Let’s Encrypt Comes Up With Solution for Bizarre Problem

The problem itself is fairly straightforward. Let’s Encrypt launched in 2016, and while it waited to have its root certificate approved and added to browsers and OSes, it reached an agreement with existing certificate authority IdenTrust to cross-sign it’s SSL certs. This meant that as long as IdenTrust’s widely deployed root certificate was on a device, then Let’s Encrypt certs would be accepted as valid by that device.

But that IdenTrust root certificate expires in September 2021, and Let’s Encrypt will transition to using its own widely deployed root certificate going forward.

Except on one operating system–Android.

Let’s Encrypt was added to Android’s certificate authority store in Android 7.1.1, released in December 2016. So devices using version 7.1.1. or newer will have no problems at all when the IdenTrust root certificate expires. Let’s Encrypt’s root cert is already included in the Android OS, and things will be fine.

The problem is that almost 34 percent of Android devices are running a version older than 7.1.1. That translates to about 845 million devices still running an OS that is more than four years old.

Let’s Encrypt found a workaround, but it’s crazy that 845 million Android devices being actively used have an OS that hasn’t been updated in four years, and that likely can’t receive updates even if their owners wanted to.

Ironically, one of the bug fixes rolled out in 7.1.1 was an update to Android’s CURL/LIBCURL libraries, which had bugs that could allow a malicious actor with a forged certificate to launch a remote code execution attack.

Hell, Let’s Encrypt’s workaround relies on the fact that Android ignores crucial security settings. Even though a root certificate like IdenTrust’s has an expiration date, Android ignores that expiration date. So IdenTrust has agreed to extend its cross-signing of Let’s Encrypt certs for three years.

IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors. ISRG and IdenTrust reached out to our auditors and root programs to review this plan and ensure there weren’t any compliance concerns.

Let’s Encrypt Crosses Billion Certificates Issued Threshold

Let’s Encrypt recently announced that it had issued its billionth certificate on February 27, 2020.

We issued our billionth certificate on February 27, 2020. We’re going to use this big round number as an opportunity to reflect on what has changed for us, and for the Internet, leading up to this event. In particular, we want to talk about what has happened since the last time we talked about a big round number of certificates – one hundred million.

One thing that’s different now is that the Web is much more encrypted than it was. In June of 2017 approximately 58% of page loads used HTTPS globally, 64% in the United States. Today 81% of page loads use HTTPS globally, and we’re at 91% in the United States! This is an incredible achievement. That’s a lot more privacy and security for everybody.

Another thing that’s different is that our organization has grown a bit, but not by much! In June of 2017 we were serving approximately 46M websites, and we did so with 11 full time staff and an annual budget of $2.61M. Today we serve nearly 192M websites with 13 full time staff and an annual budget of approximately $3.35M. This means we’re serving more than 4x the websites with only two additional staff and a 28% increase in budget. The additional staff and budget did more than just improve our ability to scale though – we’ve made improvements across the board to provide even more secure and reliable service.

Switched My Server to Using Let’s Encrypt

Recently when my wildcart certificate came up for renewal, I renewed it one last time just so I’d have a fallback, but then worked on switching over my various domains to use Let’s Encrypt.

Frankly, I renewed the wildcard cert because I anticipated I might run into issues or headaches trying to get Let’s Encrypt to work, but the reality was just the opposite. Getting Let’s Encrypt installed and the certs all updated was probably the smoothest experience I’ve had with updating certs.

Now the server updates the various certs without my intervention, and I just check in occasionally to make sure everything’s running correctly. I couldn’t be happier with the outcome.

Let’s Encrypt Now Issues > 50 Percent of the SSL Certs Used by the Top Million Websites

In April, Let’s Encrypt crossed the threshhold of issuing more than 50 percent of the SSL certificates for sites in NetTrack’s database of the top million websites.

NetTrack SSL Issuer Chart
NetTrack SSL Issuer Chart

Let’s Encrypt to Offer Wildcard Certificates in 2018

Let’s Encrypt announced today that they plan to offer wildcard certificates beginning in January 2018.

A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.

Wildcard certificates will be offered free of charge via our upcoming ACME v2 API endpoint. We will initially only support base domain validation via DNS for wildcard certificates, but may explore additional validation options over time. We encourage people to ask any questions they might have about wildcard certificate support on our community forums.

That is excellent news. Wildcard certificates are fairly expensive. I’m paying $94/year for a Comodo PositiveSSL wildcard cert through a reseller. If you go directly to Comodo, they want $249/year which is going to be well out of the range of a lot of people to afford.

It will be interesting to see what the uptake is on this, as I assume wildcard certificates are a major profit center for certificate authorities. It would also be interesting to see an analysis of what effect Let’s Encrypt has had on the economics of CA’s already.

Are those who use Let’s Encrypt large companies and individuals who weren’t using SSL at all beforehand, or is a significant portion of that activity from people who opted for a free alternative.

I know I was at the point where I needed to buy a single domain certificate last year and opted for Let’s Encrypt because of its low, low price of nothing.

Let’s Encrypt Reaches 100 Million Certificates Milestone

Let’s Encrypt announced this week that they’d passed the 100 million certificates issued threshhold,

Let’s Encrypt has reached a milestone: we’ve now issued more than 100,000,000 certificates. This number reflects at least a few things:

First, it illustrates the strong demand for our services. We’d like to thank all of the sysadmins, web developers, and everyone else managing servers for prioritizing protecting your visitors with HTTPS.

Second, it illustrates our ability to scale. I’m incredibly proud of the work our engineering teams have done to make this volume of issuance possible. I’m also very grateful to our operational partners, including IdenTrust, Akamai, and Sumo Logic.

Third, it illustrates the power of automated certificate management. If getting and managing certificates from Let’s Encrypt always required manual steps there is simply no way we’d be able to serve as many sites as we do. We’d like to thank our community for creating a wide range of clients for automating certificate issuance and management.

The press release also notes that when Let’s Encrypt began issuing certificates, Firefox’s Telemetry report found that

. . . less than 40% of page loads on the Web used HTTPS . . . In the 19 months since we launched, encrypted page loads have gone up by 18%, to nearly 58%.

A very good trend.