On 11 January 2021, Let’s Encrypt is making a big change to the way its SSL certificates work. While it’s a really positive step, there are likely to be hiccups for users running older versions of Android. So, what are we doing about it? And what should you be doing too?
SSL certificates: a quick recap
Bit woolly about what SSLs actually are? No problem. SSL is an encryption technology that protects sensitive data as it travels across the internet. It makes sure hackers can’t intercept the connection between you and your customers to get at personal information or bank details. An SSL certificate proves you’ve put that security in place, so customers can trust your website.
Why we love Let’s Encrypt
Here at Nimbus, we use Let’s Encrypt SSL certificates (sometimes now called TLS certificates) to make your websites more secure. They give you HTTPS status, they help users and their browsers trust your sites and, rather handily, they’re free in STORM.
We choose Let’s Encrypt because we love what they do – making the internet a better, safer place for people, every day. They’ve got a really strong reputation for making smart, simple security accessible to as many people as possible and they’re constantly upping their game.
So what’s changing?
Let’s Encrypt launched as a Certificate Authority (CA) five years ago. Smart, agile and ambitious, they had a big vision, but they weren’t yet well enough known for their root certificate to be trusted by a wide variety of operating systems.
So, they did what new CAs often do – they got a cross-signature from another CA, called IdenTrust. It meant they could start issuing certificates straight away, helping a lot of people, fast.
A lot’s changed since then. Let’s Encrypt’s own root certificate, ISRG Root X1, has now been trusted by software platforms for years, so they’re ready to make the switch, stand on their own and rely on it completely. The original IdenTrust certificate is expiring, and they’re ok with that.
So what’s the problem?
It’s a compatibility thing. Some software that hasn’t been updated since Let’s Encrypt’s own root certificate was accepted (in 2016!) still won’t trust it. This includes versions of Android older than 7.1.1. So the 30% of Android users worldwide who still use those older versions will eventually start seeing warning messages saying sites with Let’s Encrypt certificates are no longer trusted.
Lots of Android devices all over the world are using out-of-date operating systems. It’s a well-known issue that’s been rumbling on for ages, and Let’s Encrypt are far from the only ones it affects. But knowing some people would have trouble with the new root certificate wasn’t something they took lightly. In fact, you can read their take on the story right here.
After a lot of soul searching, the Let’s Encrypt team decided moving to their own root certificate was still the best way to grow and be an independent force for good. So the switch is happening – but we’re here to get you ready.
What do I need to do?
If you’re not on one of our STORM Servers, you may need to move to Let’s Encrypt’s new root certificate, ISRG Root X1, on 11 January 2021, or take a little longer to make the transition and switch over in September instead. The original IdenTrust root certificate (DST Root X3) doesn’t expire until September, so Let’s Encrypt are making it possible to stick with it a little longer if you want to.
On the other hand, if you’re one of our awesome STORM users, you won’t need to do or worry about a thing. All our SSL certificates renew automatically every 90 days, which means your SSL will move itself over to Let’s Encrypt’s new root certificate.
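To see why the older Android versions described above reject the new chain but accept the one that still leads back to DST Root X3, here is an added example (not code from the original post or from Let’s Encrypt). It parses the chain summary that `openssl s_client -showcerts` prints and walks it against two modelled trust stores; the leaf and intermediate names are placeholders, the trust-store contents are simplified, and signature checks are deliberately left out.

```python
import re

# Constructed sample of the "Certificate chain" summary printed by
# `openssl s_client -connect host:443 -showcerts`. The leaf and
# intermediate names are placeholders, not Let's Encrypt's real ones.
DEFAULT_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:O = Let's Encrypt, CN = Intermediate (placeholder)
 1 s:O = Let's Encrypt, CN = Intermediate (placeholder)
   i:O = Internet Security Research Group, CN = ISRG Root X1
"""

# The same server configured to send the alternate chain: one extra
# certificate, ISRG Root X1 cross-signed by IdenTrust's DST Root X3.
CROSS_SIGNED_CHAIN = DEFAULT_CHAIN + """\
 2 s:O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root X3
"""

# Modelled trust stores (simplified): a current platform ships both
# roots; Android older than 7.1.1 only knows DST Root X3.
MODERN_STORE = {"ISRG Root X1", "DST Root X3"}
OLD_ANDROID_STORE = {"DST Root X3"}


def parse_chain(s_client_output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    cn = lambda dn: re.search(r"CN = ([^,\n]+)", dn).group(1).strip()
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", s_client_output, re.M)
    return [(cn(s), cn(i)) for s, i in pairs]


def chain_is_trusted(chain, trust_store):
    """Minimal path building by name: follow issuers from the leaf until
    one is a trust anchor. A client that already trusts ISRG Root X1 stops
    there and never needs the cross-signature; an old client keeps walking."""
    by_subject = {subject: issuer for subject, issuer in chain}
    issuer = chain[0][1]
    seen = set()
    while True:
        if issuer in trust_store:
            return True          # reached a root the client already trusts
        if issuer not in by_subject or issuer in seen:
            return False         # nothing in hand continues the path
        seen.add(issuer)
        issuer = by_subject[issuer]
```

Run the real command against your own server and feed its output to `parse_chain` to see which root your chain currently ends in.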
How will it affect my websites?
Whether you move over in January or September, your websites will be just as safe and secure as ever. In fact, even though older versions of Android may start displaying warnings, they’ll still be fully HTTPS sites, trusted by every major browser. There’s no change to the security of your customers’ data, at all.
What you might find is that users of those older Android versions get in touch to ask why they’re seeing warnings on your websites. We’re recommending you tell them to download the Firefox mobile browser, which is fast, free and gets all the updates needed to support the Let’s Encrypt changes seamlessly.
It only takes a couple of minutes to get up and running on Firefox and there’s a link you can send them right here.
You could even get ahead of the queries and add a temporary banner to your website pointing older Android users straight to Firefox.
What if I need some extra help?
We’re right here. We know that’s a lot of tech to take in, so if you’d like to talk it through, just give us a ring on 0203 005 9180. And if you’ve got a quick question you’d like to fire over, don’t be shy. Just drop us a line or raise a ticket. We’ll jump straight on it.