Case Study

Let’s Encrypt

As the world’s largest certificate authority, Let’s Encrypt is a nonprofit project that makes the internet more secure and privacy-respecting for everyone who uses it. And they did it in just a little more than five years.

Let’s Encrypt is a free, automated and open certificate authority run by the nonprofit Internet Security Research Group (ISRG). The mission of ISRG is to reduce financial, technological, and educational barriers to secure communication over the internet.

Let’s Encrypt entered public beta in December 2015. Back then, websites using HTTPS made up just 39% of web page loads. Today, Let’s Encrypt serves 225+ million websites, issuing ~1.5 million certificates each day on average. HTTPS adoption has grown to 84% globally and it’s over 90% in the United States. But five years ago, the challenge of building a more secure web was not only daunting, it was downright crazy.

“Creating a new kind of certificate authority that gives out free certificates was a crazy idea.”

J. Alex Halderman, ISRG Board of Directors

Opportunity

HTTPS was introduced by Netscape in 1995, with the potential to make the web a secure and privacy-respecting platform. It protects data from surveillance and tampering.

A certificate authority (CA) issues the digital certificates (called TLS/SSL certificates) that bind a domain name to a public key, so a browser can verify it is talking to the genuine site before it encrypts the connection. Those certificates are what let a website move from HTTP:// to HTTPS:// (the S stands for ‘secure’).

Unfortunately, 20 years later, in 2015, only 39% of web page loads were encrypted. In the years since 1995 it has become clear that every web page needs to use HTTPS.

There were multiple barriers in the way of increasing adoption. The process of obtaining a certificate was complex, it often carried a financial cost, and it had to be repeated manually each time a certificate expired. For one website or use case these barriers are clearly surmountable, but at the scale of the internet—even in 1995—they stood in the way of widespread adoption. A new approach was needed that eliminated the barriers and so increased adoption.

Approach

Let’s Encrypt can serve at scale because of its approach, driven by these key principles:

Free: Anyone who controls a domain can get a certificate validated for that domain at zero cost.

Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.

Secure: Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.

Transparent: All records of certificate issuance and revocation are available to anyone who wishes to inspect them. Twice annually a Legal Transparency report is published to ensure users have visibility regarding legal requests.

Open: The automated issuance and renewal protocol (ACME, standardized as RFC 8555) is an open standard, and as much of the software as possible is open source.

Cooperative: Much like the underlying internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire public. Its public-benefit structure means that it operates beyond the control of any one individual or organization.
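The "Free" and "Open" principles rest on the same mechanism: in ACME (RFC 8555) the CA proves that a requester controls a domain by issuing a random token which only the holder of the ACME account key can turn into a valid response, served over HTTP (HTTP-01) or published in DNS (DNS-01). The Go program below is an added example, not code from Let’s Encrypt or from this page: it computes the RFC 7638 thumbprint of an account key, the RFC 8555 key authorization, and the HTTP-01 and DNS-01 responses derived from it, and shows that a response built from a different account key is rejected even though the token is public. The generated keys, the token and the helper names are constructed here for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// b64 is the unpadded base64url encoding that RFC 8555 and RFC 7638 mandate
// for tokens, thumbprints and challenge responses.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// canonicalJWK serialises an RSA public key in the form RFC 7638 hashes:
// only the required members, keys in lexicographic order, no whitespace.
// json.Marshal sorts map keys, which yields exactly that ordering.
func canonicalJWK(n, e *big.Int) string {
	out, err := json.Marshal(map[string]string{
		"kty": "RSA",
		"n":   b64(n.Bytes()),
		"e":   b64(e.Bytes()),
	})
	if err != nil {
		panic(err) // cannot happen for a map of strings
	}
	return string(out)
}

// jwkThumbprint is the RFC 7638 thumbprint of the account key:
// base64url(SHA-256(canonical JWK)). It binds every challenge response to
// whoever holds that account's private key.
func jwkThumbprint(n, e *big.Int) string {
	sum := sha256.Sum256([]byte(canonicalJWK(n, e)))
	return b64(sum[:])
}

// newToken plays the CA side: RFC 8555 requires a challenge token with at
// least 128 bits of entropy, base64url-encoded without padding.
func newToken() string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return b64(buf)
}

// keyAuthorization is the RFC 8555 section 8.1 proof: token || "." || thumbprint.
// The token is public; only the account holder can pair it with the
// thumbprint the CA recorded for this account.
func keyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// http01Response is what the client serves over plain HTTP at
// http://<domain>/.well-known/acme-challenge/<token> (RFC 8555 section 8.3).
type http01Response struct {
	Path string
	Body string
}

func http01(token, thumbprint string) http01Response {
	return http01Response{
		Path: "/.well-known/acme-challenge/" + token,
		Body: keyAuthorization(token, thumbprint),
	}
}

// validateHTTP01 is the CA's check: the fetched body must equal the key
// authorization of the account that requested the challenge. RFC 8555 lets
// the server ignore trailing whitespace, which many web servers append.
func validateHTTP01(fetchedBody, token, thumbprint string) bool {
	return strings.TrimRight(fetchedBody, " \t\r\n") == keyAuthorization(token, thumbprint)
}

// dns01Value is the TXT record to publish at _acme-challenge.<domain>:
// base64url(SHA-256(keyAuthorization)) (RFC 8555 section 8.4).
func dns01Value(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(keyAuthorization(token, thumbprint)))
	return b64(sum[:])
}

func main() {
	// Constructed example: a fresh 2048-bit ACME account key (hypothetical).
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tp := jwkThumbprint(key.N, big.NewInt(int64(key.E)))
	token := newToken()

	resp := http01(token, tp)
	fmt.Println("HTTP-01 path:", resp.Path)
	fmt.Println("HTTP-01 body:", resp.Body)
	fmt.Println("DNS-01 TXT  :", dns01Value(token, tp))

	// The genuine response passes; a response built by someone who knows the
	// token but holds a different (here: toy, illustrative) account key fails.
	otherTP := jwkThumbprint(big.NewInt(3233), big.NewInt(17))
	fmt.Println("genuine response accepted:", validateHTTP01(resp.Body+"\n", token, tp))
	fmt.Println("foreign account accepted :", validateHTTP01(http01(token, otherTP).Body, token, tp))
}
```

Run it with `go run` and compare the printed HTTP-01 body with what the CA would fetch from the domain; the important property is that the body is useless to anyone who does not hold the account key, which is why the token can safely travel over unauthenticated HTTP and why no human needs to be in the loop.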

These principles have served as the foundation of Let’s Encrypt since the beginning. They allow people in need of TLS certificates, anywhere around the world, to get them quickly and easily.

And while this approach greatly benefits technologists seeking to obtain and manage TLS certificates, it serves a wider public benefit. Without it, the privacy and security of end users of the majority of websites would be greatly diminished. In other words, this approach directly serves hundreds of thousands of technologists, and indirectly serves billions of interactions on the web every day. The result is a more secure internet and a more privacy-respecting web for everyone, everywhere.

“Let’s Encrypt, an alliance Mozilla helped found, now delivers greater security to over 85% of web transactions—proving that improved security is possible on a large scale.”

Mitchell Baker, CEO, Mozilla, The Independent, July 2020

Impact

In September 2015 Let’s Encrypt issued its first certificate, and just seven months later it issued its millionth. As of December 2020, Let’s Encrypt certificates secured more than 225 million websites. In five years, it has issued more than 1,422,440,000 certificates.

To put that last number into context: If Let’s Encrypt were to issue just one certificate per second, it would take 45.1 years to issue as many certificates as it has in just a little more than five years. That rate of change and global impact is a testament to ISRG’s approach with Let’s Encrypt: automation, as few barriers as possible for adoption, and open collaboration.

Let’s Encrypt certificates are used for more than websites, though web hosts such as Squarespace, WordPress, and Wix all provide Let’s Encrypt to their customers. They are also used by Oracle, Salesforce, and Disney, and by NGOs like Wikimedia and Doctors Without Borders.