Let’s Encrypt is a project that, although you might not think about it often, plays a huge role in securing the websites that you use every day – including our own FOSSlife. In this article, as part of our open source success series, we’ll look at the history and impressive achievements of the Let’s Encrypt project.
Briefly, Let’s Encrypt is a free, automated, global certificate authority (CA) providing TLS certificates to 200 million websites. This service allows organizations to obtain, renew, and manage SSL/TLS certificates and thus enable secure HTTPS connections. According to the project website, their mission is “to create a more secure and privacy-respecting Web by promoting the widespread adoption of HTTPS.”
That rate of adoption has been nothing short of phenomenal. In February of 2020, the organization marked a major milestone, issuing one billion total certificates. Additionally, back in June of 2017, approximately 58 percent of page loads used HTTPS globally (with 64 percent in the United States). In 2020, according to the announcement, 81 percent of page loads used HTTPS globally (with 91 percent in the US). “This is an incredible achievement. That’s a lot more privacy and security for everybody,” the announcement stated.
As Josh Aas, the project’s co-founder, explained in the annual report, “I’ve tried to comprehend how much data about peoples’ lives this has protected, and tried even harder to comprehend what that means in human or privacy terms. It’s simply beyond my ability.”
History and Motivation
Let’s Encrypt was initially created as a way to advance HTTPS adoption and improve security across the entire World Wide Web. In a paper for the 2019 ACM Conference on Computer and Communications Security (CCS ’19), Aas and co-authors described the underlying concept of Let’s Encrypt, including the motivation for starting the project: “Prior to our work, a major barrier to wider HTTPS adoption was that deploying it was complicated, expensive, and error-prone for server operators.”
Back in 2015, the average price for a one-year single-domain certificate from the five largest CAs was $178 USD, and the average cost of a wildcard certificate was $766, according to the paper. Additionally, the process of obtaining a certificate and configuring an HTTPS server involved tedious manual effort. “Besides being difficult, manual HTTPS server setup carries the risk of introducing security vulnerabilities through misconfiguration. A study in 2013 found that only 45 percent of certificates on HTTPS servers were correctly configured,” the authors said.
"We needed to find a way to make certificates free and easy to get and manage," Aas said, in an interview with Tech Republic. "We needed the solution to be available globally, and we wanted the solution to help convert a large portion of the Web to HTTPS in five years or less."
Automation and Adoption
The Let’s Encrypt project was formed with the aim of solving these issues through automation. As the authors said, “Let’s Encrypt overcomes these through a strategy of automation: identity validation, certificate issuance, and server configuration are fully robotic, which also results in low marginal costs and enables the CA to provide certificates at no charge.”
In the paper, the authors detail the architecture of the CA software system (named Boulder) as well as the design of ACME, the IETF-standard protocol created to automate obtaining certificates from a CA: proving control of a domain, requesting and receiving the certificate, and renewing it, all without a human in the loop.
“Nothing drives adoption like ease of use, and the foundation for ease of use in the certificate space is our ACME protocol,” the announcement said. “ACME allows for extensive automation, which means computers can do most of the work. It was also standardized as RFC 8555 in 2019, which allows the Web community to confidently build an even richer ecosystem of software around it.”
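To make the "identity validation" step concrete, here is the core of the HTTP-01 challenge check that RFC 8555 specifies, written in Python for this article. It is an added illustration, not code from Boulder, certbot, or any Let's Encrypt project. The account key and token are constructed placeholder values rather than a real key, and the network fetch is replaced by passing the response body in, so the example runs offline.

```python
"""HTTP-01 key-authorization check as specified in RFC 8555 (ACME).

Added example for this article; not code from Boulder, certbot, or any
Let's Encrypt project. SAMPLE_TOKEN and SAMPLE_ACCOUNT_JWK are constructed
placeholder values, not a real account key.
"""
import base64
import hashlib
import hmac
import json
import re

# RFC 8555 section 8.3: a token uses only base64url characters. Checking
# this before building a URL or file path from it avoids path tricks.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample values. The thumbprint math only needs the base64url
# strings, so placeholder strings demonstrate the computation.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-value_not-a-real-RSA-key_base64url-chars-only",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME and JOSE use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_token(token: str) -> bool:
    return bool(TOKEN_RE.fullmatch(token))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    as compact JSON with members in lexicographic order. Optional members
    such as 'alg' or 'kid' are excluded, so two JWK encodings of the same
    key yield the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported or missing kty")
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(accountKey)).
    Binding the account key in proves that whoever placed the file on the
    web server is the same party that holds the ACME account key."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches the response: plain HTTP on port 80, because the
    site cannot be expected to have a valid certificate yet."""
    if not is_valid_token(token):
        raise ValueError("token is not base64url")
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def validate_http01(token: str, account_jwk: dict, body: bytes) -> bool:
    """The CA-side comparison after the fetch: the body, with trailing
    whitespace removed (RFC 8555 section 8.3), must equal the key
    authorization exactly. A constant-time comparison avoids leaking how
    much of a near-miss response matched."""
    try:
        expected = key_authorization(token, account_jwk).encode("ascii")
    except ValueError:
        return False
    return hmac.compare_digest(body.rstrip(), expected)


if __name__ == "__main__":
    ka = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("client serves:", ka)
    print("CA fetches:   ", challenge_url("example.com", SAMPLE_TOKEN))
    # A web server that appends a newline still validates; a stale file
    # left over from an earlier order (different token) does not.
    print("valid:  ", validate_http01(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK,
                                      ka.encode() + b"\n"))
    print("invalid:", validate_http01("AAAAAAAAAAAAAAAAAAAAAA",
                                      SAMPLE_ACCOUNT_JWK, ka.encode()))
```

The two halves map directly onto what the paper calls "robotic" validation: the client computes the key authorization from its account key and writes it to the challenge path, and the CA fetches that path over plain HTTP and runs the comparison. Because the account key is part of the value, simply copying a token seen on another site is not enough to pass the challenge.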
The reason for Let’s Encrypt’s success is simple, according to the CCS paper: It is free, easy to use, and automated. “Automation is necessary to have a free CA and free certificates make automation practical,” the authors state. And its widespread adoption is undeniable. Since its launch in 2015, Let’s Encrypt has become the world’s largest HTTPS CA, “accounting for more currently valid certificates than all other browser-trusted CAs combined.”
Support Let’s Encrypt
As a nonprofit organization, Let’s Encrypt depends on contributions from the community to provide these services. You can find out how to become a sponsor of Let’s Encrypt or how to make an individual contribution on the project website.