Related to this: one of the very few good reasons to offer unencrypted HTTP is that in some parts of the world, old devices are in widespread use, and support for modern HTTPS cannot be taken for granted.
It’s kinda annoying that I can barely use my 2013 iPad Mini because of this kind of issue, even though I absolutely love that thing (I even used it as my primary smartphone using VoIP for a few years!).
Are you sure that's the issue, and not cipher/protocol support? The root CA needed for Let's Encrypt is "DST Root CA X3", which is supported by iOS 7 https://support.apple.com/en-ca/HT203065 (and has a validity start date in 2000, so I imagine it goes earlier). Now there are lots of other CAs, but Let's Encrypt is probably the most popular. I would be kind of surprised if the root certificate store is the limiting factor, as opposed to not supporting any GCM ciphers.
I have the same problem with a BlackBerry Playbook tablet - great form factor but it doesn’t handle websites using modern SSL.
I believe you can work around this using another machine as an SSL proxy - though setting that up is beyond my ability. Perhaps someone else can elaborate?
Indeed, proxies can work around the problem. I made this for Macs, but you could run it on a Mac and connect from a Playbook, or set up Squid yourself on a Raspberry Pi. https://jonathanalland.com/legacy-mac-proxy.html
I know Google tried to address this by giving Chrome its own independently upgradable certificate store and thought Apple would do something similar, especially since they don't have to rely on OEMs to push system updates.
I took a deep dive into this after I was unable to access my blog on my iOS 6 device. I concluded that I don't really need an SSL Labs A. It is much more likely someone will try visiting my blog with an older device than someone will MITM one of the visitors.
About years ago I saw a phone that could no longer connect to Play Store, probably because of lacking support for newer TLS versions. It was a rebranded Chinese phone, with no firmware update available.
I managed to install Firefox and a couple of apps by transferring the APKs from my phone using Bluetooth, but it's a popular brand in my country and I'm sure a lot of people are in the same situation.
I actually dug out my old Nexus One last week because I had an idea for a project and yeah, can't do anything on that phone anymore. It still connects to my WiFi, but it can't open Google Play any more and of course there are no updates available to make it work. Most websites don't open in the browser.
Funnily enough, Google Maps still works. I'm impressed that their APIs have remained the same for a very long time now.
And yes, I can probably still install APKs manually or find a custom firmware with a more modern version of Android where Google Play will work. But that requires a certain amount of skill and time, so for most owners this phone is only slightly more functional than a dumbphone.
I’ve heard this complaint before, but couldn’t you just put an HTTPS to HTTP proxy somewhere with good bandwidth to cut out the latency without hurting the security of people with good bandwidth/devices? Sure, a proxy costs money, but it’s not much compared to other infrastructure costs and it could be shared.