CASE STUDY: LET'S ENCRYPT
Let’s Encrypt is a free, automated and open certificate authority, run for the public’s benefit and supported organizationally by The Linux Foundation. The objective of Let’s Encrypt is to help achieve 100% encryption on the Web. Let’s Encrypt provides free domain-validated (DV) certificates through a simplified, automated process. These unique attributes make Let’s Encrypt ideal for large organizations that need to alleviate financial burden and automate deployment at scale. Let’s Encrypt is also ideal for individual users, particularly those in underserved markets, who may lack the funds and technical skill to otherwise deploy HTTPS.
Vital personal and business information flows over the Web more frequently than ever, and we don’t always know when it’s happening. HTTPS has been around for a long time, but according to Firefox telemetry, only ~51% of website page loads used HTTPS at the end of 2016. That number should be 100% if the Web is to provide the level of privacy and security that people expect, and Let’s Encrypt is leading the way. In essence, everyone should use TLS (the successor to SSL) everywhere to protect their communications over the Web. Every browser in every device supports it. Every server in every data center supports it.
However, until Let’s Encrypt there was a potentially significant cost to administering server certificates. Let’s Encrypt is a free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
Prior to Let’s Encrypt, getting even a basic certificate through conventional means was too much of a hassle for many server operators. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s difficult to update. Let’s Encrypt goes further than most in terms of end-to-end automation and extensibility, both in getting certificates and, in many cases, in installing them. This is an important strategy since major servers don’t yet have built-in support, and the team supporting Let’s Encrypt wants to make sure it’s given a proper chance to thrive.
“Encryption is critical to security and privacy on the Web, and by working with Let’s Encrypt, OVH is showing our commitment to bringing the protections of HTTPS to Web users worldwide.”
– Pascal Jaillon, Vice President of Product Management, OVH US
Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation (EFF), IdenTrust, Inc., and researchers at the University of Michigan started working through the Internet Security Research Group (“ISRG”) to create Let’s Encrypt and deliver this much-needed infrastructure in 2014. The Linux Foundation is providing the infrastructure and operational support for Let’s Encrypt using its collaborative model for open source projects.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
- Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
- Secure: Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.
- Transparent: All records of certificate issuance and revocation are available to anyone who wishes to inspect them. Twice annually a Legal Transparency report will be published to ensure users have visibility regarding legal requests.
- Open: The automated issuance and renewal protocol is an open standard and as much of the software as possible will be open source.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.
“Cisco is committed to improving the security of the Internet, not only for our customers and partners, but for everyone else as well. Let’s Encrypt has been doing impressive work toward that goal. Our support of this community towards realtime, on-demand certificates will make the Internet more secure.”
– David Ward, CTO of Engineering and Chief Architect at Cisco
In September 2015 Let’s Encrypt issued their first certificate, and just seven months later, they issued their millionth certificate. At the close of 2016, Let’s Encrypt certificates secured over 25 million websites worldwide and ranked as one of the largest certificate authorities. Throughout this period of incredible growth, support for the effort has also increased. OVH joined Cisco and Akamai as Platinum sponsors with three-year commitments. Mozilla, Google Chrome and the EFF provide support through their Platinum contributions. The Ford Foundation also awarded Let’s Encrypt their first grant in 2016. Shopify, Facebook, SiteGround, Cyon and many others have joined the ranks of over 25 Silver sponsors.
Let’s Encrypt has received a considerable boost from industry endorsement, with major hosting companies like OVH, WordPress.com, Gandi, Dreamhost, and Squarespace helping many sites move to HTTPS with Let’s Encrypt. Based on numbers Mozilla gathers from Firefox users, encrypted sites now account for more than 53 percent of page visits, compared with 39.5 percent just before Let’s Encrypt launched. WordPress.com and Squarespace started providing free HTTPS for all custom domains hosted on their respective platforms, which helps protect users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.