Hello, welcome to the Tuesday, December 29th, 2020 edition of the Santernet Storm Center's

Stormcast. My name is Johannes Ulrich, and the air recording from Jacksonville, Florida.

January 11th was supposed to be originally a fairly critical date for old Android operating systems and Let's Encrypt.

Historically, Let's Encrypted not have its own root certificate authority.

Instead, they used a certificate authority based on IDEN trust.

Now, more recently, they used their own route certificate, but then also had it still

cross-signed with ident trust. And the reason for that was that not all operating systems yet

recognized Let's Encrypt's Own Certificate Authority. Well, this was supposed to change come January 11th, at which point

the original identtrust certificate authority expired and going forward, let's encrypt was no longer

going to use ident trust but only let's encrypt. Problem, while older Android versions did not include

the Let's Encrypt Set of Authority and as a result they would no longer trust any

Let's Encrypt certificate issued after January 11th.

All we're talking about Android versions that are quite old, pretty much anything prior

to 7.1.1.

It's still affected a significant percentage of the user population.

So what's actually going to happen now on January 11th is that Let's Encrypt will continue to use the expired ident trust certificate authority in addition to its own.

Now, you may ask, how can this work if identrust is expired?

Well, it turns out that Android actually ignores the expiration

for a set of authorities that are implicitly trusted. So this will still keep the older Android

versions in business. And of course, newer ones will just ignore the identrust one and then use the self-signed

set of authority that's now included as an anchor in Android and other operating systems.

This new arrangement will stay in place until 2004 when this expire

...