Free and open Certificate Authority (CA) Let’s Encrypt announced this week that it has issued more than 1 million certificates since issuing its first Digital Certificate last year.
Originally proposed by the Electronic Frontier Foundation (EFF), the initiative has already attracted support from industry leaders such as Mozilla, Cisco, Akamai, Automattic and IdenTrust, among others. Backed by the Linux Foundation, its goal is to encrypt website traffic using Transport Layer Security (TLS) to protect user data from eavesdroppers.
The organization issued its first free live digital certificate in mid-September 2015, while receiving cross signature for it only in October. Before Let’s Encrypt, CloudFlare was offering digital certificates at no cost, but the launch of this new CA was seen as a big step toward improved privacy and authentication online.
The CA launched publicly last fall and came out of private beta in early December, but its certificates have already been abused by cybercriminals. The one million certificates that Let’s Encrypt has issued in the 3 months and 6 days since launching its service in public beta are valid for 2.5 million fully-qualified domain names.
According to the EFF, 90 percent of the 2.5 million domain names that take advantage of Let’s Encrypt one million free certificates had never been reachable by browser-valid HTTPS before. Users accessing those websites can now enjoy a more secure, encrypted browsing experience.
While the initiative ultimately aims at bringing encryption to all areas of the web, there are still many more websites that are still affected by insecure protocols. Domain owners continue to rely on HTTP because of the costs and bureaucracy involved in obtaining certificates, but Let’s Encrypt wants to eliminate this hurdle by offering certificates for free and by automating the issuance and renewal process.
Internet giants such as Google also support the move to HTTPS and more secure Internet protocols, and the company has made various changes lately to encourage site owners adopt better security. It even announced that it will favor HTTPS pages over their HTTP counterparts in search results.
Despite its good intentions, Let’s Encrypt’s existence, which has already sparked Amazon to start offering free certificates too, didn’t manage to convince everyone.
David Holmes, an evangelist for F5 Networks’ security solutions, has long suggested that the CA will not make the Internet more trustworthy, and argues that it will challenge the CA industry.
In a recent SecurityWeek column, Holmes explains why there was a high demand for free certificates when Let’s Encrypt launched in public beta. He also voiced fears that, because Let’s Encrypt certificates are valid for only 90 days, some website operators might forget to renew their certificates in due time, and that the overall “good” that LE is supposedly bringing along might be nothing more than a Placebo Effect.
