CASE STUDY: LET'S ENCRYPT
Let’s Encrypt is a free, automated and open certificate authority, run for the public’s benefit as a 501(c)(3) and supported organizationally by The Linux Foundation. The objective of Let’s Encrypt is to help achieve 100% encryption of the Web. Let’s Encrypt provides free standard and wildcard domain validation (DV) certificates that enable a website to encrypt its communications via HTTPS. The Let’s Encrypt process is simplified, automated and available globally. These unique attributes make Let’s Encrypt ideal for large organizations that need to alleviate financial burden and automate deployment at scale. Let’s Encrypt is also ideal for individual users, particularly those in underserved markets, who may lack the funds and technical skill to otherwise deploy HTTPS.
Personal and business information flows over the Web with the actions we take in our daily browsing, and we often don’t know it’s happening. In essence, every website should use TLS (the successor to SSL) everywhere to protect its communications over the Web. Every browser in every device supports it. Every server in every data center supports it. HTTPS has been around for over 20 years, but only 68% of daily page loads were encrypted at the end of 2017. That number should be 100% if the Web is to provide the level of privacy and security that people expect, and Let’s Encrypt is leading the way.
Before the formation of Let’s Encrypt there was a potentially significant cost to administering server certificates. Let’s Encrypt is a free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.
It was also difficult to get even a basic certificate through conventional means. It was simply too much of a hassle for many server operators. The application process was confusing. It usually cost money. A certificate was tricky to install correctly and difficult to update. Let’s Encrypt removed these barriers by going further in terms of end-to-end automation and extensibility, both in getting certificates and in installing them.
“Cisco is committed to improving the security of the Internet, not only for our customers and partners, but for everyone else as well. Let’s Encrypt has been doing impressive work toward that goal. Our support of this community towards real-time, on-demand certificates will make the Internet more secure.”
– David Ward, CTO of Engineering and Chief Architect at Cisco
Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan started working through the Internet Security Research Group (“ISRG”) to create Let’s Encrypt and deliver this much-needed infrastructure in 2014. The Linux Foundation is providing the infrastructure and operational support for Let’s Encrypt using its collaborative model for open source projects.
The key principles behind Let’s Encrypt are:
- Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
- Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
- Secure: Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.
- Transparent: All records of certificate issuance and revocation are available to anyone who wishes to inspect them. Twice annually a Legal Transparency report will be published to ensure users have visibility regarding legal requests.
- Open: The automated issuance and renewal protocol is an open standard and as much of the software as possible will be open source.
- Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.
“Encryption is critical to security and privacy on the Web, and by working with Let’s Encrypt, OVH is showing our commitment to bringing the protections of HTTPS to Web users worldwide.”
– Pascal Jaillon, Vice President of Product Management, OVH US
In September 2015 Let’s Encrypt issued their first certificate, and just seven months later, they issued their millionth certificate. At the close of 2017, Let’s Encrypt certificates secured over 60 million websites worldwide and ranked as one of the largest certificate authorities.
Throughout this period of incredible growth, support for the effort has also increased. OVH joined Cisco and Akamai as Platinum sponsors with three-year commitments. Mozilla, Google Chrome and the Electronic Frontier Foundation (EFF) provide support through their Platinum contributions. The Ford Foundation also awarded Let’s Encrypt a two-year grant in 2017. Squarespace, DigitalOcean, Fastly, Automattic and many others have joined the ranks of over 35 Silver sponsors. Let’s Encrypt is actively seeking additional sponsorships and welcomes inquiries at: firstname.lastname@example.org.
Let’s Encrypt has received a considerable boost from industry endorsement, with major hosting companies like OVH, WordPress.com, Jimdo, and Sakura Internet helping many sites move to HTTPS with Let’s Encrypt. Based on numbers Mozilla gathers from Firefox users, encrypted sites now account for more than 68 percent of page visits, compared with 39.5 percent just before Let’s Encrypt launched. The automatic inclusion of HTTPS by hosting providers helps protect users against surveillance of content and communications, cookie theft, account hijacking, and other Web security flaws.