Five months Let's Encrypt: Here is the Certification Authority from California today

Tobias Schüring Last updated 21.01.2020
7 Min.
Certification Authority Lets Authority

The free SSL certificates from Let's Encrypt have triggered an important development on the German hosting market: The protection of personal data on one's own website is now almost everywhere free of charge. But how has the initiative, which issues free SSL certificates for everyone as a Certification Authority, fared so far? A detailed look at the development.

An SSL certificate brings many advantages, at the latest since the introduction of the HTTP/2 standard. Not only is personal data reliably encrypted, the website also loads faster. In addition, HTTPS - the secure variant of the Hypertext Transfer Protocol - makes websites future-proof. Because on September 8, Google announced that starting in 2017, Chrome will mark websites without an SSL certificate as insecure. Google is thus coming ever closer to its self-declared goal of "HTTPS everywhere".

Certification Authority Let's Encrypt - Google Chrome HTTPS Marking
With the new display, even sites of absolutely trustworthy providers would be provided with a red warning signal. With media like t3n, this is usually not a problem because readers trust the medium. Less well-known sites , however, Google's warning signal can cost readers and customers.

Let's Encrypt plays an important role in this context. The initiative from California issues free SSL certificates to everyone. This makes it possible for every site operator to set up SSL free of charge and also relatively easily. And the US-American Certification Authority has already made an impact on the German hosting market. Because many host already offer free certificates. Some have integrated Let's Encrypt, others offer free certificates from other providers.

The success of Let's Encrypt is therefore not only relevant for site operators, but also for the German hosting market.

Let's Encrypt has issued more than 10,000,000 certificates to date

Since Let's Encrypt officially launched in May of this year, the milestones have been coming thick and fast: Two million, five million, then recently the ten millionth certificate. But these numbers are not synonymous with ten million certificates encrypted via Let's Encrypt sites . Rather, one must approach the actual number from several sites .

Already on April 23, 2016, i.e. a few days before the official launch, Let's Encrypt was able to issue its two millionth certificate. Just 19 days later, on 9 May, the three million mark was reached. On the third of June, there were already four million certificates, and the five million mark was then cracked on the 19th of June. At the end of July there were seven million, and currently Let's Encrypt has issued 10.86 million certificates, more than twice as many as in mid-June. That sounds like a brilliant start. But what is actually behind this number?

Number of free SSL certificates from the Let's Encrypt Certification Authority
In August and September, the number of certificates issued by Let's Encrypt increased particularly strongly. This is probably due to the 90-day term of the free SSL certificates. The official market launch was in May 2016. Source: https://letsencrypt.org/stats/

Of the ten million certificates issued, almost half have expired

The number 10,000,000 initially says very little. Because it contains data garbage: Certificate renewals, multiple certifications and expired certificates are counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number becomes increasingly relative.

More informative is the number of currently valid certificates: Let's Encrypt currently counts 5.51 million valid certificates. This does not mean that there are actually so many sites that are encrypted with Let's Encrypt. But the number already gives a first approximate value.

Valid certificates of the Let's Encrypt Certification Authority
It can be clearly seen that the number of valid Let's Encrypt certificates increased only moderately from August to September. In September, it even stagnated. This is also an indication that many certificates were renewed in August and September. Source: https://letsencrypt.org/stats/

7.88 percent of the certificates run on .de-sites

According to Let's Encrypts' own documentation, 7.88 percent of certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult, because nothing is known about how the figure was arrived at. It can probably be assumed that it is the number of sites from which Let's Encrypt knows the TLD.

One conclusion can be drawn from this, however: The european top-level domain is the strongest country code TLD with 28,083 counted sites . It is followed by .ru, .uk, .fr and also .cz. More popular are country code TLDs such as .com but also .ninja, of which the Certification Authority counts 30,967.

Shares of the TLDs in the known Let's Encrypt certificates
Number of certificates by top-level domains. .de is currently the most popular TLD. Also popular are .ninja, .me and .io. The values probably refer to all sites , whose TLDs are known to the Certification Authority. Source: https://letsencrypt.org/stats/

Let's Encrypt ranked 14th in the world

Another good source is the data from w3techs.com. The service collects, based on the top ten million websites in the world issued by Alexa, the shares of certain Internet technologies. The corresponding websites are searched specifically for certain technologies. If a hit is achieved, this is included in the count. You can find out more about the sample used here.

According to w3techs, Let's Encrypt is currently still a very small certification authority with a market share of 0.185 percent and is in the bottom third of the market. Even if you only look at the certification authorities that have less than one percent market share, Let's Encrypt ends up at the bottom of the list. Both in terms of absolute usage and market share.

Market share of the Certification Authority Let's Encrypt
Since the start of the beta, Let's Encrypt has been able to steadily gain market share. However, the big hit, i.e. the transition to exponential growth, is still a long time coming. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

However, IdenTrust, the certification authority that supplies the root certificates for Let's Encrypt, is in third place. This is a good sign. Because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be trustworthy.

The Let's Encrypt Certification Authority compared to other CAs
Let's Encrypt is clearly far behind in third last place among the Certification Authorities. IdenTrust, on the other hand, can secure third place. It should be noted, however, that no information is available on the completeness of this list of providers. Source: https://w3techs.com/technologies/overview/ssl_certificate/all

Especially smaller sites with less traffic use Let's Encrypt.

The biggest disadvantage of Let's Encrypt compared to fee-based certification authorities is still the very limited certificate selection. This is because the US certification authority only offers one type of certificate so far: a domain-validated one. Extended functions, such as the famous green address line and extended validations - e.g. of a company or an organization - are currently not possible with Let's Encrypt. Of course, this does not mean that Let's Encrypt certificates are less secure, just that their range of functions is limited.

Example of an OV certification
Let's Encrypt, for example, cannot issue such certificates. Whether higher validation levels will ever come is currently still uncertain.

An implementation of extended functions is currently not in sight. This is because the validation of organizations and companies requires man-hours and these in turn cost money. A detailed discussion about this can also be found in the Let's Encrypt forum.

Ergo, mainly smaller sites use Let's Encrypt, which can well do without an extended validation. The w3techs data clearly show that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-oriented companies that logically want to win over the large and therefore wealthy sites as customers.

Scatterplot of the provider field Certification Authority
This plot shows the current ranking of the Let's Encrypt Certification Authority compared to other players. Noticeable: Both Let's Encrypt and IdenTrust are used more in the low-traffic area. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

Conclusion: Let's Encrypt still has huge potential in my opinion

For a look into the crystal ball, it is not so much the data on the sites with SSL certificate that is interesting, but rather the sites that do not yet have an SSL certificate. According to w3techs, this is 30.8 percent of sites . While the reasons for not having an SSL certificate are not broken down for these sites - for a good percentage of them, I think the cost combined with the technical hurdles are likely to be the main obstacles.

Both are now greatly simplified by Let's Encrypt and its integration into user interfaces, e.g. in the dashboards of hosting providers. The more familiar the Californian initiative becomes, the smaller the number of sites that do not have an SSL certificate is likely to become.

So far, it seems that Let's Encrypt has not yet managed to transition into exponential growth. This could change in 2017, when Chrome starts to mark websites without HTTPS. Also, the behavior of other browser vendors on this matter will have an impact going forward. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the site operators and for the hosting providers.

Do you already use a Let's Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As Sys-Admin of RAIDBOXES I'm also happy to answer your questions about SSL.

As a system administrator, Tobias watches over our infrastructure and finds every possible way to optimize the performance of our servers. His tireless efforts mean he can often be found on Slack in the early hours.

Comments on this article

Post a comment

Your email address will not be published. Required fields are marked with *.