You might have seen the name “Let’s Encrypt” across the internet over the past week, and it’s no surprise why. As one of the most-used and best-known HTTPS certificate providers (having issued billions since its inception), it’s almost unheard of for a provider of this size to allow its root certificate to expire. If that doesn’t sound like a big deal – it’s about to. For many people across the world, it means that some of their devices might break without an upgrade. Yes, that’s right. Actually, break.

Who is Let’s Encrypt and what exactly do they do?

Let’s Encrypt essentially provides a layer of security for your device so that your data can’t be hacked by malicious parties online. They do this by using HTTPS certificates to help encrypt connections between your iPhone and Wi-Fi, for example.

So why has Let’s Encrypt’s root certificate expired?

Good question. It’s not known why Let’s Encrypt has allowed its root certificate to expire without having another ready, but as of 30th September it’ll no longer be valid. This means that all of your devices, web browsers, and so on that relied on Let’s Encrypt HTTPS certificates will be open to all of the malicious threats they were supposed to protect you against, as the certificates will no longer be “recognised”.

Let’s Encrypt has guaranteed it will have a new root certificate ready soon, but it’s arguably going to be a little too late to the party.

Who will this affect? 

It’s important to note that the situation with Let’s Encrypt won’t affect everyone, but anything that uses TLS/PKI on a device that isn’t regularly updated, or that runs older software, is likely to encounter some issues. These include devices that rely on old versions of Macs, Windows, and OpenSSL 1.0.2, to name just a few.

The biggest impact falls on the millions of Android users across the globe, and Let’s Encrypt has some extra advice for those owners:

“For an Android phone’s built-in browser, the list of trusted root certificates comes from the operating system — which is out of date on these older phones,” Let’s Encrypt explains. “However, Firefox is currently unique among browsers — it ships with its own list of trusted root certificates.”
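
A check an administrator could run against a client’s trust store, added here as an example and not taken from Let’s Encrypt or Scopify: it flags root certificates that have expired or are about to. The sample roots, their names and their dates are constructed, and `audit_roots` and `system_roots` are hypothetical helper names.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by SSLContext.get_ca_certs();
# the names and dates are made up for illustration.
SAMPLE_ROOTS = [
    {"subject": ((("organizationName", "Example Trust"),),
                 (("commonName", "Example Legacy Root"),)),
     "notAfter": "Sep 30 12:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Aging Root"),),),
     "notAfter": "Oct 15 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Example Current Root"),),),
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

def audit_roots(ca_certs, now, warn_days=30):
    """Return (name, status, days_left) per root, soonest expiry first; `now` must be timezone-aware."""
    now_ts = now.timestamp()
    report = []
    for cert in ca_certs:
        # subject is a tuple of RDNs, each RDN a tuple of (key, value) pairs
        subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
        name = subject.get("commonName") or subject.get("organizationName", "<unnamed>")
        seconds_left = ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts
        days_left = int(seconds_left // 86400)
        if seconds_left <= 0:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append((name, status, days_left))
    return sorted(report, key=lambda row: row[2])

def system_roots():
    # Roots that Python's default TLS context has loaded on this machine. Stores set up
    # as a hashed directory (capath) load lazily, so the list can be empty or partial.
    return ssl.create_default_context().get_ca_certs()

if __name__ == "__main__":
    roots = system_roots() or SAMPLE_ROOTS
    for name, status, days in audit_roots(roots, datetime.now(timezone.utc)):
        if status != "ok":
            print(f"{status:9} {days:6d}d  {name}")
```

An expired root in the store is only half the picture: a device is also affected when the newer root it needs is missing, which is why keeping the operating system or browser trust list updated matters.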

Historical impact of root certificate expiries

This isn’t the first time something like this has happened; back in 2020, the AddTrust External CA Root expired, which caused a huge ripple across some of the biggest websites in the world like Stripe, Roku, and hundreds more.

Effects already seen

Here at Scopify, we’ve already seen a massive spike in the uptime monitoring alerts we send out. Over the past week, we’ve sent 3x more uptime alerts than we would on average, showing the snowballing effect that the issue with Let’s Encrypt has already had.

Want to make sure you’re alerted if your website is affected? Sign up for a free account!


