The free SSL certificates from Let's Encrypt have triggered an important development on the German hosting market: The protection of personal data on one's own website is now almost everywhere free of charge. But how has the initiative, which as a Certification Authority issues free SSL certificates for everyone, fared so far? A detailed look at the development.
An SSL certificate brings many advantages, at the latest since the introduction of the HTTP/2 standard. Not only is personal data reliably encrypted, the website also loads faster. In addition, HTTPS - the secure version of the Hypertext Transfer Protocol - makes websites future-proof. On 8 September, Google announced that from 2017, websites without an SSL certificate will be marked as insecure in Chrome. Google is thus coming ever closer to its self-declared goal of "HTTPS everywhere".
- With the new display, even pages of absolutely trustworthy providers would be given a red warning signal. With media like t3n, this is usually not a problem because readers trust the medium. However, Google's warning notice can cost lesser-known sites readers and customers.
Let's Encrypt plays an important role in this context. This is because the initiative from California issues free SSL certificates to everyone. This makes it possible for every site operator to set up SSL free of charge and also relatively easily. And the US Certification Authority has already had an influence on the German hosting market, because many hosts already offer free certificates. Some have integrated Let's Encrypt, others offer free certificates from other providers.
The success of Let's Encrypt is therefore not only relevant for site operators, but also for the German hosting market.
Let's Encrypt has issued more than 10,000,000 certificates to date
Since Let's Encrypt officially launched in May this year, the milestones have been coming thick and fast: Two million, five million, then recently the ten millionth certificate. But these numbers are not synonymous with ten million pages encrypted via Let's Encrypt certificates. Rather, the actual number must be approached from several angles.
Let's Encrypt issued its two millionth certificate on April 23, 2016, just a few days before the official launch. Just 19 days later, on 9 May, the three million mark was reached. On the third of June there were already four million certificates, the five million mark was then cracked on the 19th of June. By the end of July, the figure was seven million, and Let's Encrypt currently has 10.86 million certificates, more than double the number issued in mid-June. That sounds like a brilliant start. But what is actually behind this number?
- In August and September, the number of certificates issued by Let's Encrypt increased particularly strongly. This is probably due to the 90-day term of the free SSL certificates. The official market launch was May 2016. Source: https://letsencrypt.org/stats/
Of the ten million certificates issued, almost half have expired
The number 10,000,000 initially says very little. It contains data rubbish: certificate renewals, multiple certifications and expired certificates are counted. If you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number becomes increasingly relative.
More informative is the number of currently valid certificates: Let's Encrypt currently counts 5.51 million valid certificates. This does not mean that there are actually so many sites that are encrypted with Let's Encrypt. But the number already gives a first approximate value.
- It is clear that the number of valid Let's Encrypt certificates increased only moderately from August to September. In September, it even stagnated. This is also an indication that many certificates were renewed in August and September. Source: https://letsencrypt.org/stats/
7.88 percent of certificates run on .de sites
According to Let's Encrypt's own documentation, 7.88 percent of the certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult, because nothing is known about how the figure was arrived at. It can probably be assumed that it is the number of sites of which Let's Encrypt knows the TLD.
One conclusion can be drawn from this, however: The German top-level domain is the strongest country code TLD with 28,083 counted pages. It is followed by .ru, .uk, .fr and also .cz. More popular are generic TLDs such as .com but also .ninja, of which the Certification Authority counts 30,967.
- Number of certificates by top-level domains. .de is currently the most strongly represented TLD. Also popular are .ninja, .me and .io. The values probably refer to all sites whose TLDs are known to the Certification Authority. Source: https://letsencrypt.org/stats/
Let's Encrypt ranked 14th worldwide
Another good source is the data from w3techs.com. The service collects the shares of certain internet technologies on the basis of the top ten million websites in the world issued by Alexa. The corresponding websites are searched specifically for certain technologies. If a hit is achieved, it is included in the count. More information on the sample used can be found here.
According to w3techs, Let's Encrypt is currently still a very small certification authority with a market share of 0.185 percent and is in the bottom third of the market. Even if you only look at the certification authorities that have less than one percent market share, Let's Encrypt ends up in the bottom third, both in terms of absolute use and market share.
- Since the start of the beta, Let's Encrypt has been able to steadily gain market share. However, the big hit, i.e. the transition to exponential growth, is still a long time coming. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all
However, IdenTrust, the certification authority that supplies the root certificates for Let's Encrypt, is in third place. This is a good sign, because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be trustworthy.
- Let's Encrypt is clearly far behind in third-last place among the certification authorities. IdenTrust, on the other hand, can secure third place. It must be said that no information is available on the completeness of this list of providers. Source: https://w3techs.com/technologies/overview/ssl_certificate/all
Especially smaller sites with less traffic use Let's Encrypt
The biggest disadvantage of Let's Encrypt compared to fee-based certification authorities is still the very limited choice of certificates. This is because the US certification authority only offers one type of certificate so far: a domain-validated one. Extended functions, such as the famous green address line and extended validations - e.g. of a company or an organization - are currently not possible with Let's Encrypt. Of course, this does not mean that Let's Encrypt certificates are less secure, just that their range of functions is limited.
- Let's Encrypt, for example, cannot issue such certificates. Whether higher validation levels will ever come is currently still uncertain.
An implementation of extended functions is currently not in sight. This is because the validation of organizations and companies requires man-hours and these in turn cost money. A detailed discussion about this can also be found in the Let's Encrypt Forum.
Ergo, mainly smaller sites use Let's Encrypt, which can well do without extended validation. The w3techs data clearly show that Let's Encrypt is currently used primarily by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-oriented companies that logically want to win over the large sites with high purchasing power as customers.
- This plot shows the current ranking of the Let's Encrypt Certification Authority compared to other players. Noticeable: Both Let's Encrypt and IdenTrust are used more in the low-traffic area. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all
Conclusion: Let's Encrypt still has huge potential in my opinion
For a look into the crystal ball, it is not so much the data on the pages with SSL certificates that is interesting, but rather the pages that do not yet have an SSL certificate. According to w3techs, this is 30.8 percent of the pages. The reasons for not having an SSL certificate are not broken down for these sites. For a good percentage of them, however, I think the costs in combination with the technical hurdles are likely to be the main obstacles.
Both are now greatly simplified by Let's Encrypt and its integration into user interfaces, for example in the dashboards of hosting providers. The more familiar the Californian initiative becomes, the smaller the number of sites that do not have an SSL certificate is likely to become.
So far, it seems that Let's Encrypt has not yet managed the transition to exponential growth. This could change in 2017 when Chrome begins to mark websites without HTTPS. The behaviour of other browser manufacturers in this matter will also have an influence on further development. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the website operators and for the hosting providers.
Do you already use a Let's Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As Sys-Admin of Raidboxes, I'm also happy to answer your questions about SSL.