Let's Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that's effectively impenetrable to snooping. The pandemic hasn't halted the group's progress: It says it's now issued over 1,080,000,000 certificates.
That Let's Encrypt doesn't charge for this service is a big deal. A digital certificate for a website (also useful for email servers and other client/server systems) used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.
While the price had dropped significantly before Let's Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I've been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let's Encrypt.)
Let's Encrypt didn't set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing that has doubled the number of secure sites from 40 to 80 percent of all sites since 2016.
As Josh Aas, executive director and cofounder of ISRG, says, the organization wants everyone to be able to go out and participate fully in the web without having to pay hundreds of dollars to do something. Setting the cost at zero benefits each site's users and the internet as a whole.
Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let's Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.
This dramatic increase in web encryption protects people from some unwanted commercial tracking and from snooping by malicious parties and government actors alike. It took Let's Encrypt as a catalyst to put it within the reach of every website.
After the revelation of the scope and nature of wide-scale, routine data collection by U.S. national security agencies added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest stored on servers, and browser makers calling users' attention to unprotected web sessions.
That last part was critical, as Chrome, Firefox, and Safari slowly increased warnings about nonencrypted connections, and finally turned those warnings into outright error messages. But it could also have been unfair to smaller websites, especially those in developing nations and ones run by nonprofits, volunteer groups, and small companies lacking the wherewithal to implement encryption. Without an easy way for most organizations to secure their sites, it would have balkanized the net.
Let's Encrypt stepped into that growing void. Now financially supported by a host of major tech companies (though Apple's name is oddly and noticeably absent), the firm has scaled successfully from a million certificates a year to a million a day over just four years.
"We want to make sure that when someone entrusts us with a dollar, we go out and do the most work we can with that dollar," Aas says. For instance, he says, the group relies on three very expensive, exceedingly reliable database servers. Each costs $100,000 or more, but the setup provides triple redundancy. Using more common, cheaper hardware would require more staffers to provide maintenance.
ISRG has also retained an extremely tight mission focus on certificate issuance. And it offers no customer support, though it has a rich and active community that it encourages and ever-improving online documentation. "Not providing support results in a huge amount of internal pressure to ensure people don't need support," says Aas. "Developing community is a huge part of our efficiency."
Some major hosting firms have adopted Let's Encrypt as an effectively no-cost method of adding digital certificates for their users' sites with almost no overhead. They can automate the process of requesting a certificate, receiving it, and installing it, a dramatically less intensive process than any previous method. (Let's Encrypt has focused on automation and spent three years shepherding a relevant Internet Engineering Task Force draft through to a proposed standard in March 2019.)
The widely used cPanel administrative interface offers Let's Encrypt as a point-and-click option to install a certificate. But it's equally trivial to use manually. To renew certificates across about 20 domains and subdomains I own, I type in a single command every three months, reminded by Let's Encrypt's renewal email 30 days in advance. A few seconds pass and I'm ready to go for another three months. If I were slightly less lazy, I could entirely automate the process through a recurring server-based task.
Most free things on the internet come with an expensive price tag, usually involving giving up our privacy. Let's Encrypt is the rare organization that does something useful and controls its scope and budget, so it can be more efficient every day it operates. The organization knows virtually nothing about parties requesting certificates (it doesn't even ask for an email address) and retains almost nothing. It relies entirely on domain ownership as proof of a user's identity. That's enough, since all a certificate does is validate that someone runs the domain that the certificate is securing.
With its constrained mission, Aas says that ISRG has plenty of efficiencies yet to reap and improvements to make, even as it focuses on its day-to-day operations. "We take the time to do it right, but we don't take more time than we need to get it right," he says. The group took years to become a certificate authority (CA), for instance, making it one of a few hundred organizations trusted by a handful of operating system and browser makers to be the root of trust for certificates.
And just before the billionth certificate was issued, Let's Encrypt implemented a security technique, the first by a CA, that effectively blocks the ability of a malicious party to subvert a flaw in the internet's data routing system and obtain a domain certificate fraudulently. (It fully documented its new technology so others could benefit from it too.)
In many ways, Let's Encrypt is a throwback to the precommercial internet, when a combination of generosity, mutual benefit, and enlightened self-interest allowed for rapid improvements. Its free certificates are a ticket to that past, but with modern technological efficiencies that keep it pointing toward the future.
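The domain-ownership check and the routing-hijack defence described above, as an added example that is not Let's Encrypt's own code: it computes the ACME HTTP-01 key authorization (RFC 8555, the IETF standard mentioned earlier, using the RFC 7638 key thumbprint) and checks it from several network vantage points, the idea behind what Let's Encrypt calls multi-perspective validation. The simple count-based quorum, the host name, token and account key are constructed simplifications, not the CA's real policy or data.

```python
"""Added example (not Let's Encrypt's code): ACME HTTP-01 domain validation
(RFC 8555 sections 8.1 and 8.3) checked from several network vantage points.
Keys, tokens, hosts and web roots below are constructed sample data."""
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the CA expects to find at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def validate_http01(domain, token, account_jwk, vantage_points, quorum):
    """Each vantage point fetches the challenge URL over the path it can reach;
    validation passes only if at least `quorum` of them see the expected body."""
    expected = key_authorization(token, account_jwk)
    path = f"/.well-known/acme-challenge/{token}"
    agreeing = [name for name, fetch in vantage_points.items()
                if fetch(domain, path) == expected]
    return len(agreeing) >= quorum, agreeing

def make_fetcher(webroot: dict):
    """Simulated HTTP GET: `webroot` maps (host, path) to the body served there."""
    return lambda domain, path: webroot.get((domain, path))

SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-not-a-real-modulus"}
SAMPLE_TOKEN = "constructed-token-Zc8gKXcbQzE"

def run_scenarios():
    path = f"/.well-known/acme-challenge/{SAMPLE_TOKEN}"
    body = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    owner_site = {("example.com", path): body}  # the owner published the file
    untouched_site = {}                          # the owner never requested a certificate
    all_owner = {v: make_fetcher(owner_site) for v in ("ca", "remote-a", "remote-b")}
    honest, _ = validate_http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK, all_owner, 3)
    # One viewpoint's route to the name ends at a different server that answers with
    # the expected body; the other viewpoints still reach the untouched owner site.
    views = {"ca": make_fetcher({("example.com", path): body}),
             "remote-a": make_fetcher(untouched_site), "remote-b": make_fetcher(untouched_site)}
    single, _ = validate_http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK, {"ca": views["ca"]}, 1)
    multi, _ = validate_http01("example.com", SAMPLE_TOKEN, SAMPLE_JWK, views, 3)
    return honest, single, multi
```

`run_scenarios()` returns `(True, True, False)`: a check from a single viewpoint accepts the diverted case, while requiring agreement across viewpoints rejects it.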
How Let's Encrypt changed the web with free, easy encryption - Fast Company