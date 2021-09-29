

Do you own a smartphone, computer or video game console? Be careful: your devices may soon experience something like a giant internet blackout.

This is what Scott Helme, a cybersecurity researcher, says in a blog post published on September 20. According to him, from September 30, 2021, millions of devices could potentially display errors when visiting websites. The cause is the expiration of a digital security certificate: “IdenTrust DST Root CA X3”.

What is a security certificate?

“IdenTrust DST Root CA X3” is an electronic document that allows a website to be authenticated. More specifically, when you, as an Internet user, launch your browser, this certificate is used to check the reliability of the site you want to consult.

The data is encrypted, and the content of your e-mails is protected, by encryption with public and private keys. The first can be shared with everyone. “Anyone with access to your public key can use it to send you encrypted data. Only you will be able to decrypt it because you have the private key”, Corinne Hénin, cybersecurity expert, explains to actu.fr.

For its part, your browser is responsible for retrieving the security certificate of the site you wish to consult “and for using its own certificate store to verify that the latter is trustworthy”, adds the specialist. If the connection is not considered trustworthy, you will most likely receive this type of message:

Please note that you are accessing a website for which we have not been able to verify the certificate. Do you want to continue?

What is actually happening on Thursday, September 30?

As of that date, “IdenTrust DST Root CA X3” expires. However, this certificate plays the role of trusted authority for most websites whose certificates have been signed by Let’s Encrypt. The latter is a certification authority launched in 2015 which has made encryption of the web very widely accessible, notably through HTTPS connections.





“You want to create a site and you want to obtain a certificate, you can go through this organization which will itself sign the certificate for your site”, continues Corinne Hénin. It is a kind of “official stamp” that ensures a person connecting to your site does not receive an error message.

But when this certificate expires, things change. The other certificates will no longer have a trusted authority to check the reliability of your connection.

“Your browser will start to moan, telling you that the communication is not secure, that this site is not trusted.” Corinne Hénin, cybersecurity expert

Which devices are affected?

In itself, the expiration only impacts older models of smartphones, PCs or even game consoles whose manufacturers no longer deliver updates. Indeed, Let’s Encrypt has issued a new “ISRG Root X1” certificate which only works on newer devices.

On its site, Let’s Encrypt has published a list of devices potentially affected by this issue (as well as earlier versions):

Windows XP Service Pack 3

OpenSSL 1.0.2

macOS 10.12.1

iOS 10

Android 7.1.1

Mozilla Firefox 50

Ubuntu 16.04

Debian 8

Amazon FireOS (Silk Browser)

Java 8 8u141

Java 7 7u151

NSS 3.26

How do I access the Internet with my old device?

Do not panic if you are directly affected by the expiration of the IdenTrust certificate: after September 30, you will still be able to browse the web by installing the Firefox browser.

More good news, concludes Corinne Hénin: you will have a bit of a reprieve until 2024 if you browse on Android. “There was an agreement between IdenTrust and Let’s Encrypt, so that IdenTrust, whose certificate will expire, regenerates new intermediate certificates until 2024”. As Android phones do not check the root expiration date, you should not, in principle, be blocked as of September 30.
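
The trust-store logic described above, as an added example (not from the original article or from Let’s Encrypt): a simplified Python model that takes root entries in the dict format returned by ssl.SSLContext.get_ca_certs() and reports whether a Let’s Encrypt chain can still be anchored on a device. The two sample stores, their notAfter values and the ignores_root_expiry flag (which models the Android behaviour mentioned above) are constructed assumptions.

```python
import ssl
from calendar import timegm

# Root names as given in the article.
OLD_ROOT = "DST Root CA X3"
NEW_ROOT = "ISRG Root X1"

def common_name(cert):
    """Subject commonName of a get_ca_certs()-style dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def usable_roots(store, at, ignores_root_expiry=False):
    """Which of the two roots can still anchor a chain at epoch time `at`."""
    usable = set()
    for cert in store:
        name = common_name(cert)
        if name not in (OLD_ROOT, NEW_ROOT):
            continue
        expired = at > ssl.cert_time_to_seconds(cert["notAfter"])
        # Assumption: a client that skips the expiry check on roots
        # keeps trusting an expired root that is still in its store.
        if not expired or ignores_root_expiry:
            usable.add(name)
    return usable

def lets_encrypt_verdict(store, at, ignores_root_expiry=False):
    """Simplified verdict; the intermediate's own expiry is not modelled."""
    roots = usable_roots(store, at, ignores_root_expiry)
    if NEW_ROOT in roots:
        return "ok: trusts " + NEW_ROOT
    if OLD_ROOT in roots:
        return "ok: relies on " + OLD_ROOT
    return "fails: no usable root"

# Constructed sample trust stores (not dumps from real devices).
DST = {"subject": ((("commonName", OLD_ROOT),),),
       "notAfter": "Sep 30 14:01:15 2021 GMT"}
ISRG = {"subject": ((("commonName", NEW_ROOT),),),
        "notAfter": "Jun 04 11:04:38 2035 GMT"}
OLD_DEVICE, NEW_DEVICE = [DST], [DST, ISRG]
BEFORE = timegm((2021, 9, 29, 0, 0, 0))
AFTER = timegm((2021, 10, 1, 0, 0, 0))

if __name__ == "__main__":
    for label, store in (("old", OLD_DEVICE), ("new", NEW_DEVICE)):
        print(label, lets_encrypt_verdict(store, AFTER))
```

On a real machine, the same functions can be fed the output of ssl.create_default_context().get_ca_certs() to see which of the two roots the local store actually carries.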

