
posted by chromas on Wednesday September 19 2018, @12:50PM
from the 🔒 dept.

Submitted via IRC for Fnord666

The free-to-use nonprofit was founded in 2014 in part by the Electronic Frontier Foundation and is backed by Akamai, Google, Facebook, Mozilla and more. Three years ago Friday, it issued its first certificate.

Since then, the numbers have exploded. To date, more than 380 million certificates have been issued on 129 million unique domains. That also makes it the largest certificate issuer in the world, by far.

Now, 75 percent of all Firefox traffic is HTTPS, according to public Firefox data, in part thanks to Let's Encrypt. That's a massive increase from when it was founded, when only 38 percent of website page loads were served over an HTTPS encrypted connection.

"Change at that speed and scale is incredible," a spokesperson told TechCrunch. "Let's Encrypt isn't solely responsible for this change, but we certainly catalyzed it."

Source: https://techcrunch.com/2018/09/14/three-years-later-lets-encrypt-now-secures-75-of-the-web/

Previously: "Let's Encrypt" Has Issued 1 Million Certificates
Let's Encrypt Issues 100 Millionth Certificate
Let's Encrypt is Now Officially Trusted by All Major Root Programs


Related Stories

"Let's Encrypt" Has Issued 1 Million Certificates 32 comments

The Let's Encrypt Certificate Authority has issued its millionth certificate:

At 9:04am GMT today, the Let's Encrypt Certificate Authority issued its millionth certificate. This is an amazing success, coming only 3 months and 5 days since a beta version of the service became publicly available. We're very excited to be building a more secure and fully encrypted future for the World Wide Web.

A million certificates is in itself pretty good progress. But a single certificate can cover multiple domain names, and the million certificates Let's Encrypt has issued are actually valid for 2.5 million fully-qualified domain names, over 90% of which had never been reachable by browser-valid HTTPS before.

[...] EFF co-founded the Let's Encrypt CA with Mozilla and researchers from the University of Michigan. Akamai and Cisco provided significant financial support for the launch, and many other organizations have stepped up to sponsor the project since launch. If you'd like to help, you can donate to EFF or ISRG, or if you're a coder, help us to improve the server or client software.

Also at Tom's Hardware.


Let's Encrypt Issues 100 Millionth Certificate 5 comments

http://www.tomshardware.com/news/let-s-encrypt-100-million-certificates,34908.html

Let's Encrypt, a Certificate Authority (CA) managed by a non-profit organization whose members include Mozilla and the Electronic Frontier Foundation, among others, reached a milestone of 100 million issued certificates.

[...] When Let's Encrypt's service was first made available, less than 40% of the web was using HTTPS encryption, a milestone that took 20 years to reach, according to the nonprofit. Let's Encrypt has been available for less than two years, and due largely to its free service, 58% of the web now uses HTTPS encryption.

Previously: "Let's Encrypt" Has Issued 1 Million Certificates

[Ed. Note: SoylentNews uses Let's Encrypt certs for its development and Wiki pages, among others.]


Let's Encrypt is Now Officially Trusted by All Major Root Programs 9 comments

Submitted via IRC for SoyCow1984

Let's Encrypt announced yesterday that they are now directly trusted by all major root certificate programs including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems.

Source: https://www.bleepingcomputer.com/news/security/lets-encrypt-is-now-officially-trusted-by-all-major-root-certificates/

https://www.securityweek.com/lets-encrypt-now-trusted-all-major-root-programs:

[...] At the end of July 2018, Let's Encrypt received direct trust from Microsoft products, which resulted in it being trusted by all major root programs. The CA's certificates are cross-signed by IdenTrust, and have been widely trusted since the beginning.

"Browsers and operating systems have not, by default, directly trusted Let's Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one," noted Josh Aas, Executive Director of ISRG.

[...] While some of these [older operating systems, browsers, and devices] are expected to be updated to trust the CA, others won't, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let's Encrypt will continue to use a cross signature [from IdenTrust].


Let’s Encrypt: An Automated Certificate Authority to Encrypt the Entire Web 30 comments

Professor J. Alex Halderman, the noted election security researcher, along with his co-authors, have published a summary of Let's Encrypt, its components, and what it does. (Warning for PDF.) The service Let's Encrypt is a free, automated, open certificate authority (CA) to provide TLS certificates. These are usually for web sites, enabling them to provide HTTPS connections.

Since its launch in late 2015, Let's Encrypt has grown to become the world's largest HTTPS CA, accounting for more currently valid certificates than all other browser-trusted CAs combined. By January 2019, it had issued over 538 million certificates for 223 million domain names. We describe how we built Let's Encrypt, including the architecture of the CA software system (Boulder) and the structure of the organization that operates it (ISRG), and we discuss lessons learned from the experience. We also describe the design of ACME, the IETF-standard protocol we created to automate CA–server interactions and certificate issuance, and survey the diverse ecosystem of ACME clients, including Certbot, a software agent we created to automate HTTPS deployment. Finally, we measure Let's Encrypt's impact on the Web and the CA ecosystem. We hope that the success of Let's Encrypt can provide a model for further enhancements to the Web PKI and for future Internet security infrastructure.

[...] Prior to our work, a major barrier to wider HTTPS adoption was that deploying it was complicated, expensive, and error-prone for server operators. Let's Encrypt overcomes these through a strategy of automation: identity validation, certificate issuance, and server configuration are fully robotic, which also results in low marginal costs and enables the CA to provide certificates at no charge. We designed Let's Encrypt to scale to the size of the entire Web. In just over three years of operation, it is well on its way: it has issued over 538 million certificates and accounts for more valid browser-trusted certificates than all other CAs combined. We hope that in the near future, clients will start using HTTPS as the default Web transport. Eventually, we may marvel that there was ever a time when Web traffic traveled over the Internet as plaintext.

Let's Encrypt: An Automated Certificate Authority to Encrypt the Entire Web, Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, Pages 2473-2487 (DOI: 10.1145/3319535.3363192)

Earlier on SN:
Let's Encrypt to Transition to ISRG Root (2019)
Three Years Later, Let's Encrypt Has Issued Over 380 Million HTTPS Certificates (2018)
Let's Encrypt is Now Officially Trusted by All Major Root Programs (2018)
Let's Encrypt Takes Free "Wildcard" Certificates Live (2018)
Free Certs Come With a Cost (2017)
Let's Encrypt Issues 100 Millionth Certificate (2017)
Let's Encrypt Won its Comodo Trademark Battle - but Now Fan Tools Must Rename (2016)
Let's Encrypt Gets Automation (2015)


  • (Score: 5, Informative) by Anonymous Coward on Wednesday September 19 2018, @01:26PM (6 children)

    by Anonymous Coward on Wednesday September 19 2018, @01:26PM (#737019)

    320m certificates. That's about 80 million-years of certificates (assuming 3 month duration per certificate) and since generally those "domain-validations" were costing something like $20/year from many places, this is $1.6 BILLION in lost revenue for the poor, poor, oh so poor registrars....

    Maybe we need realDonaldTrump to chime in on how this is robbing "good", "honest" business of so much money.

    And yes, this is sarcasm. CA business should be no-business as very little value is added there and only many points of failure.

    • (Score: 5, Informative) by Pino P on Wednesday September 19 2018, @05:58PM (1 child)

      by Pino P (4721) on Wednesday September 19 2018, @05:58PM (#737149) Journal

      Despite Let's Encrypt, there's still no public key infrastructure for the Internet of Things. So the real money is in domain names.

      You need a fully qualified domain name to get a certificate. Though the annual fee for a domain name is a long-accepted part of the cost of operating a public website, it traditionally hasn't been seen as such for an appliance on a home local area network (LAN), such as a router, network printer, or network attached storage (NAS) device.

      The Baseline Requirements for TLS CAs forbid issuing a certificate for an IP address in private network space reserved pursuant to RFC 1918 (10/8, 172.16/12, or 192.168/16) or for a hostname within a reserved top-level domain (such as .local or .internal). Let's Encrypt issues only 20 certificates per week under a particular registrable domain, as defined by Mozilla's Public Suffix List. This means a dynamic DNS user may not be able to obtain a certificate if the provider isn't on the PSL or does not support TXT records. So the only ways to obtain a certificate are A. use one of the few dynamic DNS providers that are on the PSL and support TXT records, B. pray that all your devices' browsers support checking the key fingerprint of a self-signed certificate, or C. pay money for a domain name from a commercial registrar and continue to pay to keep it renewed. This domain name registration fee introduces a new ongoing cost of operating an appliance on a LAN that did not exist before the movement to encrypt the web.

      Some people have claimed that one need not worry about encryption on a LAN. The problem with just punting on HTTPS is that new web platform features work only in what the W3C has called "secure contexts" [pineight.com]. When a website served over cleartext HTTP uses a script API reserved for secure contexts, the browser will raise a security exception. The spec trusts localhost but not a LAN because user agents cannot distinguish your trusted home network from an untrusted coffee shop network using the same RFC 1918 space. Some, such as the Presentation API, already require a secure context, which may interfere with ability to stream video from your NAS to your TV. There are also indications that browser publishers will soon retrofit the requirement of a secure context to other APIs relevant to video, such as the Fullscreen API.
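The constraints Pino P lays out, as an added example that is not Let's Encrypt, Boulder or ACME client code: RFC 1918 addresses and reserved TLDs are refused, the registrable domain is derived from a constructed stand-in for Mozilla's Public Suffix List, and issuance is capped at the 20 per week the comment quotes, so customers of a dynamic-DNS provider whose zone is not on the PSL share one bucket while those under the hypothetical PSL-listed suffix `dyn.example` each get their own.

```python
"""Added example modelling the comment's three constraints: RFC 1918 addresses
and reserved TLDs are not issuable, the registrable domain is defined by the
Public Suffix List, and issuance is capped per registrable domain per week
(20, the figure quoted in the comment). Not Let's Encrypt or ACME code; the
PSL subset and the 'dyn.example' provider zone are constructed for the demo."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_TLDS = ("local", "internal")

# Constructed stand-in for the PSL: a few public suffixes plus one hypothetical
# dynamic-DNS provider that has registered its zone as a (private) suffix.
PSL = {"com", "net", "org", "co.uk", "dyn.example"}


def registrable_domain(name):
    """Longest matching suffix plus one label; None if the name is itself a suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # i == 0 tests the whole name first
        if ".".join(labels[i:]) in PSL:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def issuance_blocker(name):
    """Return None if a publicly trusted CA may issue for `name`, else the reason."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if any(addr in net for net in PRIVATE_NETS):
            return "RFC 1918 private address"
        return None                        # public IP: outside this check's scope
    tld = name.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in RESERVED_TLDS:
        return f"reserved TLD .{tld}"
    if registrable_domain(name) is None:
        return "no registrable domain"
    return None


class WeeklyLimit:
    """Issuance counter keyed by registrable domain over a sliding seven-day window."""
    def __init__(self, limit=20, window=timedelta(days=7)):
        self.limit, self.window = limit, window
        self.issued = defaultdict(list)

    def try_issue(self, name, now):
        key = registrable_domain(name)
        recent = [t for t in self.issued[key] if now - t < self.window]
        self.issued[key] = recent
        if len(recent) >= self.limit:
            return False                   # every host under the zone shares this bucket
        recent.append(now)
        return True


def simulate(provider_zone, customers, now=datetime(2018, 9, 19, 12, 50)):
    """Count how many `customers` hostnames under `provider_zone` get a cert this week."""
    limiter = WeeklyLimit()
    return sum(limiter.try_issue(f"{c}.{provider_zone}", now) for c in customers)
```

With 25 customers, `simulate("dyn.example", ...)` issues all 25 because each customer is its own registrable domain, while `simulate("notonpsl.org", ...)` stops at 20.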

      • (Score: 2) by PartTimeZombie on Wednesday September 19 2018, @10:13PM

        by PartTimeZombie (4827) on Wednesday September 19 2018, @10:13PM (#737264)

        Thank you for taking the time to write that out.

        I learned something new.

    • (Score: 2) by bob_super on Wednesday September 19 2018, @06:28PM

      by bob_super (1357) on Wednesday September 19 2018, @06:28PM (#737162)

      The registrars need to learn from the **AA how to get laws to transform every sale you don't get into an official actionable loss from theft.

    • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @09:39PM (2 children)

      by Anonymous Coward on Wednesday September 19 2018, @09:39PM (#737245)

      You're making the RIAA/MPAA mistake there: most of these sites would not have been using HTTPS without Let's Encrypt. So that's not really lost revenue.

  • (Score: 1, Disagree) by Anonymous Coward on Wednesday September 19 2018, @01:53PM (5 children)

    by Anonymous Coward on Wednesday September 19 2018, @01:53PM (#737026)

    Change at that scale may be incredible, but that didn't make it right. Did nobody really consider that Akamai, Google, Facebook, Mozilla, and more have a better shot at revenue when information is commoditized?

    "What's that got to do with free information?"

    Free information does not need encryption.

    • (Score: 2) by zocalo on Wednesday September 19 2018, @02:14PM

      by zocalo (302) on Wednesday September 19 2018, @02:14PM (#737032)

      In some circumstances of data at rest perhaps, but encryption (especially of the kind we're talking about here, TLS) also helps data in transit to *be* free, so it's a double edged sword. For instance, consider the implications of TLS for data in transit when trying to access information from a country where local legislation might render it decidedly not free, even if it's perfectly legal in most of the rest of the world.

      --
      UNIX? They're not even circumcised! Savages!
    • (Score: 2, Interesting) by splenolymph on Wednesday September 19 2018, @02:24PM (3 children)

      by splenolymph (5495) on Wednesday September 19 2018, @02:24PM (#737038)

      SSL doesn't have that much to do with freedom of information. The access to the certs is freely packaged. It's some sort of fallacy to think because the connection to retrieve info was cryptographically secured (hang on, did money change hands?), that the information transmitted securely wouldn't be free.

      To put it another way, I'd rather see the page as the server intended it, rather than risk seeing something a man-in-the-middle bad actor wanted me to see, which is very easily manipulated in an insecure connection and relatively harder with a server with letsencrypt-signed certs.

      • (Score: 4, Interesting) by theluggage on Wednesday September 19 2018, @03:31PM (2 children)

        by theluggage (1797) on Wednesday September 19 2018, @03:31PM (#737071)

        It's some sort of fallacy to think because the connection to retrieve info was cryptographically secured (hang on, did money change hands?), that the information transmitted securely wouldn't be free.

        Mainly agree, except... the drive to effectively stamp out unencrypted http (which LetsEncrypt helps enable) does mean that anybody wanting to publish a website now has the additional hurdle of having to obtain a certificate - a service that can only be performed by someone with the power to get - and keep - their root certificate accepted by the big-name browsers and operating systems. You can't just fork your own CA service unless the Big Guys trust your certificates.

        So, a few years down the line, Sirius Cybernetics Corp decides they've got a big enough monopoly to stop trusting LetsEncrypt certificates (because security!) and, suddenly, anybody trying to visit an independent website from their PhoneOMatic(tm) has, at best, to wade through a series of "Here be dragons!" warnings, if not be totally blocked. Or, the Bad Guys manage to infiltrate LetsEncrypt and shut it down or start charging...

        OK, so that will have to join the queue with all the other "How the Bad Hats could destroy the Internet" scenarios - but like all apparently "good things", compulsory encryption has its possible risks.

        The other slight danger is that the general public might be misled as to how much "security" HTTPS really offers (the phrase "putting a steel door on a tent" springs to mind) - really, we're getting to the point that for anything beyond everyday privacy, certainly any financial information, you should expect "Extended validation" - and even that isn't perfect (and could also be abused by The Man to regulate access to the internet).

        Ultimately, the problem is that you can't have any sort of strong security that is 100% transparent for the end user.

        That said, LetsEncrypt is a great service.

        • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @06:03PM (1 child)

          by Anonymous Coward on Wednesday September 19 2018, @06:03PM (#737152)

          So, a few years down the line, Sirius Cybernetics Corp decides they've got a big enough monopoly to stop trusting LetsEncrypt certificates (because security!) and, suddenly, anybody trying to visit an independent website from their PhoneOMatic(tm) has, at best, to wade through a series of "Here be dragons!" warnings, if not be totally blocked. Or, the Bad Guys manage to infiltrate LetsEncrypt and shut it down or start charging...

          I'm guessing that people would notice that their PhoneOMatics are the only things having this issue and would advise others not to buy that device. Or they could call up their Customer Complaints Department, which I hear is extensive.

          • (Score: 3, Funny) by theluggage on Wednesday September 19 2018, @09:25PM

            by theluggage (1797) on Wednesday September 19 2018, @09:25PM (#737235)

            I'm guessing that people would notice that their PhoneOMatics are the only things having this issue and would advise others not to buy that device.

            Fortunately, the tech industry never spawns near-monopolies who can use their market dominance to extinguish smaller competitors and foist inferior products on the masses of customers - who mostly wouldn't give a fuck as long as their PhoneOMatics work with Facebook, Twitter and Youtube. Oh, wait...

            ...and Google would be finished if people found they suddenly couldn't access Soylent News from Chrome.

            Apple weren't even in a dominant position when they released an iPhone that couldn't run Flash (SPOILER: Flash lost - good riddance, maybe, but it still lost) - what could they do now that they're a $1-trillion monster who can persuade their customers to pay $1200 for a phone with no headphone jack or SD slot?

            Everybody seems to agree that Facebook is evil, but somehow they're still here.

            Windows 10 serves adverts on the start menu and likes to reboot to install updates 10 minutes into your big presentation. Again, still here.

            Yesterday, Tim Cook broke into my house, killed my pet rabbit and left it boiling on the stove... I'd dump my Mac in protest except I already ripped all of my CD library into iTunes and I've got all of these USB sticks in HFS format. The stew wasn't bad, either.

  • (Score: 4, Insightful) by splenolymph on Wednesday September 19 2018, @02:18PM (1 child)

    by splenolymph (5495) on Wednesday September 19 2018, @02:18PM (#737035)

    One of the best things that happened to the internet. The people behind it deserve manifold more credit and thanks than they have received. If I knew they were in the room I'd just start clapping. :D

    • (Score: 2) by PartTimeZombie on Wednesday September 19 2018, @10:18PM

      by PartTimeZombie (4827) on Wednesday September 19 2018, @10:18PM (#737270)

      An Internet Security Nobel Prize would be of much more value than a Nobel Prize for Economics at least.

  • (Score: 2) by SomeGuy on Wednesday September 19 2018, @07:25PM (2 children)

    by SomeGuy (5632) on Wednesday September 19 2018, @07:25PM (#737179)

    "We are HTTPS of Borg. Your internet has been assimilated. Resistance is futile. Because security!"

    What was that? All I could hear is "The site uses a security protocol which isn't enabled"

    • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 19 2018, @08:01PM (1 child)

      by Anonymous Coward on Wednesday September 19 2018, @08:01PM (#737189)

      All I see is quite often websites I visit break down with certificate problems, browser refuses to go there so I lose that access. https is a genius way to censor the web!

      • (Score: -1, Troll) by Anonymous Coward on Thursday September 20 2018, @12:53AM

        by Anonymous Coward on Thursday September 20 2018, @12:53AM (#737318)

        It may be censorship but the party at fault is your shitty browser... or the shitty you for using it.
