Are you browsing secure sites?

Everything needs to change with time and circumstances, and websites are no exception. However, changes may not be compatible with all devices. Companies update their sites mostly for security reasons, and they also change their UI and UX to stay competitive. When data is exchanged over insecure routes, it can be intercepted by a third party. They can gather the information you have entered on the site and sneak a look at the details being transferred, exposing your privacy and confidential information. To combat this, websites are upgraded to better versions. Simply put, encryption is the process of altering a file or data in such a manner that it is rendered unreadable through easy or conventional means. This means that as long as you visit secure websites, your data will be highly secure.

The most commonly used and revered encryption system is the SSL certificate. This certificate dictates whether or not a website is trustworthy. When surfing the internet, you’ve probably come across terms like HTTP and HTTPS. While at first sight one might take them to be the same thing, there is a very big difference: security. The main difference between HTTP and HTTPS is the presence of an SSL certificate. HTTPS denotes that the website has an SSL certificate, whereas HTTP denotes a lack thereof.

An SSL certificate not only encrypts data transferred between a visitor and the website’s server, it also gives the visitor peace of mind knowing that their information is safe while using said website. Even the search engine Google announced that a website’s ranking will be better if it switches from HTTP to HTTPS, essentially incentivizing website owners to switch while also making the internet a safer place.

Let’s Encrypt is one of the giants in the industry that provide certificates for TLS/SSL encryption. TLS is basically SSL’s successor: it functions more or less the same way, except it’s more secure. However, SSL is still more widely used.

When Let’s Encrypt first started back in 2016, they partnered up with another group, IdenTrust, and entered into a cross-sign agreement. Root certificates such as Let’s Encrypt’s ‘ISRG Root X1’ and IdenTrust’s ‘DST Root X3’ are in Windows, macOS, Android and many other popular operating systems. For a CA to be accepted by OSes and browsers, it can take several dreadful years.

This is why Let’s Encrypt partnered up with IdenTrust, a group that had been around for much longer and had its root certificate already accepted in the scene. However, Let’s Encrypt announced on their website on November 6 that this contract they agreed to will expire on September 1, 2021. Furthermore, Let’s Encrypt does not plan on extending it. Its root certificate is now widely trusted and, at this point, they don’t need to rely on IdenTrust anymore. While this is fine and dandy for Let’s Encrypt and a great milestone for their team, it has created a small problem.

As stated in the same post, Let’s Encrypt has revealed that some software that hasn’t been updated since 2016 (around the same time Let’s Encrypt began) still doesn’t accept their root certificate. This creates a compatibility issue. The change is mostly going to affect Android phones with a version older than 7.1.1, which means that the affected devices won’t trust certificates from Let’s Encrypt. While the current userbase of Android devices with a version higher than 7.1 is 66.2%, the remaining 33.8%, which use a version lower than 7.1, will start getting certificate errors whenever they visit a website that uses a Let’s Encrypt certificate. About 30% of all web domains today use a Let’s Encrypt certificate.

A small workaround is to use the Firefox browser, as it uses its own certificate store. However, it’s only a band-aid solution: it isn’t entirely practical, and it is pretty much useless once you take operations beyond a browser into account. So eventually, you’ll have to upgrade to a new device with an Android version higher than 7.1 or use mobile devices that don’t run Android OS, like an iPhone.

There isn’t really a single entity, individual or organization, that you can point your finger at and say, “Hey, it’s because of this guy that we are vulnerable”. Keep in mind that Let’s Encrypt is a non-profit group and its services are free of charge, meaning they rely on donors and sponsors to operate. So, this wasn’t some corporate cash-grab move by Let’s Encrypt. Android itself has a history of big issues with operating system updates. Part of this problem falls on Google’s lack of foresight and planning.

If anything, Let’s Encrypt’s decision and announcement are meant to warn all parties about this change and tell them how to prepare for it.

Using a device with an Android version older than 7.1? Your best option is to simply upgrade your phone. This change is a reason to consider it if you are running a device with an OS that is several years old, because you are exposing yourself to several other cyber threats, as outdated systems can’t tackle newer hacking methods. If you run a website, you can use a temporary fix and switch to an alternative certificate chain that leads to ISRG Root X1. As for app developers, you can ship updates that add ISRG Root X1 as a trusted root within the context of your app.
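
The compatibility problem and the app-level fix described above can be modelled as a chain-building check against different trust stores. This is an added example, not code from Let’s Encrypt or from the original article; the hostname, the intermediate’s name and every date other than the September 1, 2021 cut-off are constructed, and expiry of the trusted root itself is not modelled.

```python
from datetime import date

CUTOFF = date(2021, 9, 1)  # cross-sign expiry date as stated in the article
FAR = date(2035, 1, 1)     # constructed placeholder expiry

# Constructed chain a site might serve. "example.test" and
# "LE Intermediate" are hypothetical names used only for this model.
SERVED = [
    {"subject": "example.test", "issuer": "LE Intermediate", "not_after": FAR},
    {"subject": "LE Intermediate", "issuer": "ISRG Root X1", "not_after": FAR},
    # ISRG Root X1 as cross-signed by IdenTrust's root
    {"subject": "ISRG Root X1", "issuer": "DST Root X3", "not_after": CUTOFF},
]

# Trust stores modelled as sets of root names.
OLD_ANDROID = {"DST Root X3"}                     # not updated since 2016
UPDATED_DEVICE = {"DST Root X3", "ISRG Root X1"}
APP_STORE = OLD_ANDROID | {"ISRG Root X1"}        # app adds the root itself


def find_chain(subject, served, trust_store, today, seen=()):
    """Return the names from `subject` up to a trusted root, or None."""
    if subject in seen:  # guard against issuer loops
        return None
    for cert in served:
        if cert["subject"] != subject or today > cert["not_after"]:
            continue  # wrong certificate, or expired on this date
        if cert["issuer"] in trust_store:
            return [subject, cert["issuer"]]
        rest = find_chain(cert["issuer"], served, trust_store, today,
                          seen + (subject,))
        if rest:
            return [subject] + rest
    return None


if __name__ == "__main__":
    stores = {"old Android": OLD_ANDROID, "updated device": UPDATED_DEVICE,
              "app with its own root": APP_STORE}
    for name, store in stores.items():
        for day in (date(2021, 1, 1), date(2021, 10, 1)):
            print(f"{name:22} {day}  {find_chain('example.test', SERVED, store, day)}")
```

A result of `None` corresponds to the certificate error an un-updated device would show once the cross-signed path is no longer usable.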