Friday, 13 November 2020

Accessing The Company's website from older Android phones

The Headlines:

A red triangle with an exclamation mark inside followed by the text "Your connection is not private". Screen captured from the chrome SSL certificate error page.

If you use an older Android phone or tablet, specifically one that has a version of Android older than 7.1.1[1], then at some point next year thecompanysheffield.co.uk will stop working for you. This is because older Android phones will no longer recognise The Company's website as being secure, unless you use Firefox mobile.

Why?

The organisation we get our secure certificates from, Let’s Encrypt, is making changes to their hierarchy. This is the route your browser follows to ensure that there is a chain of trust from the website you are accessing up to a list of trusted organisations it or your computer already knows about. They are doing this for two reasons: first, they have now been operating for long enough that they are trusted in their own right (when they started, another certificate issuer vouched for them); second, to reduce the amount of your data allowance that is used checking that a website is secure. The site will stop working on those phones because versions of Android older than 7.1.1 don't trust Let’s Encrypt outright, only through the other issuer that vouched for them.

Why just Android?

It isn't really just Android, but Android is by far the biggest group of users this will affect, and even then that translates to only a tiny number of people who visit our website. The problem is that Android devices are far less likely to have been kept up to date with the latest updates than other phones, tablets or laptop/desktop computers. The large number of different devices made by different manufacturers, which means there is a lot of choice out there, also means it can be a bit pot luck whether any specific one keeps being updated. Unlike Windows-based computers, there is no direct route for operating system updates to be pushed to users; they all go through the phone manufacturer. Apple have the devices as well as the operating system under their control, so older devices tend to be more up to date. Just for completeness I should mention Windows Phone[2]. There. We expect there might be a few odd cases on the edges, but most of those people know where they are at and why.

What is special about Firefox?

Unlike most browsers, especially on phones, Firefox on mobile[3] keeps its own counsel on who to trust rather than relying on the list built into Android, and that list is up to date, so it trusts Let’s Encrypt. It currently works on Android 5 (Lollipop) or newer devices, so I am sorry to say we have no workaround if you use an older phone than that, other than to suggest you use another device.
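To make the "chain of trust" idea concrete, here is a small added example (not code from The Company or from Let’s Encrypt) that models what a browser does when it checks a certificate: it follows the "who signed whom" links from the site's certificate upwards until it reaches an organisation in its own list of trusted roots. Real signature checks are replaced by a simple lookup so it runs offline, and the certificate names (the R3 intermediate, ISRG Root X1, and the older DST Root CA X3 that vouched for it) are assumptions based on Let’s Encrypt's published hierarchy, as are the three simplified trust stores. It shows why the same site keeps working for Firefox mobile and newer Android but fails on Android older than 7.1.1 once the cross-signed root is no longer sent.

```python
"""Toy model of how a browser builds a chain of trust (added example).

Certificates are simplified to (subject, issuer) pairs and the real
signature checks are replaced by a lookup of who signed whom, so this runs
offline. Root and intermediate names are assumptions based on Let's
Encrypt's published hierarchy, not values taken from the post.
"""
from typing import Dict, List, Optional, Set, Tuple

Cert = Tuple[str, str]  # (subject, issuer); a self-signed root has subject == issuer

# Constructed certificates (assumed names, simplified).
LEAF: Cert = ("thecompanysheffield.co.uk", "R3")              # the site's certificate
INTERMEDIATE: Cert = ("R3", "ISRG Root X1")                    # Let's Encrypt intermediate
ROOT_SELF_SIGNED: Cert = ("ISRG Root X1", "ISRG Root X1")      # Let's Encrypt's own root
ROOT_CROSS_SIGNED: Cert = ("ISRG Root X1", "DST Root CA X3")   # same root, vouched for by another CA

# What the server sends alongside the site certificate, before and after the change.
OLD_CHAIN: List[Cert] = [INTERMEDIATE, ROOT_CROSS_SIGNED]
NEW_CHAIN: List[Cert] = [INTERMEDIATE, ROOT_SELF_SIGNED]

# Assumed trust stores: the list of organisations each client already knows about.
TRUST_STORES: Dict[str, Set[str]] = {
    "android < 7.1.1": {"DST Root CA X3"},                     # never learned ISRG Root X1
    "android >= 7.1.1": {"DST Root CA X3", "ISRG Root X1"},
    "firefox mobile": {"ISRG Root X1"},                         # ships its own list
}


def build_chain(leaf: Cert, sent_certs: List[Cert], trust_store: Set[str],
                max_depth: int = 5) -> Optional[List[str]]:
    """Return the subjects from the leaf up to a trusted root, or None if no path exists.

    A certificate is accepted as soon as its issuer is in the trust store.
    Otherwise every certificate the server sent whose subject matches that
    issuer is tried in turn, which is what lets a cross-signed root offer an
    alternative path to an older trust anchor.
    """
    def walk(cert: Cert, seen: Set[Cert], depth: int) -> Optional[List[str]]:
        subject, issuer = cert
        if depth > max_depth or cert in seen:
            return None  # runaway or looping chain
        if issuer in trust_store:
            return [subject, issuer]
        for candidate in sent_certs:
            if candidate[0] == issuer and candidate != cert and candidate not in seen:
                path = walk(candidate, seen | {cert}, depth + 1)
                if path is not None:
                    return [subject] + path
        return None

    return walk(leaf, set(), 0)


def check_all_clients(sent_certs: List[Cert]) -> Dict[str, bool]:
    """Map each client to whether it can find a trusted path for the given chain."""
    return {name: build_chain(LEAF, sent_certs, store) is not None
            for name, store in TRUST_STORES.items()}


if __name__ == "__main__":
    for label, chain in (("before the change", OLD_CHAIN), ("after the change", NEW_CHAIN)):
        print(label)
        for client, ok in check_all_clients(chain).items():
            path = build_chain(LEAF, chain, TRUST_STORES[client])
            shown = " -> ".join(path) if path else ""
            print(f"  {client:17} {'trusted' if ok else 'NOT trusted'}  {shown}")
```

Run it and the "after the change" section shows the old Android store is the only one with no path: its list contains DST Root CA X3 but the server no longer sends the certificate that links ISRG Root X1 back to it. Firefox mobile never needed that link because its own list already contains ISRG Root X1.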

What are the specifics?

The long answer is in this blog post from Let’s Encrypt. There is also an even longer detailed explanation of the changes.


[1] Unfortunately this doesn't line up directly with the dessert-based codenames Android versions were given until recently. 7.1.1 was an update to “Nougat” that came out on December 5, 2016.
[2] I'm sorry, I don't know if you still get security updates; maybe ask Cortana?
[3] We're not getting any money to promote them; they have just been highlighted as a way to work around the problem. Ask the person you usually go to for IT support if you aren't sure whether it is right for you. (Hi mum!)