Let’s Encrypt Turns Ten (letsencrypt.org)
Josh Aas, of Let’s Encrypt:
On September 14, 2015, our first publicly-trusted certificate went live. We were proud that we had issued a certificate that a significant majority of clients could accept, and had done it using automated software. Of course, in retrospect this was just the first of billions of certificates. Today, Let’s Encrypt is the largest certificate authority in the world in terms of certificates issued, the ACME protocol we helped create and standardize is integrated throughout the server ecosystem, and we’ve become a household name among system administrators. We’re closing in on protecting one billion web sites.
Via Ben Werdmuller:
A decade ago, only organizations with money, patience, and technical support could reliably encrypt their sites. Everyone else — small nonprofits, bloggers, community groups, activists — were effectively told that their work wasn’t important enough to deserve confidentiality. Let’s Encrypt leveled that playing field.
It truly changed the web, ushering in an era where most browsers effectively assume connections will be made over HTTPS and treat plain HTTP as an anomaly. The push for security has its critics, most notably Dave Winer, who promises HTTP forever. On the whole, though, it is difficult not to see Let’s Encrypt as revolutionary. This very website has a certificate issued by them.
An ironic side effect of the popularity of Let’s Encrypt is that its Certificate Transparency logs are a fruitful resource for bots and bad actors looking for new domains to exploit. A 2023 paper by Stijn Pletinckx, et al. (PDF) describes how automated traffic began hitting test servers “just seconds after publishing the [certificate log] entry”, compared to no attempts against domains without a certificate. This traffic typically looks like attempts to find unpatched vulnerabilities, such as basic SQL injection strings and bugs in common WordPress plugins. This abuse of C.T. logs is not unique to Let’s Encrypt, but it is popular and free, and that makes its logs a target-rich environment. Nor is this a reason to avoid using Let’s Encrypt. It just means that anyone installing an HTTPS certificate needs to be cautious about what is on their server from the moment they decide to do so.
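The practical consequence of the paragraph above is that the minutes right after a certificate is issued are worth watching in the web server’s access log. The following script is an added example, not code from the post or from Let’s Encrypt: it reads Combined Log Format lines, keeps only requests inside a window after an assumed issuance timestamp, and flags the kind of probe paths and encoded SQL injection markers the paper describes. The log lines, the issuance time and the signature patterns are all constructed for the example; on a real server you would feed it the actual log and the “Not Before” time from the certificate.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample access log (Combined Log Format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Sep/2025:10:00:12 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Sep/2025:10:00:31 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.3 - - [14/Sep/2025:10:00:32 +0000] "GET /wp-content/plugins/example/readme.txt HTTP/1.1" 404 153 "-" "python-requests/2.31"
198.51.100.9 - - [14/Sep/2025:10:00:40 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [14/Sep/2025:11:30:00 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Assumed certificate "Not Before" time for the constructed sample.
ISSUED_AT = datetime(2025, 9, 14, 10, 0, 0, tzinfo=timezone.utc)

# Combined Log Format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Detection signatures (constructed, illustrative): paths that only make sense on a
# WordPress/PHP install, and decoded query strings carrying SQL injection markers.
PROBE_PATHS = re.compile(r"(?i)(wp-login\.php|xmlrpc\.php|/wp-content/plugins/|/\.env$|phpmyadmin)")
SQLI_MARKERS = re.compile(r"(?i)('\s*or\s|union\s+select|;\s*drop\s|--\s*$)")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_probe(path):
    """True when the request path looks like vulnerability scanning rather than a visitor."""
    decoded = unquote(path)  # reveals %27 -> ' and %20 -> space before matching
    return bool(PROBE_PATHS.search(decoded) or SQLI_MARKERS.search(decoded))


def analyze(log_text, issued_at, window_minutes=5):
    """Summarise traffic in the window after certificate issuance.

    Returns total requests in the window, how many look like probes, the set of
    source IPs that sent probes, and the decoded probe paths for a human to review.
    """
    window_end = issued_at + timedelta(minutes=window_minutes)
    total = 0
    probes = []
    sources = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (issued_at <= rec["ts"] <= window_end):
            continue
        total += 1
        if is_probe(rec["path"]):
            probes.append((rec["ip"], unquote(rec["path"]), rec["ua"]))
            sources.add(rec["ip"])
    return {
        "total_in_window": total,
        "probes_in_window": len(probes),
        "probe_sources": sources,
        "probe_details": probes,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, ISSUED_AT)
    print(f"{result['probes_in_window']} of {result['total_in_window']} requests in the "
          f"first 5 minutes after issuance look like probes, from {sorted(result['probe_sources'])}")
    for ip, path, ua in result["probe_details"]:
        print(f"  {ip}  {path}  ({ua})")
```

Run against the sample, the script reports three probe-like requests out of four within the window, all from hosts that never appear as normal visitors; the legitimate request at 11:30 falls outside the window and is ignored. The useful habit this encourages is the one the paragraph above recommends: know what a brand-new host is serving before the certificate lands in the log, and treat the first burst of 404s for WordPress paths as expected background noise rather than a sign of compromise.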