Let's Encrypt issued a billion certificates

On February 27, 2020, the free certification authority Let's Encrypt issued its billionth certificate.

In a festive press release, project representatives recall that the previous milestone of 100 million issued certificates was celebrated in June 2017. At that time the share of HTTPS traffic on the Internet was 58% (in the USA, 64%). Over two and a half years, the figures have grown significantly: “Today, 81% of download pages worldwide use HTTPS, and in the United States we are at 91%!” the project team rejoices. “An incredible achievement. This is a much higher level of privacy and security for everyone.”

Let's Encrypt played a very important role in making HTTPS certificates an everyday standard and reliable traffic encryption the norm on the Internet.

Beta testing of the innovative Let's Encrypt certification authority began in December 2015. What set the new authority apart was that certificate issuance was fully automated from the start.

Automatic configuration of HTTPS on the server occurs in two stages. In the first stage, the agent demonstrates to the certification authority that the server administrator controls the domain name. For example, the check may involve creating a specific subdomain or serving an HTTP resource at a specific URI inside the domain.

Let's Encrypt identifies the web server running the agent by its public key. The agent generates the public and private keys before its first connection to the certification authority. During automatic verification, the agent performs a number of tasks: for example, it signs a one-time password so that the signature verifies against its public key, and serves an HTTP resource at a specific URI. If the digital signature is correct and all the checks pass, the agent is granted the right to manage certificates for the domain.

In the second stage, the agent can request, renew, and revoke certificates. Automatic certificate issuance uses a challenge-response authentication protocol called Automated Certificate Management Environment (ACME). All certificate operations are performed without stopping the web server using the Certbot ACME client. It is easy to use, works on most operating systems and is well documented. There is an expert mode with an extended set of options. Besides Certbot, there are many other ACME clients.
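The first-stage check described above can be made concrete with the values ACME defines for its two common challenge types (HTTP-01 and DNS-01 in RFC 8555, with the account key fingerprint from RFC 7638). This is an added example, not code from Let's Encrypt or Certbot; the account key, token and `example.com` domain are constructed placeholders, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import re

# JWK members that enter the RFC 7638 thumbprint, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    # The token becomes a file name and URL segment, so a client should
    # refuse anything outside the base64url alphabet (no "/" or "..").
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01_resource(domain, token, jwk):
    """URL the CA fetches and the body the agent must serve there."""
    body = key_authorization(token, jwk)
    return f"http://{domain}/.well-known/acme-challenge/{token}", body

def dns01_record(domain, token, jwk):
    """TXT record name and value for the subdomain-based check."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

def ca_accepts_http01(body, token, account_jwk):
    """CA side: the fetched body must match the account that was challenged."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.rstrip().encode("utf-8"), expected.encode("utf-8"))

# Constructed sample data: not a real account key (x/y are filler bytes).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(bytes(range(32))), "y": b64url(bytes(range(32, 64)))}
OTHER_JWK = dict(ACCOUNT_JWK, x=b64url(bytes(range(64, 96))))
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    print(http01_resource("example.com", TOKEN, ACCOUNT_JWK))
    print(dns01_record("example.com", TOKEN, ACCOUNT_JWK))
```

Because the served value binds the CA's token to the account key's thumbprint, a response prepared under a different account key is rejected even when it is placed at the correct URI.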

The important role of Let's Encrypt


Let's Encrypt has revolutionized a market that was dominated by commercial certification authorities. They are now practically out of the business of issuing Domain Validation (DV) certificates, although they continue to sell Organization Validation (OV) and Extended Validation (EV) certificates, which Let's Encrypt does not issue because their issuance cannot be automated. However, these are niche products, and free Let's Encrypt certificates reign supreme in the mass market.

Let's Encrypt made automatic certificate renewal the standard. Although the certificates are short-lived (90 days), the automatic procedure eliminates the “human factor”, which is traditionally the main security vulnerability. Domain administrators often simply forget to renew their certificates, which causes services to fail. The most recent such incident involved Microsoft Teams: on February 3, 2020, this collaboration service went offline due to an expired certificate.

Automatic certificate replacement via ACME eliminates the possibility of such incidents.

Although the Let's Encrypt project serves half the Internet, in the physical world it is a small non-profit organization: “Over the past two and a half years, our organization has grown, but quite a bit!” they write. “In June 2017, we serviced about 46 million websites with 11 full-time employees and with an annual budget of $2.61 million. Today we serve almost 192 million websites with 13 full-time employees and an annual budget of approximately $3.35 million. This means that we serve more than four times as many sites with just two additional employees and a 28 percent increase in the budget.”

The project is supported through donations and sponsorship.

Today HTTPS has become the de facto standard on the Internet. Since last year, major browsers have warned users about the dangers of connecting to sites that do not encrypt traffic over HTTPS. This change in the security landscape is to the credit of Let's Encrypt.

On top of everything else, Let's Encrypt literally revived the infrastructure of public XMPP servers. Jabber now works with strong encryption at both the client-server and server-server levels, and the absolute majority of certificates were issued by Let's Encrypt.



“As a community, we have done incredible things to protect people on the Internet,” the press release said. “The issuance of one billion certificates is a confirmation of all the progress we have made as a community.”
