At 16:01 CET, potentially millions of devices may have lost access to Internet pages and services.
Most of the affected products are several years old: for the most part old mobiles, Internet of Things devices, and even web servers. The good news is that the problem can be solved just by keeping our devices up to date, or by using modern web browsers; the bad news is that this is not always possible, and it is expected that an indeterminate number of devices will not be able to reconnect to the Internet.
The problem lies in the first certificate issued by one of the largest providers, Let’s Encrypt, which was born as an initiative to improve security on the Web. Initially, to access a web page the HTTP protocol was used, but it had the disadvantage that it was not secure; anyone who could capture our communications could obtain our data and it was possible to deceive the user with false pages.
HTTPS was born to solve this. With this version of the protocol, web browsers encrypt the connection to the server, and the server can guarantee its identity by presenting a certificate issued by a trusted source, such as Let’s Encrypt. In this way, we have the security that we connect to the page that we really want.
By their very nature, certificates are not forever: they have an expiration date to prevent someone malicious from taking advantage of them in the future. And the original Let’s Encrypt certificate, called “IdenTrust DST Root CA X3”, expired today, September 30, at 16:01 UTC+2 (Spanish peninsular time).
Normally, none of this is a problem. For the average user, nothing will change, and we can continue browsing and using online services as usual, and it is not necessary to even think about things like “certificates”. That’s because there is a process to change your certificate to a newer one, and the vast majority of modern browsers and devices have already done so.
Which devices will not be able to connect
The problem is in those who have not. Those devices have lost or will lose connection to web pages and their services, or they will have problems running their software correctly: they are the ones that have not been updated, for one reason or another. Typically, because the manufacturer has dropped support for their product, and has not released the necessary update.
Therefore, although it is difficult to calculate the true impact of this problem, according to Let’s Encrypt, the older operating systems will be the most affected. Android stands out, which will not be able to connect if we still have a version lower than 2.3.6; it will also affect iPhones that cannot update to iOS 10, and computers that cannot install at least Windows XP SP3. On Macs, it will fail unless we can install macOS 10.12.1.
The problem even affects video game consoles, such as the PlayStation 3, the PlayStation 4 if we do not have the 5.00 firmware, and the Nintendo 3DS.
In many cases, the solution is simple: use a different browser. If we install the latest version of Firefox available for our computer, we will be able to continue browsing because it includes its own list of certificates, instead of depending on those that the system has. However, in many devices that is not possible, and they have not received updates from the manufacturers.
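The two paragraphs above (the certificate swap that updated devices have already done, and Firefox succeeding because it carries its own certificate list) come down to what is in a client's trust store when the old root expires. The following is an added example, not code from the article or from Let’s Encrypt: a small model of certificate path building with constructed certificates and dates. Only the expired root name “DST Root CA X3” and the expiry time come from the article; the site, intermediate and new root names and their dates are constructed stand-ins for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Just the fields needed to build a chain: who it names, who signed it, when it expires."""
    subject: str
    issuer: str
    not_after: datetime


# Expiry time from the article: 16:01 UTC+2 on 30 September 2021.
OLD_ROOT_EXPIRY = datetime(2021, 9, 30, 14, 1, tzinfo=UTC)

# Constructed certificates (names and dates are illustrative, not real issuer data).
OLD_ROOT = Cert("DST Root CA X3", "DST Root CA X3", OLD_ROOT_EXPIRY)
NEW_ROOT = Cert("Constructed New Root", "Constructed New Root", datetime(2035, 6, 4, tzinfo=UTC))
# The new root cross-signed by the old one: lets clients that only trust OLD_ROOT validate
# the chain, but only until OLD_ROOT expires (constructed to expire with it).
CROSS_SIGNED_NEW_ROOT = Cert("Constructed New Root", "DST Root CA X3", OLD_ROOT_EXPIRY)
INTERMEDIATE = Cert("Constructed Intermediate", "Constructed New Root", datetime(2025, 9, 15, tzinfo=UTC))
LEAF = Cert("example.com", "Constructed Intermediate", datetime(2021, 12, 29, tzinfo=UTC))

# What the web server sends: the site certificate plus the cross-signed chain.
SERVED_CHAIN = [LEAF, INTERMEDIATE, CROSS_SIGNED_NEW_ROOT]

# Trust stores of three kinds of client (constructed).
OLD_STORE = frozenset({OLD_ROOT})                # never updated: only knows the old root
UPDATED_STORE = frozenset({OLD_ROOT, NEW_ROOT})  # updated operating system
BROWSER_STORE = frozenset({NEW_ROOT})            # browser shipping its own certificate list

BEFORE_EXPIRY = datetime(2021, 9, 1, tzinfo=UTC)
AFTER_EXPIRY = datetime(2021, 10, 1, tzinfo=UTC)


def find_valid_path(leaf, served, trust_store, now):
    """Return a list of certs from the leaf to a trusted root, every one unexpired at
    `now`, or None if no such path exists. A trust anchor is preferred over a served
    cross-signed certificate, which is how modern path builders behave."""
    anchors = {c.subject: c for c in trust_store}
    by_subject = {}
    for cert in served:
        by_subject.setdefault(cert.subject, []).append(cert)

    def walk(cert, path):
        if cert.not_after <= now:
            return None  # expired link: this path is dead
        path = path + [cert]
        if cert.subject == cert.issuer:
            return path if cert in trust_store else None
        anchor = anchors.get(cert.issuer)
        if anchor is not None and anchor.not_after > now:
            return path + [anchor]
        for candidate in by_subject.get(cert.issuer, []):
            if candidate in path:
                continue  # avoid loops through cross-signed pairs
            result = walk(candidate, path)
            if result is not None:
                return result
        return None

    return walk(leaf, [])


def check(trust_store, now):
    """Subjects of the chain the client accepts, or None when the connection fails."""
    path = find_valid_path(LEAF, SERVED_CHAIN, trust_store, now)
    return None if path is None else [c.subject for c in path]


if __name__ == "__main__":
    for label, store in [("old device", OLD_STORE), ("updated OS", UPDATED_STORE), ("own browser list", BROWSER_STORE)]:
        for when, now in [("before expiry", BEFORE_EXPIRY), ("after expiry", AFTER_EXPIRY)]:
            print(f"{label:16} {when:14} -> {check(store, now)}")
```

The old device validates the served chain up to the expired root only while that root is still valid; once it expires, every path it can build passes through an expired certificate and the connection fails. A client with the new root in its store never needs the cross-signed certificate, so it is unaffected, which is the situation of updated systems and of a browser that brings its own list.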
At this time, it is still a mystery to what extent the Internet will be affected by this. The last time something like this happened was on May 30, 2020, when an AddTrust certificate expired, causing the servers of services like Stripe to crash. But the Let’s Encrypt certificate is much more widely used, so the consequences may be greater.