Let’s Encrypt had a great year in 2018. We’re now serving more than 150 million websites while maintaining a stellar security and compliance track record.
Most importantly though, the Web went from 67% encrypted page loads to 77% in 2018, according to statistics from Mozilla. This is an incredible rate of change!
We’d like to thank all of the people and organizations who worked hard to create a more secure and privacy-respecting Web.
The thing that has always impressed me the most about Let's Encrypt has been Boulder (their CA server). Not for its code quality, but for the fact that they have been able to create a fully transparent, open-source CA server that meets the Web PKI and the CA/Browser Forum's baseline requirements.
Most of the time in incredibly regulated sectors, most of the products you see are huge, proprietary, and generally crap. It's such a rare treat to see a nice, simple thing that works in such a bureaucratic environment.
It really shows that Let's Encrypt are completely driven by wanting this thing to exist and be amazing, since they will slog through all the baseline requirements to get there. Most other open source initiatives fail when they reach the compliance stage because the work just becomes completely not fun.
Kudos to all the people at Let's Encrypt, and I wish y'all a very happy new year!
Let's Encrypt is awesome—it's great to be able to not have to deal with buying and renewing certs, and I think the ease of doing this now is great for securing the Web. It's great to hear that they're spinning out ISRG as a separate organization to do the same thing for other parts of the Internet.
The only thing that worries me about LE is that it's almost too easy. What happens when 90+% of the Web is running certificates from the same issuer? Are there any plans to run alternate free ACME CAs to prevent Let's Encrypt from becoming a single point of failure?
We pride ourselves on being an efficient organization. In 2019 Let’s Encrypt will secure a massive portion of the Web with a budget of only $3.6M. We believe this represents an incredible value and that contributing to Let’s Encrypt is one of the most effective ways to help create a more secure and privacy-respecting Web.
> We are also planning to introduce a Certificate Transparency (CT) log in 2019. All certificate authorities like Let’s Encrypt are required to submit certificates to CT logs but there are not enough stable logs in the ecosystem. As such, we are moving forward with plans to run a log which all CAs will be able to submit to.
I’m glad to see that they’re prioritizing this. Not a giant leap but still an important step for ensuring the stability of the CT system and the trustworthiness of the CA system.
> The [BGP hijacking] solution we intend to deploy in 2019 is multi-perspective validation, in which we will check from multiple network perspectives (distinct Autonomous Systems).
This is really exciting. The Cloudflare BGP hijack and subsequent attack on myetherwallet.com could have been much more successful if they had also been able to get a valid certificate. Having this multi-perspective feature would make it even harder to get a valid cert during a BGP hijack. Of course those falsely attained certs would still be logged publicly in a certificate transparency log, but better the cert never gets created to start with.
> We had planned to add ECDSA root and intermediate certificates in 2018 but other priorities ultimately took precedence.
I was particularly looking forward to ECDSA. Not for any real reason other than I want to try it out. I currently have their 4096-bit RSA cert on a Raspberry Pi and the SSL negotiation is particularly slow according to New Relic. I'm curious to see how ECDSA performs on a Raspberry Pi.
I absolutely adore what Let's Encrypt has done for the Web, and I proudly wear the hoodie they gave my company for our sponsorship. It's amazing what a company of 11(?) people can do, most of whom probably don't even do any development.
However, I really think that they need some (free) competition --- their market domination is becoming a little extreme. Someone else offering free certs via the ACME protocol would be nice.
Point to note: VPS services like Bluehost have started providing Let's Encrypt SSL certs to all domains by default, requiring no further effort. I hope others such as Hostgator, InMotion Hosting etc. follow suit.
> The feature we’re most excited about is multi-perspective validation. Currently, when a subscriber requests a certificate, we validate domain control from a single network perspective. This is standard practice for CAs.
I wonder how many other CAs do this as well? The third sentence suggests few.
Let's Encrypt is one of the best things that has happened to the Web in the last few years. Everyone wants (and needs) SSL/TLS, and there was no reason for companies to be charging so much for the service. Kudos to the authors and maintainers of something that saves so many people time and money each year.
Let's Encrypt and certbot have made my sysadmin life so much easier by allowing me to manage certificates within the terminal and without having to deal with annoying CA UIs that try to sell you tons of stuff you don't really need.
And all that for free!
If you are a regular user, please consider donating to the cause: https://letsencrypt.org/donate/ You can make a one-time donation or set up a recurring one.
This one caught me by surprise earlier in the year. When I was building some new infrastructure to support HTTP-01 validations in a multi-region deployment (routed using least-latency), one day I suddenly started seeing what looked like multiple validation requests hitting my EU deployment. Had me very confused for a few minutes, first thinking my logging infrastructure was suddenly very broken, or I had somehow configured my load balancers to cross regions, except the requests were coming from many different public addresses.
After some more minutes of digging, I found out about multi-perspective validation on the staging environment.
Anyway, good idea. And it seems to work from what I've seen. It was just a surprise when it turned on while I was literally working on code/infrastructure to handle validations.
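The comments above about multi-perspective validation and about serving HTTP-01 challenges from several regions come together in the following added example (written for this page; it is not Let's Encrypt's or Boulder's code). It computes the key authorization a subscriber must publish for an HTTP-01 challenge (RFC 8555 section 8.1, using the RFC 7638 JWK thumbprint) and the URL the CA fetches (RFC 8555 section 8.3), then shows one way a CA could combine what several vantage points saw. The quorum policy, the account key, the token and the vantage-point results are all constructed assumptions; Let's Encrypt's actual decision rule is not described on this page.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, lexically
    ordered, no whitespace. Optional members such as 'kid' must not affect it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the subscriber must serve for an HTTP-01 challenge (RFC 8555 section 8.1):
    the challenge token, a '.', and the thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches the key authorization (RFC 8555 section 8.3): plain HTTP, fixed path."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def multi_perspective_decision(expected: str, observations: dict, quorum: int) -> tuple:
    """Decide whether to issue, given what each vantage point fetched.

    observations maps a vantage-point label (here an AS number) to the body it
    retrieved, or None if the fetch failed. The policy is an assumption for
    illustration: a vantage point that reaches the host but sees something other
    than the expected key authorization is evidence of a split view of the
    Internet and vetoes issuance; otherwise at least `quorum` vantage points
    must have seen the expected body. A single-perspective CA has no way to
    notice the split at all."""
    agreeing = [vp for vp, body in observations.items()
                if body is not None and body.strip() == expected]
    conflicting = [vp for vp, body in observations.items()
                   if body is not None and body.strip() != expected]
    if conflicting:
        return False, f"inconsistent answers from {sorted(conflicting)}"
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {quorum} required perspectives confirmed control"
    return True, f"confirmed from {sorted(agreeing)}"

# Constructed account key: 'n' is a placeholder string, not a real RSA modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-placeholder-modulus", "kid": "acct-1"}
SAMPLE_TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

def demo() -> dict:
    """Run the decision over three constructed sets of vantage-point results."""
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    # AS numbers are taken from the documentation range reserved by RFC 5398.
    healthy = {"AS64496": expected, "AS64497": expected, "AS64498": None}
    split_view = {"AS64496": expected, "AS64497": expected, "AS64498": "constructed-wrong-body"}
    mostly_unreachable = {"AS64496": expected, "AS64497": None, "AS64498": None}
    return {
        "url": challenge_url("example.com", SAMPLE_TOKEN),
        "healthy": multi_perspective_decision(expected, healthy, quorum=2),
        "split_view": multi_perspective_decision(expected, split_view, quorum=2),
        "mostly_unreachable": multi_perspective_decision(expected, mostly_unreachable, quorum=2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

For an operator running the HTTP-01 responder behind least-latency routing, the practical consequence of the multi-perspective design is the one the comment describes: every region must be able to answer `/.well-known/acme-challenge/<token>` for every token currently in flight, because the fetches will arrive from several networks and not necessarily at the region that issued the order.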