Let’s Encrypt Passes 20 Million Active Certificates in 2016

Let’s Encrypt has just closed out its first full year as a certificate authority with more than 20 million active certificates. The free and open certificate authority focuses on lowering the complexity of setting up TLS encryption by making the process more automated. It came out of beta in April 2016 and the number of certificates issued per day has grown steadily since then.

“At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates,” said Josh Aas, Executive Director of the non-profit Internet Security Research Group (ISRG). “Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently.”

Let’s Encrypt operates as a 501(c)(3) nonprofit and has received more than three dozen corporate sponsorships and grants, but funds for the coming year have fallen short. In November, Let’s Encrypt launched a crowdfunding campaign to cover the cost of one month of operating expenses. So far, the campaign has raised more than $100K towards its $200K fundraising goal.

Let’s Encrypt is Growing Fastest with Smaller, Previously-Unencrypted Sites

Let’s Encrypt is used by some larger organizations, such as WordPress.com, OVH, Shopify, Akamai, and Dreamhost, but the vast majority of users are smaller entities that were not previously encrypted. According to the Electronic Frontier Foundation (EFF), a founding sponsor of the certificate authority, most of Let’s Encrypt’s growth has not come from taking customers away from competitors:

One of the ways Let’s Encrypt has been helping to secure the web is by making it easy and affordable for sites that have never had certs before to turn on secure HTTPS connections, and for software systems to start enabling HTTPS automatically and by default. Our free certificates may be more likely to be left unused than expensive certificates, and less expert webmasters may accidentally duplicate certificates—but that’s part of making HTTPS integration available to more webmasters across a range of resource and skill levels. Statistics suggest that most of our growth has come not at the expense of other CAs, but from giving previously unencrypted sites their first-ever certificates.

EFF analyzed various sources of usage statistics and estimates that Let’s Encrypt is now the largest certificate authority on the web. Its rapid adoption has spurred impressive progress towards getting the entire web encrypted. Let’s Encrypt tracks progress by measuring the percentage of page loads using HTTPS, as seen by browsers.

“According to Firefox Telemetry, the Web has gone from approximately 39% of page loads using HTTPS each day to just about 49% during the past year,” Aas said in Let’s Encrypt’s 2016 in Review report. “We’re incredibly close to a Web that is more encrypted than not.”

The proliferation of Let’s Encrypt client options in 2016 puts the certificate authority in an even better position to continue driving web encryption in 2017. Aas attributes last year’s progress to many organizations advocating for HTTPS and working to get their sites encrypted. His team has grown from four full-time employees to nine, and he anticipates that 2017 will be a year of even greater growth.

“Much of the infrastructure and many of the plans necessary for a 100% encrypted Web came into being or solidified in 2016,” Aas said. “More and more hosting providers and CDNs are supporting HTTPS with one click or by default, often without additional fees. It has never been easier for people and organizations running their own sites to find the tools, services, and information they need to move to HTTPS.”

29 Comments


  1. Does Let’s Encrypt vet the entities they give certs to in any fashion?

    1. There is a challenge-response check to make sure that you actually control the domain. Let’s Encrypt does not check identities (as the certificates are issued for the domain and not for any company or person).

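
The challenge-response check described in the reply above is the ACME HTTP-01 challenge Let’s Encrypt uses. The following is an added Python simulation of both sides of that exchange (not Let’s Encrypt’s or any ACME client’s own code); it assumes a constructed placeholder account key and an in-memory dict standing in for the web server’s document root.

```python
import base64
import hashlib
import json
import secrets

# Constructed placeholder account key as a JWK; "n" and "e" are NOT a real RSA key.
ACCOUNT_JWK = {"kty": "RSA", "n": "placeholder-modulus-base64url", "e": "AQAB"}
CHALLENGE_DIR = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members as compact, key-sorted JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555: keyAuthorization = token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"

class Webroot:
    """In-memory stand-in for the document root the web server serves over plain HTTP."""
    def __init__(self) -> None:
        self.files: dict[str, str] = {}
    def put(self, path: str, body: str) -> None:
        self.files[path] = body
    def get(self, path: str):
        return self.files.get(path)

def client_respond(webroot: Webroot, token: str, jwk: dict) -> None:
    """Client side: show control of the host by publishing the key authorization."""
    webroot.put(CHALLENGE_DIR + token, key_authorization(token, jwk))

def ca_validate(webroot: Webroot, token: str, jwk: dict) -> bool:
    """CA side: fetch the challenge URL and compare it with the value expected for THIS account key."""
    body = webroot.get(CHALLENGE_DIR + token)
    return body is not None and secrets.compare_digest(body, key_authorization(token, jwk))

def run_http01(webroot: Webroot, responder_jwk: dict, account_jwk: dict = ACCOUNT_JWK) -> bool:
    """One full exchange: the CA mints a random token, the client answers, the CA checks."""
    token = b64url(secrets.token_bytes(32))           # CA-chosen and unpredictable
    client_respond(webroot, token, responder_jwk)
    return ca_validate(webroot, token, account_jwk)   # answer is bound to the requesting account key
```

The check passes only if the host answering for the domain publishes a value tied to the requesting account key; it says nothing about who operates the site, which is why the resulting certificate is issued to a domain rather than to an organization.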
  2. I wish I could use it too, but my crap host doesn’t support it. I’m going to change my host soon! What host do you recommend, guys?

    1. Ron, I’ve been using SiteGround for years and just recently I decided to put Let’s Encrypt on my site. Still didn’t do it but I plan to – I checked the process and it’s literally a few seconds’ job.
      If you need some more details on this you can PM me on Facebook: https://www.facebook.com/ivica.delic

  3. Sounds like funding is an issue here… What happens if they go bust? I can imagine a very large number of websites going pear shape all over the world.

    1. Unlikely for such phenomenal growth. I’m sure it will attract more interest than not. If each website pays $1 for a year sub, they are more than good.

  4. Love the one-click cPanel install but unfortunately my host is not using it and not planning to use it.

    WordPress.org should take this into account when recommending hosts.

  5. This is awesome. I am using Let’s Encrypt for my website.
    The only bit that is a bit annoying: it only works for your domain. If you want https on your subdomains you need to buy an https certificate.
    But this is a minor trade-off. :)

    1. Not true, you can get Let’s Encrypt for every subdomain. They don’t do wildcard certificates, but deploying multiple individual certificates is just as easy as deploying one.

  6. Something about this makes me nervous. First, they don’t even validate the entity they issue a cert to — so if this becomes the norm then over time the value of having a cert will be (very) diluted, as it will be a guarantee that scammers will take advantage of this setup. Public trust will dissolve.

    I believe certs should go the *other* direction, and have a cost that is affordable but meaningful – along with deep validation of the entity. I had to submit articles of incorporation and a utility bill for my corporation when I got a certificate years ago. That seems ok to me.

    Second, 503(c) notwithstanding, they have no real way of making money so eventually this business model is going to collapse.

    1. I completely agree with you. There needs to be real vetting to ensure 1.) the applicants who receive the certs are who they say they are, and 2.) the cert is being used by a business/organization that’s operational. No one cares if the connection is secure if the connecting server is maintained by Guccifer 3.0! I foresee free DV type certificates being deprecated at some point.

    2. The certificate is issued to a domain, not an entity.

      1. I understand that. And, other than basic encryption across the wire, it is otherwise useless as a “trust” instrument. Which is contrary to what the vast majority of average users believe, when they see the padlock.

    3. AFAICT the certs they produce are the lowest grade of certs, not that anyone checks the quality of certs on the site he uses.

      Let’s Encrypt is all about the Snowden-induced privacy paranoia, not about real security of any kind.

    4. Bottomline, the Let’s Encrypt application process could be automated for thin-page junk sites or even for email phishing scams. Imagine a scenario where you believe you’re logging into your Bank of America account. You see the green padlock, but it’s not Bank of America! Eventually, the only trustworthy SSL certificates will be the EV certs.

    5. Don’t be nervous. DV certs serve their purpose extremely well. A blog, for example, doesn’t need EV overkill. If your DNS is poisoned, you have much bigger issues than a low-level security chain.

      Successful 501(c)(3)’s make bajillion dollars every day embedded into the Econ landscape, reaping double rewards and won’t be vaporizing anytime soon.

  7. @Chuck: I do not think that “this business model is going to collapse” ;) because of the sponsors (have you seen?). Let’s Encrypt might be just an “add-on” for some big providers. Maybe we’ll see a pro version in the future (?).
    Anyway, like other providers, we are offering Let’s Encrypt for free, but we also have Comodo’s certificates for all the other requests that L.E. cannot satisfy.
    (On Plesk Panel the installation of any SSL certificate is very easy; you do not need technical knowledge at all, you just have to pay attention to put the correct information in the right fields.)

  8. We offer Let’s Encrypt SSL certs installed on both our customer’s VPS server panel backend and their website. The days of self-signed SSLs are finally behind us.

  9. Can’t beat the cost of free and considering how easy it is to install on webhosting accounts that support it, I can see 2017 being a huge year for Let’s Encrypt.

    1. Don’t you have to renew every 90 days or did they change that?

      That’s about 4 times a year PER domain. I have over 50 domains (of my own) plus clients.

      1. The limit is still there. However, the intended way to use Let’s Encrypt is via an automated renewal. Once you’ve set that up on your server, it works quite well. I assume managed hosting companies providing Let’s Encrypt integration will do that for you.

      2. Yeah. Not sure how Hosting Providers automate it, but you can Cron/renew.sh to automate at setup.

  10. I am going to contact my hosting company to see if they support this. Fingers crossed…

  11. Just for the naysayers here, I believe the LE certificate is designed to stop passwords and other sensitive information from flying around in the clear. Especially over wireless connections. It serves that purpose well.

    Nothing is stopping anyone from using a “more secure” certificate from some other source.
