate.
However, warns Scott Helme, this would not be the case here. ” The reason we have a problem is that the [applications qui s’appuient sur ce certificat, ndlr] are not updated regularly “. Therefore, if they are not updated, ” the new root CA that replaces the old, expiring root CA is not downloaded to the device. “
This IdentTrust DST Root CA X3 root certificate turns out to be the starting point of a chain of trust that goes through another certificate, ISRG Root X1, before arriving at intermediate certificates, such as Let’s Encrypt R3. However, Scott Helme alarmed, “ Once this root certificate has expired, clients, such as web browsers, will no longer trust certificates that have been issued by this certificate authority. “
In his blog post, Scott Helme believes that devices using the following platforms are affected:
- Windows XP Service Pack 3 or less;
- macOS 10.12.1 or less;
- iOS 10 or less;
- Android 7.1.1 or less;
- Ubuntu 16.04 or less;
- Debian 8 or less;
- Amazon FireOS (Silk browser);
- Mozilla Firefox 50 or less;
- Java 8 8u141 or less;
- Java 7 7u151 or less;
- OpenSSL 1.0.2 or less;
- NSS 3.26 or less.
What lead to a cascade of invalid certificates and, therefore, mass errors, even malfunctions that could prevent having Internet after September 29?
Worries maybe, the apocalypse no
It’s actually less critical than it sounds, even if devices could indeed experience occasional problems after September 30. Let’s Encrypt has indeed taken various measures in 2020 to mitigate the dire predictions of Scott Helme, in particular at the level of the ISRG Root X1 certificate. To put it in a nutshell, very few people should be really in trouble.
As Silicon explains, an agreement has been reached with the IdenTrust CA to sign the ISRG Root X1 certificate through DST Root X3 until early 2024, which leaves room for older devices to whether they are updated or renewed. In addition, solutions have been found to allow the compatibility of these certificates to be downgraded to a very old version of Android.
This reprieve until 2024 is allowed by the fact that Android, continues our colleague, does not take into account the expiration dates of the certificates used as roots. Therefore, the deadline of September 29, with the expiration of IdentTrust DST Root CA X3, is postponed until much later. Good news, given the huge fleet of devices that use Android around the world.
On the Let’s Encrypt forums, a team member confirmed in April that “ Android devices up to version 2.3.6 will continue to work “. However, it should be noted that smartphones and devices that use a version lower than branch 2.3.6 are in fact very old products, and today very little in circulation. Indeed, the 2.3.6 version was released on September 2, 2011!
Clearly, there will be no real concern for Android smartphones, because the park has changed considerably in ten years. This is what Lets Encrypt also wrote on Twitter September 26: ” Old Android devices will still be able to access Let’s Encrypt certificates, even if their Android operating system does not trust the root certificate. ISRG Root X1 “.
According to Google statistics in February 2021, the cumulative share of Android versions up to branch 4.0.4 (which was released on March 28, 2012) only weighs 0.2% of all distributions. In this crumb Android, the share that must weigh versions up to Android 2.3.6 must itself be infinitesimal … even if on the scale of Android, this probably represents tens of thousands of devices.
What about other devices, which are not on Android? They’ll show certificate errors, Let’s Encrypt says, which looks quite different from a login Armageddon. ” On some platforms, using Firefox will be a workaround, as Firefox receives updates even on many outdated operating systems. », Is it indicated.
Note for Android can be duplicated for Windows or iOS. Support for XP ended on April 8, 2014 (except in very exceptional cases) and there have been several other versions of Windows. There are certainly still stations equipped with it, but its use has fallen to 0.6%. As for iOS, 93% of the iPhone fleet is on iOS 13 or higher. iPhone 5 is the most distant model that accesses iOS 10.
To put it another way, given the average rate of new smartphones and the availability of updates, people who are still running Android 2.3.5 or iOS 10 aren’t running the streets. Ditto for computer workstations with very old branches of Windows, macOS or Linux (Ubuntu, Debian). Also, the problem can arguably be mitigated further through updates that certain devices are eligible for – just remember to make sure.
Some issues are postponed
There are mitigation solutions (checking for updates or using Firefox as a fallback browser to avoid certificate errors). However, the best thing may be to buy a recent machine. Some would say that it is obsolescence, but we are talking about products that are more than ten years old and which, moreover, are no longer maintained as a rule.
Regarding Android, the problem may rest in 2024, as the agreement with IdenTrust to extend the signature validity for the DST Root CA X3 certificate will expire. In this case, smartphones that do not have an OS version greater than branch 7.1.1 (released on December 1, 2016) will be faced with certificate errors. But in 2024, what will remain of this branch in distribution?
If the CA X3 DST Root certificate expires on September 29, 2021, what happens next? Besides the fact that Let’s Encrypt has found a solution with IdenTrust to extend it for three years for Android under certain circumstances, the other root certificate that Let’s Encrypt (ISRG Root X1) has been using since 2015 has been quiet for quite a while: it doesn’t ‘will not expire before 2035.
It now remains to observe what could possibly break during the seesaw from September 29 to 30. ” I feel like IdenTrust root expiration can cause quite a bit of trouble », Fears Scott Helme. ” One thing I do know, however, is that at least something, somewhere, is going to break “. But this break, prophesied for millions of devices, could ultimately be much less.