
HTTPS for all: Let’s Encrypt reaches one billion certificates issued, Ars Technica




The ISRG’s Let’s Encrypt is putting the S in HTTPS on a massive scale.




Let’s Encrypt, the Internet Security Research Group’s free certificate signing authority, issued its first certificate a little over four years ago. Today, it issued its billionth.

The ISRG’s goal for Let’s Encrypt is to bring the Web up to a 100% encryption rate. When Let’s Encrypt launched in 2015, the idea was pretty outré — at that time, a bit more than a third of all web traffic was encrypted, with the rest being plain-text HTTP. There were significant barriers to HTTPS adoption — for one thing, it cost money. But more importantly, it cost a significant amount of time and human effort, both of which are in limited supply.

Let’s Encrypt solved the money barrier by offering its services free of charge. More importantly, by establishing a stable protocol to access them, it enabled the Electronic Frontier Foundation to build and provide Certbot, an open source, free-to-use tool that automates the process of obtaining certificates, installing them, configuring webservers to use them, and automatically renewing them.

Managing HTTPS the traditional way

When Let’s Encrypt launched in , domain-validated certificates could be had for as little as $9/year — but the time and effort required to maintain them was a different story. A certificate needed to be purchased, information needed to be filled out in several forms, and then one might wait for hours before even cheap domain-validated certificates were issued.

Once the certificate was issued, it (and its key, and any chain certificates necessary) needed to be downloaded, then moved to the server, then placed in the right directory, and finally the Web server could be reconfigured for SSL.

On the widely used Apache Web server, the SSL portion of the configuration — alone! — might look something like this:

    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/sitename.crt
    SSLCertificateChainFile /etc/apache2/certs/
    SSLCertificateKeyFile /etc/apache2/certs/sitename.key
    SSLCACertificatePath /etc/ssl/certs/
    # intermediate configuration, tweak to your needs
    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA
    # (the cipher list continues; it is cut off at this point in the source)

If an inexperienced admin guessed wrong when looking for something to copy and paste — or a more experienced admin got sloppy and didn’t notice when standards changed — insecurity in the form of bad protocol and cipher arguments could easily creep in as well.

Every one to three years, you’d need to do the whole thing over again — perhaps only replacing the certificate and key, maybe also replacing or adding new intermediate chain certificates.

The whole thing was (and is), frankly, a mess … and can easily result in downtime.
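As an added example (not code from the article or from Certbot), here is a small Python checker for the kind of drift described above: it parses an Apache mod_ssl fragment, reports legacy protocol versions that a line like `SSLProtocol all -SSLv3` still leaves enabled, and reports weak or non-forward-secret entries in `SSLCipherSuite`. The sample config is constructed for the demonstration.

```python
# Added example (constructed config): lint an Apache mod_ssl fragment for drift.
SAMPLE_CONFIG = """\
SSLEngine on
SSLCertificateFile /etc/apache2/certs/sitename.crt
SSLCertificateKeyFile /etc/apache2/certs/sitename.key
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!aNULL
"""

# In Apache 2.4, "all" enables SSLv3 plus every TLS version the OpenSSL build
# supports, so anything below TLS 1.2 must be switched off explicitly.
LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")
# Substrings of OpenSSL cipher names that mark broken or export-grade algorithms.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")

def parse_directives(text):
    """Map directive name -> argument string, ignoring comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives

def check_ssl_config(text):
    """Return a list of human-readable findings for a mod_ssl config fragment."""
    findings = []
    d = parse_directives(text)
    proto = d.get("SSLProtocol", "")
    if not proto:
        findings.append("SSLProtocol missing: mod_ssl defaults decide what is offered")
    else:
        tokens = proto.split()
        enables_all = "all" in tokens or "+all" in tokens
        for legacy in LEGACY_PROTOCOLS:
            on = legacy in tokens or "+" + legacy in tokens
            off = "-" + legacy in tokens
            if on or (enables_all and not off):
                findings.append(f"SSLProtocol allows {legacy}")
    for suite in d.get("SSLCipherSuite", "").split(":"):
        if not suite or suite[0] in "!-":  # skip blanks and exclusion rules
            continue
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"SSLCipherSuite contains weak cipher {suite}")
        elif not any(kx in suite for kx in ("ECDHE", "DHE", "EDH")):
            findings.append(f"SSLCipherSuite entry {suite} lacks forward secrecy")
    return findings
```

Run `check_ssl_config` over a real fragment to see which settings would need attention under today's guidance; an empty list means nothing was flagged by these rules.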

Managing HTTPS with Let’s Encrypt and Certbot

In both removing cost and establishing a stable, reliable protocol, Let’s Encrypt also removed significant barriers to automation. The EFF stepped in to provide that automation to end users and admins with Certbot, one of the most popular ways to manage acquiring, installing, and renewing Let’s Encrypt certificates.

On an Ubuntu or newer system, EFF’s Certbot and its various plugins are available in the main system repositories. It can be installed with two shell commands — one, if you’re willing to fudge a little and use a semicolon:

    root@web:~# apt update; apt install -y python3-certbot-apache
  • If you're using the Apache webserver, run certbot --apache. Nginx? certbot --nginx. That's it.

  • All configured websites will display in a menu, and you can select any or all of them for update to use with Let's Encrypt.

  • I used to hand-write configs to redirect HTTP to HTTPS on my webservers. It wasn't hard, but it was tedious, and it did not always happen. Certbot will do it for you.

  • That's it. You're done, and your sites are now configured properly for HTTPS.

  (Screenshots: Jim Salter)


With that done, a single command activates Certbot. As you interact with a simple plain-text menuing system, it fetches certificates for any or all of your sites, configures your Web server (properly!) for you, and adds a cron job to automatically renew the certificates when they're down to 30 days prior to expiration. The whole thing takes well under five minutes.

As an added touch, Certbot even offers — but does not demand — to automatically configure your Web server to redirect HTTP requests to HTTPS for you. It's just that easy.

Providing privacy and security at scale

In June of , Let's Encrypt was two years old and served its ten millionth certificate. The Web had gone from under HTTPS to — in the United States — % HTTPS, and Let's Encrypt was servicing 91 million websites.

Today, Let's Encrypt's billionth certificate has been issued, it services million websites, and the United States' portion of the Internet is a whopping 91 percent encrypted. The project manages this on nearly the same staff and budget it did in — it has gone from full-time staff and a $2. million budget then to full-time staff and a $3. million budget today.

None of this would be possible without a commitment to automation and open standards. We gushed about how easy the EFF's Certbot makes it to deploy and renew Let's Encrypt certificates — but that contribution is only possible because of Let's Encrypt's own focus on standardizing an open ACME protocol that anyone can build a client to operate.

In addition to building and publishing a stable, capable protocol, Let's Encrypt put in the work to submit and ratify it with the Internet Engineering Task Force (IETF), resulting in an RFC.

Conclusions

There really isn't much excuse not to provide secure, end-to-end encrypted (and authenticated!) communication from websites to users anymore. Let's Encrypt, its ACME protocol, and the legion of clients that have sprung up to facilitate its use — including but not limited to Certbot — have made HTTPS configuration and deployment simple.

