Smartphones older than 10 years risk losing internet access on Thursday, September 30. This is the day, according to security researcher and Hacking and Encryption trainer Scott Helme, that “the root certificate that Let’s Encrypt are currently using, the IdenTrust DST Root CA X3 certificate, will expire.”
For Helme, “You may or may not need to do anything about this Root CA expiring, but I’m betting a few things will probably break on that day.”
The devices concerned (smartphones, iPads or tablets, computers or video game consoles) will not be “cut off” from the internet but could encounter error messages when connecting to sites using the security certificate. It is not the manufacturing date to look out for but the date the device was updated, as a newer smartphone or iPhone could be using an old operating system.
Most people in Monaco and France will not be impacted, but anyone using an older iPhone, say an iPhone 4 or 5 that is not operating on iOS 10 (phones not updated for five years), who sees a security certificate error message while browsing can resolve the issue with a simple update to their operating system.
On his website, Helme describes the problem in detail: “Ultimately, all certificates that power HTTPS on the Web are issued by a CA, a trusted organisation recognised by your device/OS. These [Trusted Root Certificate Authorities] certificates are built into your OS and are generally updated as part of the normal process of updating your OS. The certificate that is going to cause a problem is the IdenTrust DST Root CA X3.
“The clock is ticking and we are getting close to the expiration date of Sep 30th 2021 but it’s not just an expiration date, it’s an expiration timestamp that we call ‘notAfter:’. Once this root CA has expired, clients, like web browsers, will no longer trust certificates that have been issued by this CA.”
Helme says this is not the first time a root CA certificate has expired. “I imagine it will follow the same trend as previous expirations where things break. If the root certificate that your certificate chain anchors on is expired then there’s a good chance it's going to cause things to fail. This happened last year, on May 30th at 10:48:38 2020 GMT to be exact, when the AddTrust External CA Root expired and took a bunch of things with it. Organisations like Roku, Stripe, Spreedly and many others had problems.”