Let’s Encrypt Passes 20 Million Active Certificates in 2016

Let’s Encrypt has just closed out its first full year as a certificate authority with more than 20 million active certificates. The free and open certificate authority focuses on lowering the complexity of setting up TLS encryption by making the process more automated. It came out of beta in April 2016 and the number of certificates issued per day has grown steadily since then.

“At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates,” said Josh Aas, Executive Director of the non-profit Internet Security Research Group (ISRG). “Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently.”

Let’s Encrypt operates as a 501(c)(3) nonprofit and has received more than three dozen corporate sponsorships and grants, but funds for the coming year have fallen short. In November, Let’s Encrypt launched a crowdfunding campaign to cover the cost of one month of operating expenses. So far, the campaign has raised more than $100K towards its $200K fundraising goal.

Let’s Encrypt is Growing Fastest with Smaller, Previously-Unencrypted Sites

Let’s Encrypt is used by some larger organizations, such as WordPress.com, OVH, Shopify, Akamai, and Dreamhost, but the vast majority of users are smaller entities whose sites were not previously encrypted. According to the Electronic Frontier Foundation (EFF), a founding sponsor of the certificate authority, most of Let’s Encrypt’s growth has not come from taking customers away from competitors:

One of the ways Let’s Encrypt has been helping to secure the web is by making it easy and affordable for sites that have never had certs before to turn on secure HTTPS connections, and for software systems to start enabling HTTPS automatically and by default. Our free certificates may be more likely to be left unused than expensive certificates, and less expert webmasters may accidentally duplicate certificates—but that’s part of making HTTPS integration available to more webmasters across a range of resource and skill levels. Statistics suggest that most of our growth has come not at the expense of other CAs, but from giving previously unencrypted sites their first-ever certificates.

EFF analyzed various sources of usage statistics and estimates that Let’s Encrypt is now the largest certificate authority on the web. Its rapid adoption has spurred impressive progress towards getting the entire web encrypted. Let’s Encrypt tracks progress by measuring the percentage of page loads using HTTPS, as seen by browsers.

“According to Firefox Telemetry, the Web has gone from approximately 39% of page loads using HTTPS each day to just about 49% during the past year,” Aas said in Let’s Encrypt’s 2016 in Review report. “We’re incredibly close to a Web that is more encrypted than not.”

The proliferation of Let’s Encrypt client options in 2016 puts the certificate authority in an even better position to continue driving web encryption in 2017. Aas attributes last year’s progress to many organizations advocating for HTTPS and working to get their sites encrypted. His team has grown from four full-time employees to nine, and he anticipates that 2017 will be a year of even greater growth.

“Much of the infrastructure and many of the plans necessary for a 100% encrypted Web came into being or solidified in 2016,” Aas said. “More and more hosting providers and CDNs are supporting HTTPS with one click or by default, often without additional fees. It has never been easier for people and organizations running their own sites to find the tools, services, and information they need to move to HTTPS.”


29 responses to “Let’s Encrypt Passes 20 Million Active Certificates in 2016”

  1. Aaron V.N. says:

    It’s what I use for my company site, and I love it!


  2. Ivica Delic says:

    It’s expected, I would dare to say…


  3. Peter says:

    Does Let’s Encrypt vet the entities they give certs to in any fashion?


    • pepe says:

      There is a challenge-response check to make sure that you actually control the domain. Let’s Encrypt does not check identities (as the certificates are issued for the domain and not for any company or person).

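As an added illustration of the challenge-response check pepe describes (this is not code from Let’s Encrypt or from the commenter), here is a small simulation of the ACME HTTP-01 challenge, which goes a step beyond the comment by showing the token and key-authorization exchange in RFC 8555. The account key values and the dict standing in for the applicant’s web server are constructed placeholders.

```python
# Added example, not Let's Encrypt's own code: a simulation of the ACME
# HTTP-01 domain-control challenge (RFC 8555, sections 8.1 and 8.3).
# The "web server" is a dict standing in for the applicant's site; the
# account key below is a constructed placeholder, not a real RSA key.
import base64
import hashlib
import hmac
import json
import secrets

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required JWK members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """token + '.' + thumbprint(account key): the exact body the site must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def new_challenge() -> str:
    """CA side: an unpredictable token binds this challenge to this order."""
    return b64url(secrets.token_bytes(32))

def ca_validate(site: dict, token: str, account_jwk: dict) -> bool:
    """CA side: fetch the token path from the domain and compare in constant time.
    Success proves control of the web server for that name, nothing about who runs it."""
    body = site.get(CHALLENGE_PATH + token)
    if body is None:
        return False
    return hmac.compare_digest(body.strip(), key_authorization(token, account_jwk))

# Constructed account key (placeholder values, not a real key).
ACCOUNT_JWK = {"kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4", "e": "AQAB"}

def demo() -> tuple:
    """Run the exchange: not provisioned, provisioned correctly, wrong token."""
    token = new_challenge()
    site = {}                                                # applicant's server, empty
    before = ca_validate(site, token, ACCOUNT_JWK)           # nothing served yet -> False
    site[CHALLENGE_PATH + token] = key_authorization(token, ACCOUNT_JWK)
    after = ca_validate(site, token, ACCOUNT_JWK)            # correct response -> True
    other = ca_validate(site, new_challenge(), ACCOUNT_JWK)  # unrelated token -> False
    return before, after, other
```

The check passes only when the response for the CA’s fresh token appears under the domain, which is why the resulting certificate asserts control of the domain and not the operator’s identity.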

  4. Ron says:

    I wish I could use it too, but my crap host doesn’t support it. I’m going to change my host soon! What host do you recommend, guys?


  5. Pete says:

    Sounds like funding is an issue here… What happens if they go bust? I can imagine a very large number of websites going pear shape all over the world.


    • Martin says:

      Unlikely for such phenomenal growth. I’m sure it will attract more interests than not. If each website pays $1 for a year sub, they are more than good.


  6. Keith Davis says:

    Love the one-click cPanel install but unfortunately my host is not using it and not planning to use it.

    WordPress.org should take this into account when recommending hosts.


  7. Sarunas says:

    This is awesome. I am using Let’s Encrypt for my website.
    The only bit that is a bit annoying is that it only works for your domain. If you want HTTPS on your subdomains, you need to buy an HTTPS certificate.
    But this is a minor trade off. :)


    • Not true, you can get Let’s Encrypt for every subdomain. They don’t do wildcard certificates, but deploying multiple individual certificates is just as easy as deploying one.


  8. Chuck says:

    Something about this makes me nervous. First, they don’t even validate the entity they issue a cert to — so if this becomes the norm then over time the value of having a cert will be (very) diluted, as it will be a guarantee that scammers will take advantage of this setup. Public trust will dissolve.

    I believe certs should go the *other* direction, and have a cost that is affordable but meaningful – along with deep validation of the entity. I had to submit articles of incorporation and a utility bill, for my corporation when I got a certificate years ago. That seems ok to me.

    Second, 503(c) notwithstanding, they have no real way of making money so eventually this business model is going to collapse.


    • peter says:

      I completely agree with you. There needs to be real vetting to ensure 1.) the applicants who receive the certs are who they say they are, and 2.) the cert is being used by a business/organization that’s operational. No one cares if the connection is secure if the connecting server is maintained by Guccifer 3.0! I foresee free DV type certificates being deprecated at some point.


    • Miroslav Glavic says:

      The certificate is issued to a domain, not an entity.


      • Chuck says:

        I understand that. And, other than basic encryption across the wire, it is otherwise useless as a “trust” instrument. Which is contrary to what the vast majority of average users believe, when they see the padlock.


    • mark k. says:

      AFAICT the certs they produce are the lowest grade of certs, not that anyone checks the quality of certs on the site he uses.

      Let’s Encrypt is all about the Snowden-induced privacy paranoia, not about real security of any kind.


    • peter says:

      Bottom line, the Let’s Encrypt application process could be automated for thin-page junk sites or even for email phishing scams. Imagine a scenario where you believe you’re logging into your Bank of America account. You see the green padlock, but it’s not Bank of America! Eventually, the only trustworthy SSL certificates will be the EV certs.


    • Tada Burke says:

      Don’t be nervous. DV certs serve their purpose extremely well. A blog, for example, doesn’t need EV overkill. If your DNS is poisoned, you have much bigger issues than a low-level security chain.

      Successful 501(c)(3)’s make bajillion dollars every day embedded into the Econ landscape, reaping double rewards and won’t be vaporizing anytime soon.


  9. @Chuck: I do not think that “this business model is going to collapse” ;) because of the sponsors (have you seen?). Let’s Encrypt might be just an “add-on” for some big providers. Maybe we’ll see a pro version in the future (?).
    Anyway, like other providers, we are offering Let’s Encrypt for free, but we also have Comodo’s certificates for all the other requests that L.E. cannot satisfy.
    (On Plesk Panel the installation of any SSL certificate is very easy; you do not need technical knowledge at all, you just have to pay attention to put the correct information in the right fields.)


  10. Joshua says:

    We offer Let’s Encrypt SSL certs installed on both our customers’ VPS server panel backend and their website. The days of self-signed SSLs are finally behind us.


  11. Jeffr0 says:

    Can’t beat the cost of free and considering how easy it is to install on webhosting accounts that support it, I can see 2017 being a huge year for Let’s Encrypt.


  12. Jeffrey says:

    I am going to contact my hosting company to see if they support this. Fingers crossed…


  13. Just for the naysayers here, I believe the LE certificate is designed to stop passwords and other sensitive information from flying around in the clear. Especially over wireless connections. It serves that purpose well.

    Nothing is stopping anyone from using a “more secure” certificate from some other source.

