Five Months of Let's Encrypt: Here's Where the Certification Authority from California Stands Today

The free SSL certificates from Let's Encrypt have triggered an important development on the German hosting market: The protection of personal data on one's own website is now almost everywhere free of charge. But how has the initiative, which as a Certification Authority issues free SSL certificates for everyone, fared so far? A detailed look at the development.

An SSL certificate brings many advantages, at the latest since the introduction of the HTTP/2 standard. Not only is personal data reliably encrypted, the website also loads faster. In addition, HTTPS - the secure version of the Hypertext Transfer Protocol - makes websites future-proof. On 8 September, Google announced that from 2017, websites without an SSL certificate will be marked as insecure in Chrome. Google is thus coming ever closer to its self-declared goal of "HTTPS everywhere".

Certification Authority Let's Encrypt - Google Chrome HTTPS Marking
With the new display, even pages of absolutely trustworthy providers would be given a red warning signal. With media like t3n, this is usually not a problem because readers trust the medium. However, Google's warning notice can cost lesser-known sites readers and customers.

Let's Encrypt plays an important role in this context, because the initiative from California issues free SSL certificates to everyone. This makes it possible for every site operator to set up SSL free of charge and relatively easily. The US Certification Authority has also already had an influence on the German hosting market: many hosts already offer free certificates. Some have integrated Let's Encrypt, others offer free certificates from other providers.

The success of Let's Encrypt is therefore not only relevant for site operators, but also for the German hosting market.

Let's Encrypt has issued more than 10,000,000 certificates to date

Since Let's Encrypt officially launched in May this year, the milestones have been coming thick and fast: two million, five million, then recently the ten millionth certificate. But these numbers are not synonymous with ten million pages encrypted via Let's Encrypt certificates. Rather, the actual number must be approached from several angles.

Let's Encrypt issued its two millionth certificate on April 23, 2016, just a few days before the official launch. Just 19 days later, on 9 May, the three million mark was reached. On the third of June there were already four million certificates, and the five million mark was cracked on the 19th of June. By the end of July, the figure was seven million, and Let's Encrypt currently has 10.86 million certificates, more than double the number issued in mid-June. That sounds like a brilliant start. But what is actually behind this number?

Number of free SSL certificates from the Let's Encrypt Certification Authority
In August and September, the number of certificates issued by Let's Encrypt increased particularly strongly. This is probably due to the 90-day term of the free SSL certificates. The official market launch was May 2016. Source: https://letsencrypt.org/stats/

Of the ten million certificates issued, almost half have expired

The number 10,000,000 initially says very little. It contains noise: certificate renewals, multiple certifications and expired certificates are all counted. Once you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the number is put further into perspective.

More informative is the number of currently valid certificates: Let's Encrypt currently counts 5.51 million valid certificates. This does not mean that there are actually so many sites that are encrypted with Let's Encrypt. But the number already gives a first approximate value.

Valid certificates from the Let's Encrypt Certification Authority
It is clear that the number of valid Let's Encrypt certificates increased only moderately from August to September. In September, it even stagnated. This is also an indication that many certificates were renewed in August and September. Source: https://letsencrypt.org/stats/

7.88 percent of certificates run on .de sites

According to Let's Encrypt's own documentation, 7.88 percent of the certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult, because nothing is known about how the figure was arrived at. It can probably be assumed that it is the number of sites of which Let's Encrypt knows the TLD.

One conclusion can be drawn from this, however: The German top-level domain is the strongest country code TLD with 28,083 counted pages. It is followed by .ru, .uk, .fr and also .cz. More popular are country code TLDs such as .com but also .ninja, of which the Certification Authority counts 30,967.

Shares of the TLDs in the known Let's Encrypt certificates
Number of certificates by top-level domains. .de is currently the most strongly represented TLD. Also popular are .ninja, .me and .io. The values probably refer to all sites whose TLDs are known to the Certification Authority. Source: https://letsencrypt.org/stats/

Let's Encrypt ranked 14th worldwide

Another good source is the data from w3techs.com. The service measures the shares of certain internet technologies on the basis of the top ten million websites in the world as listed by Alexa. These websites are scanned specifically for certain technologies. If a technology is detected, it is included in the count. More information on the sample used can be found here.

According to w3techs, Let's Encrypt is currently still a very small certification authority with a market share of 0.185 percent and is in the bottom third of the market. Even if you only look at the certification authorities that have less than one percent market share, Let's Encrypt ends up in the bottom third, both in terms of absolute use and market share.

Market share of the Certification Authority Let's Encrypt
Since the start of the beta, Let's Encrypt has been able to steadily gain market share. However, the big hit, i.e. the transition to exponential growth, is still a long time coming. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

However, IdenTrust, the certification authority that supplies the root certificates for Let's Encrypt, is in third place. This is a good sign, because if the source of the root certificates enjoys high trustworthiness, then the services based on these root certificates also tend to be trustworthy.

The Let's Encrypt Certification Authority compared to other CAs
Let's Encrypt is clearly far behind in third-last place among the certification authorities. IdenTrust, on the other hand, can secure third place. It must be said that no information is available on the completeness of this list of providers. Source: https://w3techs.com/technologies/overview/ssl_certificate/all

Especially smaller sites with less traffic use Let's Encrypt

The biggest disadvantage of Let's Encrypt compared to fee-based certification authorities is still the very limited choice of certificates. This is because the US certification authority only offers one type of certificate so far: a domain-validated one. Extended functions, such as the famous green address line and extended validations - e.g. of a company or an organization - are currently not possible with Let's Encrypt. Of course, this does not mean that Let's Encrypt certificates are less secure, just that their range of functions is limited.

Example of an OV certification
Let's Encrypt, for example, cannot issue such certificates. Whether higher validation levels will ever come is currently still uncertain.

An implementation of extended functions is currently not in sight. This is because the validation of organizations and companies requires man-hours and these in turn cost money. A detailed discussion about this can also be found in the Let's Encrypt Forum.

Consequently, it is mainly smaller sites, which can well do without extended validation, that use Let's Encrypt. The w3techs data clearly show that Let's Encrypt is currently used primarily by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-oriented companies that logically want to win over the large sites with high purchasing power as customers.

Scatterplot of the provider field Certification Authority
This plot shows the current ranking of the Let's Encrypt Certification Authority compared to other players. Noticeable: Both Let's Encrypt and IdenTrust are used more in the low-traffic area. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

Conclusion: Let's Encrypt still has huge potential in my opinion

For a look into the crystal ball, it is not so much the data on the pages with SSL certificates that is interesting, but rather the pages that do not yet have an SSL certificate. According to w3techs, this is 30.8 percent of the pages. The reasons for not having an SSL certificate are not broken down for these sites. For a good percentage of them, however, I think the costs in combination with the technical hurdles are likely to be the main obstacles.

Both are now greatly simplified by Let's Encrypt and its integration into user interfaces, for example in the dashboards of hosting providers. The more familiar the Californian initiative becomes, the smaller the number of sites that do not have an SSL certificate is likely to become.

So far, it seems that Let's Encrypt has not yet managed the transition to exponential growth. This could change in 2017 when Chrome begins to mark websites without HTTPS. The behaviour of other browser manufacturers in this matter will also have an influence on further development. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for the website operators and for the hosting providers.

Do you already use a Let's Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As Sys-Admin of Raidboxes, I'm also happy to answer your questions about SSL.