UPDATE: There's now a workaround that postpones this issue for most older Android phones until September 2024. See the end of this story.
While new apps and features may be off-limits to your older Android phone, you might assume that you’ll continue to have unfettered internet access.
You would be wrong: Beginning in September 2021, a large number of websites will be off limits to older phones, thanks to a change in how websites are digitally verified.
As explained by Android Police, it’s all thanks to changes at Let’s Encrypt — a digital-certificate authority used by around 30% of domains on the web. For years, Let's Encrypt's own ISRG Root X1 root certificate has been cross-signed with IdenTrust’s DST Root CA X3, which is present in every major operating system.
But this partnership with IdenTrust is set to expire on Sept. 1, 2021, and Let’s Encrypt has said it doesn’t intend to renew the arrangement. That means that any browsers or operating systems that trust only the IdenTrust root, and not ISRG Root X1 itself, will not be able to load the estimated one-third of all websites that use Let's Encrypt certificates.
In short, you'll have some trouble if your phone runs Android 7.1 Nougat or earlier. (The fix was introduced in Android 7.1.1, released in December 2016.)
“This does introduce some compatibility woes,” Let's Encrypt wrote in a blog post last week. “Some software that hasn’t been updated since 2016 (approximately when our root was accepted to many root programs) still doesn’t trust our certificate, ISRG Root X1. Most notably, this includes versions of Android prior to 7.1.1.”
This, according to Google’s own figures, means that — short of a sudden spike in OS upgrades between now and September — a large fraction of Android phones and tablets will start generating errors when they visit sites with a Let’s Encrypt certificate.
How many Android phones will be affected?
According to statistics from April 2020, 33.8% of Android devices were running 7.1 or earlier. That percentage will certainly be less by September 2021, but hundreds of millions of Android devices will still be affected.
“What can we do about this? Well, while we’d love to improve the Android update situation, there’s not much we can do there,” Let's Encrypt wrote. “We also can’t afford to buy the world a new phone.”
This will affect smart-home devices too
If this sounds familiar to Tom's Guide readers, it should. Back in June 2020, British security researcher Scott Helme noticed that Roku set-top boxes and several online services had stopped functioning properly due to expired digital certificates that blocked many web connections.
That problem was only temporary, but Helme predicted that a big wave of website incompatibility would arrive in September 2021 due to Let's Encrypt issues. He mentioned not only older Android phones but also the millions of smart-home devices, such as light bulbs, wall plugs or even smart TV sets, that rarely or never receive firmware updates.
"This is going to be a problem," Helme said. "We are not on top of this."
How can I keep my older phone connected?
Let's Encrypt has some advice for site owners on limiting the damage to older devices by serving an alternate certificate chain. It also recommends that those who can’t afford a new Android phone install Firefox Mobile, which runs on Android 5.0 Lollipop onwards. Firefox will be able to load the problematic websites.
“Firefox is currently unique among browsers — it ships with its own list of trusted root certificates,” Let's Encrypt explained. “So anyone who installs the latest Firefox version gets the benefit of an up-to-date list of trusted certificate authorities, even if their operating system is out of date.”
But this is, ultimately, just a temporary fix. A smartphone needs to access websites via more than just the web browser, and you may still end up with strange behavior in other apps as a result.
Are you affected? Android 7.1.1 was released in December 2016, so any phones bought after that are all but guaranteed to be safe, and even handsets bought in the year or so before are likely to have had a software update. If in doubt, it’s worth checking what version of Android you’re running, by digging into the system settings.
If you find that your phone is incompatible with Android 7.1.1 or later, it’s time to upgrade. The good news is this needn’t be as expensive as you think, and budget phones have improved immeasurably over the last few years. Here’s our current list of the best cheap phones you can buy.
UPDATE: Let's Encrypt devises a workaround
Thanks to Android's lax enforcement of security-certificate expiration dates, Let's Encrypt has found a way to work around this.
The details are a bit complicated, but Let's Encrypt got IdenTrust to extend the cross-signing between DST Root CA X3 and ISRG Root X1 by another three years. Never mind that DST Root CA X3 still expires Sept. 30, 2021; Android doesn't care.
As a result, all devices running Android 2.3.6 Gingerbread and later will be able to connect to most websites until September 2024. After that, however, you'll need at least Android 7.1.1 Nougat.
Sadly, this workaround applies only to Android. A whole bunch of other devices may lose most internet connectivity beginning Sept. 30, 2021.
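How the trust-store and expiry rules described above play out, as an added model that is not Let's Encrypt's or Android's code: a toy path validator run over the default and alternate Let's Encrypt chains against the two Android trust stores, with a switch for whether a root's own expiry date is enforced. The DST Root CA X3 expiry and the September 2024 cross-sign date come from the article; the `example.org` leaf and the R3 and ISRG Root X1 expiry dates are assumptions.

```python
from datetime import datetime

# Constructed, simplified model of the chains the article describes: only
# validity windows and issuer/subject links are checked; signatures, key
# usage and revocation are assumed to be fine.
def cert(subject, issuer, not_after):
    return {"subject": subject, "issuer": issuer,
            "not_after": datetime.fromisoformat(not_after)}

LEAF = cert("example.org", "R3", "2030-01-01")      # constructed; kept long so the chain, not the leaf, decides
R3 = cert("R3", "ISRG Root X1", "2025-09-15")       # intermediate; expiry date assumed
X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", "2024-09-30")  # cross-sign extended to Sept 2024
X1_SELF = cert("ISRG Root X1", "ISRG Root X1", "2035-06-04")    # self-signed root; expiry date assumed
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", "2021-09-30")  # expires Sept 30, 2021

SHORT_CHAIN = [LEAF, R3]            # default chain: needs ISRG Root X1 in the trust store
LONG_CHAIN = [LEAF, R3, X1_CROSS]   # alternate chain: also reaches the old IdenTrust root

PRE_711 = {"DST Root CA X3": DST_X3}                              # Android 7.1 and earlier
POST_711 = {"DST Root CA X3": DST_X3, "ISRG Root X1": X1_SELF}   # Android 7.1.1 and later

def validate(chain, trust_store, now, enforce_anchor_expiry=True):
    """Return 'ok' or why the leaf-first chain fails for a client holding trust_store on date now.

    Path building stops at the first certificate whose issuer is a usable trust anchor.
    enforce_anchor_expiry=False mimics Android, which does not check a root's expiry date."""
    now = datetime.fromisoformat(now)
    failure = None
    for i, c in enumerate(chain):
        if now >= c["not_after"]:
            return f"expired: {c['subject']}"
        anchor = trust_store.get(c["issuer"])
        if anchor is not None:
            if enforce_anchor_expiry and now >= anchor["not_after"]:
                failure = f"expired anchor: {anchor['subject']}"   # remember it, but keep looking
            else:
                return "ok"
        if i + 1 < len(chain) and chain[i + 1]["subject"] != c["issuer"]:
            return f"broken link after {c['subject']}"
    return failure or f"untrusted root: {chain[-1]['issuer']}"

if __name__ == "__main__":
    cases = [("default chain, Android 7.1, Oct 2021", SHORT_CHAIN, PRE_711, False),
             ("alternate chain, Android 7.1, Oct 2021", LONG_CHAIN, PRE_711, False),
             ("alternate chain, strict client, Oct 2021", LONG_CHAIN, PRE_711, True)]
    for label, chain, store, strict in cases:
        print(f"{label}: {validate(chain, store, '2021-10-01', enforce_anchor_expiry=strict)}")
```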