Insecure …again

Back in March, I wrote about a dilemma I was facing. I could make the certificates on The Session more secure. But if I did that, people using older Android and iOS devices could no longer access the site:

As a site owner, I can either make security my top priority, which means you’ll no longer be able to access my site. Or I can provide you access, which makes my site less secure for everyone.

In the end, I decided in favour of access. But now this issue has risen from the dead. And this time, it doesn’t matter what I think.

Let’s Encrypt are changing the way their certificates work and once again, it’s people with older devices who are going to suffer:

Most notably, this includes versions of Android prior to 7.1.1. That means those older versions of Android will no longer trust certificates issued by Let’s Encrypt.

This makes me sad. It’s another instance of people being forced to buy new devices. Last time ‘round, my dilemma was choosing between security and access. This time, access isn’t an option. It’s a choice between security and the environment (assuming that people are even in a position to get new devices—not an assumption I’m willing to make).

But this time it’s out of my hands. Let’s Encrypt certificates will stop working on older devices and a whole lotta websites are suddenly going to be inaccessible.

I could look at using a different certificate authority, one I’d have to pay for. It feels a bit galling to have to go back to the scammy world of paying for security—something that Let’s Encrypt has taught us should quite rightly be free. But accessing a website should also be free. It shouldn’t come with the price tag of getting a new device.

Have you published a response to this? :

Responses

2 Likes

# Liked by George Salib® on Wednesday, November 18th, 2020 at 1:06am

# Liked by Chris Taylor on Wednesday, November 18th, 2020 at 1:06am

Previously on this day

3 years ago I wrote Brighton conferences

Two weeks, four conferences.

4 years ago I wrote Less JavaScript

The Google developer relations team are dishing out some inconvenient truths.

5 years ago I wrote Brighton device lab

You should come by the Clearleft office and test your website on many many devices.

14 years ago I wrote Spoken

I delivered my spiel on microformats.

16 years ago I wrote Client communication

There’s a great interview with John Allsopp over at the Web Standards Group. John is the author of one of my all-time favourite articles over at A List Apart: Dao of Web Design.

17 years ago I wrote Sprint CSS

I got a nice email today from a very talented web developer named France Rupert telling me about the newly redesigned Sprint PCS site.

18 years ago I wrote Bringing Entertainment Home

After a long week of staring at code, I finally had some time this weekend to sit back and enjoy my new computer.

19 years ago I wrote The ugly world of PCs

Jessica and I got plenty of exercise today. We walked to the far end of town to look at the wares at PCworld.