Lets Encrypt removes compatilibility with older browsers

mikhomikho AdministratorHosting ProviderOG

Hello from the staff at Let's Encrypt.

On September 30, there will be a change in how older browsers and
devices trust Let's Encrypt certificates, resulting in a minor decrease
in compatibility. If you run a typical website, you won't notice a
difference. Devices and browsers running up-to-date software will
continue working fine, and we've taken steps to make sure the vast
majority of older devices will too. If you run a large website, or need
to support less common software (particularly non-browser software),
you'll want to read about the details at:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

In either case, no action is required from you. We're letting you know
so you can provide answers to any questions your site visitors may have.

Here is a sample hostname from one of your current Let's Encrypt
certificates:

Since 2015 we've served the world with 1.6 billion free certificates,
each one providing security and privacy to people on the Web. It's work
that's 100% funded by charitable donations since we are a nonprofit. If
your company is interested in sponsorship, please email
[email protected] If you can make a donation, we ask that you
consider supporting our work today: https://letsencrypt.org/donate/
Thank you.

  • The Let's Encrypt team

Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

Thanked by (3)Ganonk benz jureve

Comments

  • Well, most of the old old browser won't even support TLS 1.3.
    Right now most websites support TLS 1.2 and TLS 1.3, some even force TLS 1.3.

    I don't think that's gonna cut it that much, if LE drops old browser support.

  • deankdeank OGOfficial Troll

    Can't keep being bogged down by the past.

    Has to move on at some point.

    Thanked by (2)Lee Wolveix

    The Amitz day is October 21. ♻ I call people by their soulname.

  • mikhomikho AdministratorHosting ProviderOG

    @deank said:
    Can't keep being bogged down by the past.

    Has to move on at some point.

    True

    Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

  • Be aware that Let's Encrypt has already updated/changed their certificate chain on May 4th. Applications that use an (old?) internal certificate store may not have this new intermediate certificate installed and thus complain about invalid certs. I'm looking at your Synology, get it together.

    The old chain before May 3th was: End-entity certificate ← R3 ← DST Root CA X3
    The new chain since May 4th is: End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
    Source: https://community.letsencrypt.org/t/production-chain-changes/150739

    ISRG Root X1 is the new certificate which will take over when DST Root CA X3 expires on September 30th.

  • Glad to see that, people should really stop using obsolete OS/browsers.

  • mikhomikho AdministratorHosting ProviderOG

    @Rengar said:
    Glad to see that, people should really stop using obsolete OS/browsers.

    That is the only way to get regular people to stop using obsolete things, remove everything around them, eventually people have no other choice.

    Thanked by (1)yoursunny

    Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

  • It's not the Letsencrypt really removes anything. It's just that devices/browsers with outdated root certificates no longer have trust in certain certificates in the whole chain.

    Technically any SSL-provider has this issue. After a certain amount of time root/intermediate certificates expire, which can cause issue on devices which will not trust the new root/intermediate certificates.

  • deankdeank OGOfficial Troll

    There are still people who cling to Windows XP direly. I don't get it.

    One of their reasons for continuing to use XP was due to "privacy". Fak me. What fools.

    The Amitz day is October 21. ♻ I call people by their soulname.

  • mikhomikho AdministratorHosting ProviderOG

    @deank said:
    There are still people who cling to Windows XP direly. I don't get it.

    One of their reasons for continuing to use XP was due to "privacy". Fak me. What fools.

    I have a friend who still uses XP for her company.
    She hates Win 10.

    Get 4 or more NAT servers (mix/match between packages) and get a 30 % recurring discount. https://clients.mrvm.net

  • vyasvyas OGContent Writer

    @deank said:
    There are still people who cling to Windows XP direly. I don't get it.

    One of their reasons for continuing to use XP was due to "privacy". Fak me. What fools.

    Bank ATMs and Airport self check-in kiosks use Win XP

    Thanked by (2)bikegremlin Janevski
  • deankdeank OGOfficial Troll

    @vyas said:
    Bank ATMs and Airport self check-in kiosks use Win XP

    I said people. Or have we gone so far left that we are treating machines as lifeforms now?

    The Amitz day is October 21. ♻ I call people by their soulname.

  • The company I work for did actually receive the question if the system was supported on Windows XP not to long ago. Our answer: No, but you may develop something with our API's if you would want that! We're not gonna do that!

    We still (for a few more months) take the effort to make most of our web-applications sorta work in IE11. Plenty of big sites no longer do so! Even Microsoft!

    Sure, IE11 requires about LOTS of additional javascript to polyfill everything it does not support and there's plenty of comments "//Todo: remove IE11 support. Add/Remove this and that when IE11 support is dropped." and it is a shit load slower than any modern browser; but it does mostly work!

  • @deank said:
    There are still people who cling to Windows XP direly. I don't get it.

    One of their reasons for continuing to use XP was due to "privacy". Fak me. What fools.

    This. I get it having Windows XP running on a random VM but not as a main PC for God's sake.

  • I haven't checked recently, but a bike shop I often visit had a running PC with Windows XP.
    People often don't want to change stuff that works - for as long as it works.

    For the stuff connected to the Net, well, I'm not sure XP is a good idea today.
    Of course, the opposite end of that extreme is the always-update crowd.
    Updates for update sake. With zeitgeist that anything older than one year is considered ancient history.

    Thanked by (1)DataRecovery

    BikeGremlin
    Mostly harmless ™

  • vyasvyas OGContent Writer

    @deank said:

    @vyas said:
    Bank ATMs and Airport self check-in kiosks use Win XP

    I said people. Or have we gone so far left that we are treating machines as lifeforms now?

    People and machines are fungible.

  • edited May 21

    This is good. All the people stuck in the 1990s/2000s need to upgrade their stuff. The world can't accommodate them forever. Force them to upgrade!

  • edited May 22

    @mikho said: resulting in a minor decrease in compatibility

    Nice!
    Their poor selection of a root certificate is likely to cost you much more than a paid certificate for years.
    New root certificate is not trusted by default on Android 6 and older.

    These pages allow to calculate that "minor" loss:
    -- https://gs.statcounter.com/os-version-market-share/android
    -- https://www.appbrain.com/stats/top-android-sdk-versions

    Disable all versions newer than 6.0, summarize the remaining percentage and you will see that 11-12% of your visitors will not be able to access your site anymore.
    Moreover, they will see not a "certificate expired" message, but something like "this site may be trying to compromise you and steal sensitive data".

    BTW, Statcounter also allows to view the same stats for regions and particular countries.

    @bikegremlin said:
    I haven't checked recently, but a bike shop I often visit had a running PC with Windows XP.
    People often don't want to change stuff that works - for as long as it works.

    Sane people still exist.

    Of course, the opposite end of that extreme is the always-update crowd.

    For too many zoomers updates is a fetish.
    Flashing "NEW!" sign is kind of a drug, which distracts them for a short time from their inner emptiness.

    Updates for update sake.

    Dilbert: free software. Begs you to upgrade, makes other software slow (comic strip)

    Thanked by (1)bikegremlin
  • Sadly looks at my android 4.2 device. :'( I'm just emotionally attached to it, okay?

  • @DataRecovery said:
    Disable all versions newer than 6.0, summarize the remaining percentage and you will see that 11-12% of your visitors will not be able to access your site anymore.
    Moreover, they will see not a "certificate expired" message, but something like "this site may be trying to compromise you and steal sensitive data".

    3.6% of yoursunny.com readers are running Android 6 or older.
    They could just write me a letter and ask me to buy them a tablet.

  • @froge said:
    This is good. All the people stuck in the 1990s/2000s need to upgrade their stuff. The world can't accommodate them forever. Force them to upgrade!

    Maybe, but in this case, until the expired signing cert trick was discovered, we were looking at disenfranchising handsets from just 2015/2016, and in less wealthy countries, mopping up older stock, probably those purchased later than that.

  • DanielDaniel OG
    edited May 26

    @Neoon said: Right now most websites support TLS 1.2 and TLS 1.3, some even force TLS 1.3.

    As far as I know, usage of TLS 1.2 and 1.3 is mandated by several security standards, and older TLS and SSL versions must be disabled (eg I think PCI-DSS may mandate this now, or soon), so older browsers/devices that only support TLS 1.1 or lower would likely already be having issues with "high security" sites (banking/financial, etc). https://github.com/gholliday/tls12-announcements

    I had issues with some of my Github scripts a while back because Github started only accepting TLS 1.2 or above and apparently PowerShell uses an older TLS version by default (https://github.com/yarnpkg/yarn/pull/5422)

  • Seems to have started to "hit" some clients, with some providers.

    BikeGremlin
    Mostly harmless ™

Sign In or Register to comment.