Android users will have to upgrade their phones before long if they still want to visit much of the secure web. According to Android Police, the certificate authority Let’s Encrypt is warning that phones running Android versions before 7.1.1 Nougat won’t trust its root certificate starting in 2021, which will lock them out of many secure websites.
The company said it will stop default cross-signing for the certificate that enables this functionality on January 11th, 2021, and will drop the cross-signing partnership entirely on September 1st of that year.
A partial workaround is available by installing Firefox (Mozilla is a partner in Let’s Encrypt) and using its own certificate store, but that won’t help with rival clients or functionality beyond browsers.
It’s common for developers to drop support for older operating systems. However, this could be a sore point given Android update policies. Let’s Encrypt noted that about 33.8 percent of Android users on Google Play run a version older than 7.1, and some hardware vendors cut off support early.
It wasn’t uncommon for Android vendors to offer relatively few updates in previous years, and some devices (typically budget phones) would even be stuck with their shipping OS. You may have bought a phone in 2016 or even 2017 that could abruptly lose access to some websites, at least without workarounds.
The situation is improving. Samsung and other Android makers are committing to three years of OS updates. That won’t change the reality for many people with older hardware, though, and there may be little recourse if you can’t or won’t use Firefox.
Even though many other sites will keep working, the inconsistent support could be a hassle at the least and a major obstacle at worst.