Let's Encrypt: many advantages, but also a small problem you should be aware of
SSL/TLS certificates from Let's Encrypt
Let's Encrypt is a free, open certificate authority (CA) for SSL/TLS certificates, run by the non-profit Internet Security Research Group (ISRG) since 2015. Unlike most commercial CAs, Let's Encrypt issues certificates that are valid for only 90 days, but they are designed to be renewed automatically: an ACME client takes over the generation, validation, signing, installation and renewal steps that would otherwise have to be done by hand. The recurring manual renewal that is still common today is no longer needed. Once the client is set up correctly, you no longer have to keep track of certificate terms and expiry dates.
That sounds good, and it is. We at Marketing Factory Consulting GmbH have been using Let's Encrypt certificates successfully for years, and their share of our installations keeps growing. There is, however, a small catch in the coming year, which, as much can be said up front, will in most cases be a very small one.
Problems with old Android versions
What is this about? When a new certificate authority such as Let's Encrypt enters the market, it faces an unavoidable problem: its root certificate is not in the trust stores of every operating system and browser overnight. The usual way around this is a cross-signature: an established, already trusted CA signs the newcomer's root or intermediate certificate, so that clients which have never heard of the new CA can still build a chain to a root they do trust. Once the new CA's own root has made it into the major trust stores, this temporary bridge becomes obsolete.
This step is now due for Let's Encrypt. From September 1st, 2021, the cross-signed fallback chain will no longer be offered, and Let's Encrypt certificates will chain only to Let's Encrypt's own root, ISRG Root X1. For most clients this is no problem: the root has established itself over the last five years and is included in all common operating systems and browsers. All of them? Unfortunately not quite, and that is the core of the problem. ISRG Root X1 is missing from the system trust store of Android versions older than 7.1.1, so those devices cannot validate a certificate that chains only to it. For completeness: such compatibility problems can also occur with commercial CAs whenever a root is newer than the devices that have to trust it.
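The chain change described above can be reproduced offline with a throw-away test PKI. The script below is an added example, not code from this article or from Let's Encrypt: it builds two roots, one intermediate signed by both of them (the cross-signature), and a 90-day server certificate, then runs openssl verify for the two chains a server might send against two trust stores, one that only knows the old root (standing in for Android before 7.1.1) and one that knows both roots. All names, file names and validity periods are made up for the demo; it needs only openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original article or of Let's Encrypt's tooling.
# Throw-away PKI that imitates the chain change:
#   "Old Established Root"  plays the long-trusted partner root
#   "New CA Root"           plays the CA's own root
#   "Example Intermediate"  is signed by BOTH roots (a cross-signature)
# All names, file names and validity periods are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Private OpenSSL config so the outcome does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
default_md = sha256
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# mkroot NAME CN: self-signed root with key NAME.key and certificate NAME.pem
mkroot() {
  openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 3650 2>/dev/null
}
mkroot old_root "Old Established Root"
mkroot new_root "New CA Root"

# One intermediate key and CSR, signed twice: the two resulting certificates
# share subject and public key but have different issuers.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Intermediate" 2>/dev/null
for root in old_root new_root; do
  openssl x509 -req -in int.csr -CA "$root.pem" -CAkey "$root.key" -CAcreateserial \
    -extfile req.cnf -extensions v3_ca -days 1825 -out "int_by_$root.pem" 2>/dev/null
done

# A 90-day server certificate issued with the intermediate key. Its issuer name is
# "Example Intermediate" either way, so it fits under both cross-signed versions.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int_by_new_root.pem -CAkey int.key -CAcreateserial \
  -extfile req.cnf -extensions v3_leaf -days 90 -out leaf.pem 2>/dev/null

# What a server might send (leaf first), and what clients might trust.
cat leaf.pem int_by_old_root.pem > chain_transition.pem    # chain via the partner root
cat leaf.pem int_by_new_root.pem > chain_after_switch.pem  # chain via the CA's own root
cp old_root.pem trust_old_android.pem                      # store with the old root only
cat old_root.pem new_root.pem > trust_modern.pem           # store with both roots

# verify_chain TRUST_STORE CHAIN: prints OK if the leaf verifies, FAIL otherwise.
# -no-CApath keeps the system root directory out of the picture.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$WORK/$1" -untrusted "$WORK/$2" \
       "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

for trust in trust_old_android.pem trust_modern.pem; do
  for chain in chain_transition.pem chain_after_switch.pem; do
    printf '%-24s %-24s %s\n' "$trust" "$chain" "$(verify_chain "$trust" "$chain")"
  done
done
```

The last line of the table is the Android case from the article: the leaf and the intermediate are perfectly valid, but the client has no root in its store on which the chain can end. Which chain a real server sends can be inspected with `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server presents.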
The problem is not new
It has been known for many years that Android has a problem with operating system updates: a great many Android devices run outdated versions. The causes are varied and hard to remove. For each device, the core Android operating system is usually modified first by the manufacturer and then by a mobile network operator before it goes on sale. When Google later publishes an Android update, both the manufacturer and the operator have to merge these changes into their customized versions. Manufacturers frequently shy away from this effort and simply do not ship the update, so end customers are often tied to an outdated operating system for years.
Currently, around 66% of Android devices run version 7.1 or later. The remaining 34% may therefore see certificate errors when they visit websites secured by a Let's Encrypt certificate, at least in the system browser and in apps that rely on the Android system trust store; browsers that ship their own root store, such as Firefox, are not affected. By the final changeover in September 2021 this ratio will certainly have shifted further towards the newer versions, but even then there will still be outdated devices in use.
What to do?
What does this mean for everyone who secures their websites with Let's Encrypt certificates? As indicated above, we consider the problem negligible. Users of outdated operating systems are generally used to minor impairments, and in our view looking too far backwards stands in the way of progress. Whether a complaint really stems from this issue can be checked in the web server logs: the User-Agent header of the affected browser reveals the Android version. Until the changeover, ACME clients that support chain selection (Certbot's --preferred-chain option, for example) can keep installing the chain via the old root. Should complaints increase, there is always the option of switching to an alternative certificate authority.
Conclusion
It is a known problem, and there are solutions if they become necessary. The root cause does not lie with Let's Encrypt but with those device manufacturers who are unwilling to update Android. We recommend waiting to see whether complaints actually increase, and only then weighing whether a switch to another CA makes sense.
If you have any questions about Let's Encrypt or TLS in general, talk to us; we are happy to help.