3 Lessons in Web Encryption from Let’s Encrypt

23

As exciting as 2016 was for encryption on the Web, 2017 seems set to be an even more incredible year. Much of the infrastructure and many of the plans necessary for a 100 percent  encrypted Web really solidified in 2016, and the Web will reap the rewards in 2017. Let’s Encrypt is proud to have been a key part of that.

But before we start looking ahead, it’s helpful to look back and see what our project learned from our exciting first full year as a live certificate authority (CA). I’m incredibly proud of what our team and community accomplished during 2016. I’d like to share how we’ve changed, what we’ve accomplished, and what we’ve learned.

At the start of 2016, Let’s Encrypt was supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 22 million active certificates in total.

We added several new features during the past year, including support for the ACME DNS challenge, ECDSA signing, IPv6, and IDN.

We were accepted into the Mozilla, Apple, and Google root programs. And we’re close to announcing acceptance into another major root program. These are major steps towards being able to operate as an independent CA. You can read more about why here.

Finally, supporting the kind of growth we saw in 2016 meant adding staff, and during the past year Internet Security Research Group (ISRG), the non-profit entity behind Let’s Encrypt, went from four full-time employees to nine. We’re still a pretty small crew given that we’re now one of the largest CAs in the world (if not the largest), but it works because of our intense focus on automation, the fact that we’ve been able to hire great people, and because of the incredible support we receive from the Let’s Encrypt community.

Let’s Encrypt is a Linux Foundation collaborative project whose mission is to help create a 100 percent encrypted Web. Our own metrics can be interesting, but they’re only really meaningful in terms of the impact they have on progress towards a more secure and privacy-respecting Web. Here are three big takeaways from our work in 2016 that we plan to build on this year in pursuit of our goal.

3 Lessons from Let’s Encrypt in 2016

1. Getting and managing certificates needs to be easy

The metric we use to track progress towards full Web encryption is the percentage of page loads using HTTPS, as seen by browsers. According to Firefox Telemetry, the Web has gone from approximately 39 percent of page loads using HTTPS each day to just about 49 percent during the past year.

We’re incredibly close to a Web that is more encrypted than not.

We’re proud to have been a big part of that, but we can’t take credit for all of it. Many people and organizations around the globe have come to realize that we need to invest in a more secure and privacy-respecting Web, and have taken steps to secure their own sites as well as their customers’.

What many of these efforts have in common is that they focus on making the switch to HTTPS easy, and that’s why so many sites have switched in the past year. Some providers moved sites to HTTPS by default, without site owners having to do anything. Some providers made HTTPS a one-click option. Others made the switch easier in various ways and greatly improved documentation. Let’s Encrypt offers a simple API for everyone to use, and our community has created great tools to make life easier.

2. Bugs happen and transparency is key

We learned some technical lessons this year. When we had service interruptions they were usually related to managing the rapidly growing database backing our CA. Also, while most of our code had proper tests, some small pieces didn’t and that led to incidents that shouldn’t have happened.That said, I’m proud of the way we handle incidents promptly, including quick and transparent public disclosure.

We’ve done a lot of optimization work, we’ve had to add some hardware and improve our testing, and there have been some long nights for our staff, but we’ve been able to keep up and we’re ready for another year of strong growth.

3. We need a strong community to create a diverse set of great ACME clients

We also learned a lot about our client ecosystem. At the beginning of 2016, ISRG/Let’s Encrypt provided client software called letsencrypt. We’ve always known that we would never be able produce software that would work for every Web server/stack, but we felt that we needed to offer a client that would work well for a large number of people and that could act as a sort of reference client.

By March of 2016, earlier than we had foreseen, it had become clear that our community was up to the task of creating a wide range of quality clients, and that our energy would be better spent fostering that community than producing our own client. That’s when we made the decision to hand off development of our client to the Electronic Frontier Foundation (EFF). EFF renamed the client to Certbot and has been doing an excellent job maintaining and improving it as one of many client options.

We thank everyone who contributed to our client ecosystem and also those who have installed a Let’s Encrypt certificate. Each of these conversions from HTTP to HTTPS make the Web a little bit more secure. Let’s Encrypt is a 501(c)3 nonprofit, so we are also grateful to our sponsors, for making our successes this past year possible.

Please consider getting involved or making a donation, and if your company or organization would like to sponsor Let’s Encrypt, please email us at sponsor@letsencrypt.org.