[regecks]

On Android, the root was first added in Nougat (~half of devices according to Android Distribution Dashboard). But I think that browsers (like Firefox and Chrome) on Android tend to bring their own cacerts rather than using the device's, so it's probably not as bad as it looks.

To that end, it was added to NSS 3.26/Firefox 50 (November 2016) and to Chrome 57 (March 2017).

On iOS, it was first added in iOS 10 (2016).

The root itself was created in June 2015.

Edit: they also have a list on their website - https://letsencrypt.org/docs/certificate-compatibility/#know... . It lists Android < 2.3.6 as being incompatible .. I wonder if that's updated for the non-cross-signed intermediates.

[emj]

I was eating breakfast with a multitude of Android phones around me and four "older ones" could not access that site. The oldest that could connect was ~5 months old, all using new Mobile Chrome versions.

[londons_explore]

The reality is, for a bunch of usecases, you're gonna need to support 15 plus year old devices.

So Windows XP...

There are a lot of old systems out there running API's, automation, industrial systems, etc. They never get updates, and are expected to last decades. Most of them aren't on the public internet, but HTTPS would still be a good idea. This change is going to mean a bunch of them just get changed over to having no encryption.

[pcnix]

This is because the IdenTrust root is expiring though, it's not something LetsEncrypt can do anything about.

[profmonocle]

They could get a new cross-signed intermediate from a root with broader compatibility.

Though I imagine that's extremely expensive. I expect that has something to do with this decision - they are a non-profit after all.

[panarky]

> it's not something LetsEncrypt can do anything about

This is going to cause a lot of stuff to break, and it's 100% LE's responsibility.

HN's root cert is valid through 2038.

LE could have gotten cross-signed by a cert that didn't expire so soon, but they didn't.

[londons_explore]

> LE could have gotten cross-signed by a cert that didn't expire so soon, but they didn't.

And they still could.

[tcd]

If you want to use an old, unsupported OS then don't expect support.

Expecting XP or say Windows 98 to still work on modern day standards is just laughable.

Upgrade, or get left behind. The concept of 'never updating' isn't one that is practical and you'll pay the penalty for it later on.

[shawnz]

Consider that for mobile users, updated software might not be available for their hardware and they might not be able to afford new hardware.

[pard68]

Work for a university. We have a number of students in Africa, southeast Asia, and eastern Europe taking online courses. We do not support Windows XP or Vista, except for in the case of these students. Some of these guys don't have the resources for anything else.

I also know that we get a number of students connecting with Android v3 or earlier from these same locales.

[tomschlick]

Something like Ubuntu sounds like a great fit then.

[isostatic]

Anyone running XP or whatever for a good reason will be able to install the new root certificate

[aasasd]

Most industrial devices and even consumer kiosks probably access sites that are under the control of the device's owner or manufacturer. So the sites can just use self-signed certificates in the first place.

Or, for industrial use a hundred bucks on a certificate from an older CA is nothing.

[cpach]

Or, as 'vbezhenar hinted at elsewhere, the operators of the systems can distribute and install the ISRG root certificate to the devices that need them.

[panarky]

I built an app that's used on thousands of Android devices in an industrial setting. Most of the devices were acquired last year.

Just tested with the new LE root cert and it doesn't work.

LE says "it's CA problem, not a Let's Encrypt problem", but that's disingenuous.

Let's Encrypt chose to get cross-signed by a root that expires in a couple years.

For example, HN's root doesn't expire until 2038.

This is definitely a Let's Encrypt fuckup that will cause many sites and apps to break.

[nacs]

> I built an app that's used on thousands of Android devices in an industrial setting

If its that important to you or if its a commercial offering in an 'industrial setting', you should have no problems acquiring a cheap SSL certificate from another source. You can literally get them as low as $6 a year right now.

LE provides a great service and continues to do so. If you want to nitpick, then jump to a 'competitor'.

[panarky]

> If you want to nitpick, then jump to a 'competitor'

Sure, I can solve the problem by switching to a different CA, or by adding the ISRG root cert to each device.

But this is a problem that didn't need to happen. I blame myself for not anticipating it when I selected LE.

And I blame LE for cross-signing with a root cert that expires so soon. Not a good choice for a new CA that will take many years to be trusted on most devices.

[chronogram]

Good to know, which also is the most relevant test I imagine with all android phones coming with chrome. Thanks.

[lukasb]

I have a first-generation Pixel, so a couple years old now, and it accessed the test site fine.

[ripdog]

That's still getting updates, isn't it?

[lukasb]

Ah I didn't realize that's what he meant by five months old

[mkj]

That website list is for SHA-2 compatibility, not the new root.

[Ajedi32]

That page seems to be out of date. I've filed an issue asking them to update it: https://community.letsencrypt.org/t/please-update-the-certif...

[vbezhenar]

So iPhone 4S is out of luck. That's terrible move. Suddenly half of the Internet becomes inaccessible to a perfectly working device. Though I think that user can install new CA certificate, so it's possible to manuall work around that problem.

[bdhess]

The iPhone 4S has not received a security update in >2 years, and has >700 known security vulnerabilities, so it is not a "perfectly working device," it's a "probably compromised device."

https://nvd.nist.gov/vuln/search/results?adv_search=true&for...

[cpach]

”Though I think that user can install new CA certificate, so it's possible to manuall work around that problem.”

Good point. Generally it’s a bad idea for users to install any CA certificates on their devices, but in this case I think it makes sense.