Let’s Encrypt Passes 20 Million Active Certificates in 2016

Let’s Encrypt has just closed out its first full year as a certificate authority with more than 20 million active certificates. The free and open certificate authority focuses on lowering the complexity of setting up TLS encryption by making the process more automated. It came out of beta in April 2016 and the number of certificates issued per day has grown steadily since then.

“At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates,” said Josh Aas, Executive Director of the non-profit Internet Security Research Group (ISRG). “Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently.”

Let’s Encrypt operates as a 501(c)(3) nonprofit and has received more than three dozen corporate sponsorships and grants, but funds for the coming year have fallen short. In November, Let’s Encrypt launched a crowdfunding campaign to cover the cost of one month of operating expenses. So far, the campaign has raised more than $100K towards its $200K fundraising goal.

Let’s Encrypt is Growing Fastest with Smaller, Previously-Unencrypted Sites

Let’s Encrypt is used by some larger organizations, such as WordPress.com, OVH, Shopify, Akamai, and Dreamhost, but the vast majority of users are smaller entities that were not previously encrypted. According to the Electronic Frontier Foundation (EFF), a founding sponsor of the certificate authority, most of Let’s Encrypt’s growth has not come from taking customers away from competitors:

One of the ways Let’s Encrypt has been helping to secure the web is by making it easy and affordable for sites that have never had certs before to turn on secure HTTPS connections, and for software systems to start enabling HTTPS automatically and by default. Our free certificates may be more likely to be left unused than expensive certificates, and less expert webmasters may accidentally duplicate certificates—but that’s part of making HTTPS integration available to more webmasters across a range of resource and skill levels. Statistics suggest that most of our growth has come not at the expense of other CAs, but from giving previously unencrypted sites their first-ever certificates.

EFF analyzed various sources of usage statistics and estimates that Let’s Encrypt is now the largest certificate authority on the web. Its rapid adoption has spurred impressive progress towards getting the entire web encrypted. Let’s Encrypt tracks progress by measuring the percentage of page loads using HTTPS, as seen by browsers.

“According to Firefox Telemetry, the Web has gone from approximately 39% of page loads using HTTPS each day to just about 49% during the past year,” Aas said in Let’s Encrypt’s 2016 in Review report. “We’re incredibly close to a Web that is more encrypted than not.”

The proliferation of Let’s Encrypt client options in 2016 puts the certificate authority in an even better position to continue driving web encryption in 2017. Aas attributes last year’s progress to many organizations advocating for HTTPS and working to get their sites encrypted. His team has grown from four full-time employees to nine, and he anticipates that 2017 will be a year of even greater growth.

“Much of the infrastructure and many of the plans necessary for a 100% encrypted Web came into being or solidified in 2016,” Aas said. “More and more hosting providers and CDNs are supporting HTTPS with one click or by default, often without additional fees. It has never been easier for people and organizations running their own sites to find the tools, services, and information they need to move to HTTPS.”


29 responses to “Let’s Encrypt Passes 20 Million Active Certificates in 2016”

  1. Something about this makes me nervous. First, they don’t even validate the entity they issue a cert to — so if this becomes the norm then over time the value of having a cert will be (very) diluted, as it will be a guarantee that scammers will take advantage of this setup. Public trust will dissolve.

    I believe certs should go the *other* direction, and have a cost that is affordable but meaningful – along with deep validation of the entity. I had to submit articles of incorporation and a utility bill, for my corporation when I got a certificate years ago. That seems ok to me.

    Second, 503(c) notwithstanding, they have no real way of making money so eventually this business model is going to collapse.

    • I completely agree with you. There needs to be real vetting to ensure 1.) the applicants who receive the certs are who they say they are, and 2.) the cert is being used by a business/organization that’s operational. No one cares if the connection is secure if the connecting server is maintained by Guccifer 3.0! I foresee free DV type certificates being deprecated at some point.

      • I understand that. And, other than basic encryption across the wire, it is otherwise useless as a “trust” instrument. Which is contrary to what the vast majority of average users believe, when they see the padlock.

    • Bottom line, the Let’s Encrypt application process could be automated for thin-page junk sites or even for email phishing scams. Imagine a scenario where you believe you’re logging into your Bank of America account. You see the green padlock, but it’s not Bank of America! Eventually, the only trustworthy SSL certificates will be the EV certs.

    • Don’t be nervous. DV certs serve their purpose extremely well. A blog, for example, doesn’t need EV overkill. If your DNS is poisoned, you have much bigger issues than a low-level security chain.

      Successful 501(c)(3)’s make bajillion dollars every day embedded into the Econ landscape, reaping double rewards and won’t be vaporizing anytime soon.

  2. @Chuck: I do not think that “this business model is going to collapse” ;) because of the sponsors (have you seen?). Let’s Encrypt might be just an “add-on” for some big providers. Maybe we’ll see a pro version in the future (?).
    Anyway, like other providers, we are offering Let’s Encrypt for free, but we also have Comodo’s certificates for all the other requests that L.E. cannot satisfy.
    (On Plesk Panel the installation of any SSL certificate is very easy; you do not need technical knowledge at all, you just have to pay attention to put the correct information in the right fields).

  3. Just for the naysayers here, I believe the LE certificate is designed to stop passwords and other sensitive information from flying around in the clear. Especially over wireless connections. It serves that purpose well.

    Nothing is stopping anyone from using a “more secure” certificate from some other source.

