Let's Encrypt removes compatibility with older browsers
Hello from the staff at Let's Encrypt.
On September 30, there will be a change in how older browsers and
devices trust Let's Encrypt certificates, resulting in a minor decrease
in compatibility. If you run a typical website, you won't notice a
difference. Devices and browsers running up-to-date software will
continue working fine, and we've taken steps to make sure the vast
majority of older devices will too. If you run a large website, or need
to support less common software (particularly non-browser software),
you'll want to read about the details at:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
In either case, no action is required from you. We're letting you know
so you can provide answers to any questions your site visitors may have.
Here is a sample hostname from one of your current Let's Encrypt
certificates:
Since 2015 we've served the world with 1.6 billion free certificates,
each one providing security and privacy to people on the Web. It's work
that's 100% funded by charitable donations since we are a nonprofit. If
your company is interested in sponsorship, please email
[email protected]. If you can make a donation, we ask that you
consider supporting our work today: https://letsencrypt.org/donate/
Thank you.
- The Let's Encrypt team
Comments
Well, most of the old old browsers won't even support TLS 1.3.
Right now most websites support TLS 1.2 and TLS 1.3, some even force TLS 1.3.
I don't think that's gonna cut it that much, if LE drops old browser support.
Free NAT KVM | Free NAT LXC
Can't keep being bogged down by the past.
Has to move on at some point.
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
True
https://clients.mrvm.net
Be aware that Let's Encrypt has already updated/changed their certificate chain on May 4th. Applications that use an (old?) internal certificate store may not have this new intermediate certificate installed and thus complain about invalid certs. I'm looking at your Synology, get it together.
The old chain before May 3rd was: End-entity certificate ← R3 ← DST Root CA X3
The new chain since May 4th is: End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3
Source: https://community.letsencrypt.org/t/production-chain-changes/150739
ISRG Root X1 is the new certificate which will take over when DST Root CA X3 expires on September 30th.
Glad to see that, people should really stop using obsolete OS/browsers.
That is the only way to get regular people to stop using obsolete things, remove everything around them, eventually people have no other choice.
https://clients.mrvm.net
It's not that Let's Encrypt really removes anything. It's just that devices/browsers with outdated root certificates no longer have trust in certain certificates in the whole chain.
Technically any SSL provider has this issue. After a certain amount of time root/intermediate certificates expire, which can cause issues on devices which will not trust the new root/intermediate certificates.
There are still people who cling to Windows XP direly. I don't get it.
One of their reasons for continuing to use XP was due to "privacy". Fak me. What fools.
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
I have a friend who still uses XP for her company.
She hates Win 10.
https://clients.mrvm.net
Bank ATMs and Airport self check-in kiosks use Win XP
VPS reviews and benchmarks |
I said people. Or have we gone so far left that we are treating machines as lifeforms now?
♻ Amitz day is October 21.
♻ Join Nigh sect by adopting my avatar. Let us spread the joys of the end.
The company I work for did actually receive the question of whether the system was supported on Windows XP not too long ago. Our answer: No, but you may develop something with our APIs if you would want that! We're not gonna do that!
We still (for a few more months) take the effort to make most of our web-applications sorta work in IE11. Plenty of big sites no longer do so! Even Microsoft!
Sure, IE11 requires LOTS of additional JavaScript to polyfill everything it does not support and there are plenty of comments like "//Todo: remove IE11 support. Add/Remove this and that when IE11 support is dropped." and it is a shit load slower than any modern browser; but it does mostly work!
This. I get it having Windows XP running on a random VM but not as a main PC for God's sake.
I haven't checked recently, but a bike shop I often visit had a running PC with Windows XP.
People often don't want to change stuff that works - for as long as it works.
For the stuff connected to the Net, well, I'm not sure XP is a good idea today.
Of course, the opposite end of that extreme is the always-update crowd.
Updates for update's sake. With the zeitgeist that anything older than one year is considered ancient history.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
People and machines are fungible.
VPS reviews and benchmarks |
This is good. All the people stuck in the 1990s/2000s need to upgrade their stuff. The world can't accommodate them forever. Force them to upgrade!
FrogeHost
Nice!
Their poor selection of a root certificate is likely to cost you much more than a paid certificate for years.
New root certificate is not trusted by default on Android 6 and older.
These pages allow you to calculate that "minor" loss:
-- https://gs.statcounter.com/os-version-market-share/android
-- https://www.appbrain.com/stats/top-android-sdk-versions
Disable all versions newer than 6.0, summarize the remaining percentage and you will see that 11-12% of your visitors will not be able to access your site anymore.
Moreover, they will see not a "certificate expired" message, but something like "this site may be trying to compromise you and steal sensitive data".
BTW, Statcounter also allows you to view the same stats for regions and particular countries.
Sane people still exist.
For too many zoomers updates are a fetish.
Flashing "NEW!" sign is kind of a drug, which distracts them for a short time from their inner emptiness.
Sadly looks at my android 4.2 device. I'm just emotionally attached to it, okay?
https://phpbackend.com/
3.6% of yoursunny.com readers are running Android 6 or older.
They could just write me a letter and ask me to buy them a tablet.
Webhosting24 aff best VPS; ServerFactory aff best VDS; Cloudie best ASN; Huel aff best brotein.
Maybe, but in this case, until the expired signing cert trick was discovered, we were looking at disenfranchising handsets from just 2015/2016, and in less wealthy countries, mopping up older stock, probably those purchased later than that.
As far as I know, usage of TLS 1.2 and 1.3 is mandated by several security standards, and older TLS and SSL versions must be disabled (e.g. I think PCI-DSS may mandate this now, or soon), so older browsers/devices that only support TLS 1.1 or lower would likely already be having issues with "high security" sites (banking/financial, etc). https://github.com/gholliday/tls12-announcements
I had issues with some of my GitHub scripts a while back because GitHub started only accepting TLS 1.2 or above and apparently PowerShell uses an older TLS version by default (https://github.com/yarnpkg/yarn/pull/5422)
Daniel15 | https://d.sb/. List of all my VPSes: https://d.sb/servers
dnstools.ws - DNS lookups, pings, and traceroutes from 30 locations worldwide.
Seems to have started to "hit" some clients, with some providers.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
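The old and new chains quoted in the thread, modelled as an added example (not from Let's Encrypt or any poster) to show which clients still build a trusted path after DST Root CA X3 expires. The three client profiles, their root stores, the premise that old Android does not enforce expiry on its trust anchors, and every date other than September 30, 2021 are assumptions of this model; names stand in for real signatures.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime

# Constructed model, not real certificates. Only the DST Root CA X3 expiry date
# (September 30, 2021) is from the thread; every other date is an assumption.
DST_EXPIRY = datetime(2021, 9, 30, tzinfo=UTC)
CROSS_EXPIRY = datetime(2024, 9, 30, tzinfo=UTC)  # assumed: cross-sign outlives its issuer
FAR = datetime(2030, 1, 1, tzinfo=UTC)            # placeholder "still valid" date

DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", DST_EXPIRY)
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", FAR)
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", CROSS_EXPIRY)
R3_OLD = Cert("R3", "DST Root CA X3", DST_EXPIRY)
R3_NEW = Cert("R3", "ISRG Root X1", FAR)
LEAF = Cert("example.test", "R3", FAR)

OLD_CHAIN = [LEAF, R3_OLD]                 # End-entity <- R3 <- DST Root CA X3
NEW_CHAIN = [LEAF, R3_NEW, ISRG_X1_CROSS]  # End-entity <- R3 <- ISRG Root X1 <- DST Root CA X3
MODERN = {c.subject: c for c in (ISRG_X1, DST_X3)}  # up-to-date root store
LEGACY = {DST_X3.subject: DST_X3}                   # store that never received ISRG Root X1

def validates(chain, anchors, now, enforce_anchor_expiry=True):
    """Walk the served chain leaf-first until a cert's issuer is a trusted root."""
    for i, cert in enumerate(chain):
        if now >= cert.not_after:
            return False  # an expired certificate in the path
        root = anchors.get(cert.issuer)
        if root is not None:  # stop at the first locally trusted root
            return not enforce_anchor_expiry or now < root.not_after
        if i + 1 == len(chain) or chain[i + 1].subject != cert.issuer:
            return False  # issuer neither trusted nor supplied by the server
    return False

def matrix(now):
    """Outcome for every (chain, client) pair at time `now`."""
    clients = {"modern": (MODERN, True), "old-android": (LEGACY, False),
               "strict-legacy": (LEGACY, True)}
    chains = {"old": OLD_CHAIN, "new": NEW_CHAIN}
    return {(c, k): validates(ch, store, now, strict)
            for c, ch in chains.items() for k, (store, strict) in clients.items()}
```

Calling `matrix()` with a date before and after September 30, 2021 shows the new chain keeps working for the modern and old-Android profiles, while a client that has only DST Root CA X3 and enforces root expiry starts failing.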