Let’s Encrypt has just closed out its first full year as a certificate authority with more than 20 million active certificates. The free and open certificate authority focuses on lowering the complexity of setting up TLS encryption by making the process more automated. It came out of beta in April 2016 and the number of certificates issued per day has grown steadily since then.
“At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates,” said Josh Aas, Executive Director of the non-profit Internet Security Research Group (ISRG). “Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently.”
Let’s Encrypt operates as a 501(c)(3) nonprofit and has received more than three dozen corporate sponsorships and grants, but funds for the coming year have fallen short. In November, Let’s Encrypt launched a crowdfunding campaign to cover the cost of one month of operating expenses. So far, the campaign has raised more than $100K towards its $200K fundraising goal.
Let’s Encrypt is Growing Fastest with Smaller, Previously-Unencrypted Sites
Let’s Encrypt is used by some larger organizations, such as WordPress.com, OVH, Shopify, Akamai, and Dreamhost, but the vast majority of users are smaller entities whose sites were not previously encrypted. According to the Electronic Frontier Foundation (EFF), a founding sponsor of the certificate authority, most of Let’s Encrypt’s growth has not come from taking customers away from competitors:
“One of the ways Let’s Encrypt has been helping to secure the web is by making it easy and affordable for sites that have never had certs before to turn on secure HTTPS connections, and for software systems to start enabling HTTPS automatically and by default. Our free certificates may be more likely to be left unused than expensive certificates, and less expert webmasters may accidentally duplicate certificates—but that’s part of making HTTPS integration available to more webmasters across a range of resource and skill levels. Statistics suggest that most of our growth has come not at the expense of other CAs, but from giving previously unencrypted sites their first-ever certificates.”
EFF analyzed various sources of usage statistics and estimates that Let’s Encrypt is now the largest certificate authority on the web. Its rapid adoption has spurred impressive progress towards getting the entire web encrypted. Let’s Encrypt tracks progress by measuring the percentage of page loads using HTTPS, as seen by browsers.
“According to Firefox Telemetry, the Web has gone from approximately 39% of page loads using HTTPS each day to just about 49% during the past year,” Aas said in Let’s Encrypt’s 2016 in Review report. “We’re incredibly close to a Web that is more encrypted than not.”
The proliferation of Let’s Encrypt client options in 2016 puts the certificate authority in an even better position to continue driving web encryption in 2017. Aas attributes last year’s progress to many organizations advocating for HTTPS and working to get their sites encrypted. His team has grown from four full-time employees to nine, and he anticipates that 2017 will be a year of even greater growth.
“Much of the infrastructure and many of the plans necessary for a 100% encrypted Web came into being or solidified in 2016,” Aas said. “More and more hosting providers and CDNs are supporting HTTPS with one click or by default, often without additional fees. It has never been easier for people and organizations running their own sites to find the tools, services, and information they need to move to HTTPS.”