The free SSL certificates from Let's Encrypt have triggered an important development on the German hosting market: The protection of personal data on one's own website is now almost everywhere free of charge. But how has the initiative, which issues free SSL certificates for everyone as a Certification Authority, fared so far? A detailed look at the development.
An SSL certificate brings many advantages, at the latest since the introduction of the HTTP/2 standard. Not only is personal data reliably encrypted, the website also loads faster. In addition, HTTPS - the secure variant of the Hypertext Transfer Protocol - makes websites future-proof: on September 8, Google announced that starting in 2017, Chrome will mark websites without an SSL certificate as insecure. Google is thus coming ever closer to its self-declared goal of "HTTPS everywhere".
- With the new display, even sites of absolutely trustworthy providers would be given a red warning signal. With media like t3n, this is usually not a problem because readers trust the medium. For less well-known sites, however, Google's warning signal can cost readers and customers.
Let's Encrypt plays an important role in this context. The initiative from California issues free SSL certificates to everyone. This makes it possible for every site operator to set up SSL free of charge and also relatively easily. And the US Certification Authority has already made an impact on the German hosting market, because many hosts already offer free certificates. Some have integrated Let's Encrypt, others offer free certificates from other providers.
The success of Let's Encrypt is therefore not only relevant for site operators, but also for the German hosting market.
Let's Encrypt has issued more than 10,000,000 certificates to date
Since Let's Encrypt officially launched in May of this year, the milestones have been coming thick and fast: Two million, five million, then recently the ten millionth certificate. But these numbers do not mean that ten million sites are encrypted via Let's Encrypt. Rather, one must approach the actual number from several sides.
Already on April 23, 2016, i.e. a few days before the official launch, Let's Encrypt was able to issue its two millionth certificate. Just 19 days later, on 9 May, the three million mark was reached. On the third of June, there were already four million certificates, and the five million mark was then cracked on the 19th of June. At the end of July there were seven million, and currently Let's Encrypt has issued 10.86 million certificates, more than twice as many as in mid-June. That sounds like a brilliant start. But what is actually behind this number?
- In August and September, the number of certificates issued by Let's Encrypt increased particularly strongly. This is probably due to the 90-day term of the free SSL certificates. The official market launch was in May 2016. Source: https://letsencrypt.org/stats/
Of the ten million certificates issued, almost half have expired
The number 10,000,000 initially says very little, because it contains data garbage: certificate renewals, multiple certifications and expired certificates are all counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number becomes increasingly relative.
More informative is the number of currently valid certificates: Let's Encrypt currently counts 5.51 million valid certificates. This does not mean that there are actually that many sites encrypted with Let's Encrypt. But the number already gives a first approximate value.
- It can be clearly seen that the number of valid Let's Encrypt certificates increased only moderately from August to September. In September, it even stagnated. This is also an indication that many certificates were renewed in August and September. Source: https://letsencrypt.org/stats/
7.88 percent of the certificates run on .de-sites
According to Let's Encrypt's own documentation, 7.88 percent of certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult, because nothing is known about how the figure was arrived at. It can probably be assumed that it refers to the sites whose TLD is known to Let's Encrypt.
One conclusion can be drawn from this, however: The European top-level domain is the strongest country code TLD with 28,083 counted sites. It is followed by .ru, .uk, .fr and also .cz. More popular are country code TLDs such as .com but also .ninja, of which the Certification Authority counts 30,967.
- Number of certificates by top-level domains. .de is currently the most popular TLD. Also popular are .ninja, .me and .io. The values probably refer to all sites whose TLDs are known to the Certification Authority. Source: https://letsencrypt.org/stats/
Let's Encrypt ranked 14th in the world
Another good source is the data from w3techs.com. Based on the top ten million websites in the world as published by Alexa, the service collects the shares of certain Internet technologies. The corresponding websites are searched specifically for certain technologies. If a hit is achieved, this is included in the count. You can find out more about the sample used here.
According to w3techs, Let's Encrypt is currently still a very small certification authority with a market share of 0.185 percent and is in the bottom third of the market. Even if you only look at the certification authorities that have less than one percent market share, Let's Encrypt ends up at the bottom of the list. Both in terms of absolute usage and market share.
- Since the start of the beta, Let's Encrypt has been able to steadily gain market share. However, the big hit, i.e. the transition to exponential growth, is still a long time coming. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all
However, IdenTrust, the certification authority that supplies the root certificates for Let's Encrypt, is in third place. This is a good sign, because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be trustworthy.
- Let's Encrypt is clearly far behind in third-to-last place among the Certification Authorities. IdenTrust, on the other hand, can secure third place. It should be noted, however, that no information is available on the completeness of this list of providers. Source: https://w3techs.com/technologies/overview/ssl_certificate/all
Especially smaller sites with less traffic use Let's Encrypt
The biggest disadvantage of Let's Encrypt compared to fee-based certification authorities is still the very limited certificate selection. This is because the US certification authority only offers one type of certificate so far: a domain-validated one. Extended functions, such as the famous green address line and extended validations - e.g. of a company or an organization - are currently not possible with Let's Encrypt. Of course, this does not mean that Let's Encrypt certificates are less secure, just that their range of functions is limited.
- Let's Encrypt, for example, cannot issue such certificates. Whether higher validation levels will ever come is currently still uncertain.
An implementation of extended functions is currently not in sight. This is because the validation of organizations and companies requires man-hours and these in turn cost money. A detailed discussion about this can also be found in the Let's Encrypt forum.
Ergo, mainly smaller sites use Let's Encrypt, which can well do without an extended validation. The w3techs data clearly show that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-oriented companies that logically want to win over the large and therefore wealthy sites as customers.
- This plot shows the current ranking of the Let's Encrypt Certification Authority compared to other players. Noticeable: Both Let's Encrypt and IdenTrust are used more in the low-traffic area. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all
Conclusion: Let's Encrypt still has huge potential in my opinion
For a look into the crystal ball, it is not so much the data on the sites with SSL certificate that is interesting, but rather the sites that do not yet have an SSL certificate. According to w3techs, this is 30.8 percent of sites. While the reasons for not having an SSL certificate are not broken down for these sites - for a good percentage of them, I think the cost combined with the technical hurdles are likely to be the main obstacles.
Both are now greatly simplified by Let's Encrypt and its integration into user interfaces, e.g. in the dashboards of hosting providers. The more familiar the Californian initiative becomes, the smaller the number of sites that do not have an SSL certificate is likely to become.
So far, it seems that Let's Encrypt has not yet managed to transition into exponential growth. This could change in 2017, when Chrome starts to mark websites without HTTPS. Also, the behavior of other browser vendors on this matter will have an impact going forward. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the site operators and for the hosting providers.
Do you already use a Let's Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As Sys-Admin of RAIDBOXES I'm also happy to answer your questions about SSL.