At 9:04am GMT today, the Let’s Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We’re very excited to be building a more secure and fully encrypted future for the World Wide Web.
[Figure: Let’s Encrypt certificate issuance over time]
A million certificates is in itself pretty good progress. But a single certificate can cover multiple domain names, and the million certificates Let’s Encrypt has issued are actually valid for 2.5 million fully-qualified domain names, over 90% of which had never been reachable by browser-valid HTTPS before.
Much more work remains to be done before the Internet is free from insecure protocols, but this is substantial and rapid progress. It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we’ve known that HTTPS needs to be the default. We’re very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted.
EFF co-founded the Let’s Encrypt CA with Mozilla and researchers from the University of Michigan. Akamai and Cisco provided significant financial support for the launch, and many other organizations have stepped up to sponsor the project since launch. If you’d like to help, you can donate to EFF or ISRG, or if you’re a coder, help us to improve the server or client software.
LetsEncrypt is an initiative sponsored by several organizations, including Mozilla and the Electronic Frontier Foundation, that follows from privacy discussions in various communities last year. The key goal is to provide free, easy encryption via free SSL certificates to any public website.
On Thursday, December 3rd, 2015, LetsEncrypt entered a public beta, allowing anyone with a domain and a web server to receive their own valid SSL certificate at no cost.
History of LetsEncrypt
The principles of LetsEncrypt focus on automatic issuance, short lifetimes and a highly transparent process showing who is using the facilities. The protocol behind the service, ACME, is open source and is developed under an Internet Engineering Task Force (IETF) working group. The server and client implementations are both under open source licenses and are openly worked on at GitHub.
Although free SSL certificate providers appeared in the past, they had caveats such as restricting commercial use or charging for revocation when one was necessary. They also usually involved numerous manual steps, adding maintenance overhead to acquiring and then using a certificate.
Security of LetsEncrypt certificates
Free certificates are great, but usually the first question asked is about the potential for impersonation and how verification happens. The focus for this project is on domain validation rather than the greater depth of verifying individuals or companies. If there is a requirement for an enterprise level of encryption (the green tick that can be seen in URLs with the domain name), then extended validation is still required and a traditional SSL certificate vendor will have to be approached.
The validation of the domain is meant to be automatic by design. The LetsEncrypt ACME server looks up the A record of the domain and provides a secret key, which must then be served from a specific location on the site to confirm ownership. For more details on how it works under the hood, see the technical overview at the LetsEncrypt site.
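The validation step described above, sketched as an added example (not code from the original article or from Let's Encrypt). It assumes the http-01 challenge as later standardized in RFC 8555, where the secret is a random token bound to the requester's account key; the `site` dictionary, the sample account keys and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # http-01 path from RFC 8555

# Constructed sample account keys (public JWKs); the x/y values are placeholders.
ACCOUNT_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x-A", "y": "constructed-y-A"}
ACCOUNT_B = {"kty": "EC", "crv": "P-256", "x": "constructed-x-B", "y": "constructed-y-B"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by ACME and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Value the applicant publishes: the CA's token bound to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def new_token() -> str:
    """CA side: unguessable challenge token (256 bits here)."""
    return b64url(secrets.token_bytes(32))


def validate(site: dict, token: str, account_jwk: dict) -> bool:
    """CA side: read the challenge path from the site, compare in constant time.

    `site` maps request path -> response body and stands in for the HTTP GET
    the CA makes to the address the domain's A record resolves to.
    """
    body = site.get(CHALLENGE_PREFIX + token)
    if body is None:
        return False  # nothing published: requester does not control the site
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.strip().encode(), expected.encode())
```

Because the published value includes the account key thumbprint, a file that merely echoes the token, or one placed for a different account, does not validate.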
Get your own LetsEncrypt certificate
LetsEncrypt is available for public use now and can be used to get your own SSL certificates for any of your domains or subdomains. For help installing a certificate, read the LetsEncrypt documentation or find them on IRC at #letsencrypt on Freenode.