Update, 4/12/16, 10:15am PT: Let's Encrypt has left beta after issuing more than 1.7 million certificates that are protecting more than 3.8 million websites. The non-profit group behind the Let's Encrypt Certificate Authority said that it has gained "tremendous operational experience and confidence" in its systems, so the beta label was no longer necessary.
The group, which includes non-profit organizations such as EFF and Mozilla as members, as well as companies such as Cisco, Akamai, and OVH.com, recently added Gemalto as a Gold sponsor and HP Enterprise, Fastly, Duda, and ReliableSite.net as Silver sponsors. Cisco and Akamai also extended their Platinum membership for another three years.
Let's Encrypt hopes to play a major role in encrypting 100% of the web, and so far it has received strong support from the industry and from web developers looking to encrypt their websites.
Let’s Encrypt has issued its 1 millionth certificate since it launched as a public beta service about three months ago. Because one certificate can cover multiple domain names, the number of encrypted domains that use Let’s Encrypt certificates is actually 2.5 million.
The EFF, which is one of the founding members of Let’s Encrypt, said that 90 percent of these domains had previously never used HTTPS encryption. That means Let’s Encrypt’s free certificate service has had a major impact in getting web developers to encrypt their websites.
Those developers might not have adopted HTTPS encryption so quickly otherwise, due to the relatively high cost and difficulty of installing a certificate. Let’s Encrypt is completely free, easy to install, and can be auto-renewed every three months.
“It is clear that the cost and bureaucracy of obtaining certificates was forcing many websites to continue with the insecure HTTP protocol, long after we've known that HTTPS needs to be the default. We're very proud to be seeing that change, and helping to create a future in which newly provisioned websites are automatically secure and encrypted,” said the EFF in a recent announcement.
Although Let’s Encrypt has played a big role in making the transition to HTTPS from the insecure HTTP protocol easy, there have been other factors that made the recent high adoption of HTTPS possible.
The Chrome and Firefox browsers also played their part when their respective teams announced that many features that worked over HTTP would soon be deprecated, pushing developers to adopt HTTPS.
The arrival of the HTTP/2 standard, thanks to Google and the IETF, and the improvement in hardware and Internet connectivity performance over the past few years also meant that HTTPS encryption no longer had a prohibitive overhead in terms of CPU and bandwidth usage.
Google was also the first search engine to give a boost to HTTPS websites, encouraging web developers yet again to encrypt their websites. All of these factors, and more, created a perfect storm of sorts that left web developers with no excuse not to adopt HTTPS.
Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu.
There's not much more a third-party certificate can do that that kind of setup won't, as a user having a client certificate is how you validate who they are. That said, I personally don't like swapping passwords for client certificates; I prefer to use both together for the added security, but there are other options such as certificate + multi-factor authentication.
Anyway, that's a bit of an aside; I'm using Let's Encrypt for my domains, though I'm currently having to issue some individual certificates for sub-domains due to the way that they're created, which I'll have to try to sort out at some point. It's possible other users are doing the same, and it's unclear if that 1 million metric includes renewals, since the recommendation for Let's Encrypt is to renew every month (well short of the 90 day expiration time).
About to get lots of really believable Banking Phishing emails