Let’s Encrypt announced this week that they’d passed the 100 million certificates issued threshhold,
Let’s Encrypt has reached a milestone: we’ve now issued more than 100,000,000 certificates. This number reflects at least a few things:
First, it illustrates the strong demand for our services. We’d like to thank all of the sysadmins, web developers, and everyone else managing servers for prioritizing protecting your visitors with HTTPS.
Second, it illustrates our ability to scale. I’m incredibly proud of the work our engineering teams have done to make this volume of issuance possible. I’m also very grateful to our operational partners, including IdenTrust, Akamai, and Sumo Logic.
Third, it illustrates the power of automated certificate management. If getting and managing certificates from Let’s Encrypt always required manual steps there is simply no way we’d be able to serve as many sites as we do. We’d like to thank our community for creating a wide range of clients for automating certificate issuance and management.
The press release also notes that when Let’s Encrypt began issuing certificates, Firefox’s Telemetry report found that
. . . less than 40% of page loads on the Web used HTTPS . . . In the 19 months since we launched, encrypted page loads have gone up by 18%, to nearly 58%.
Interesting look from Let’s Encrypt Executive Director Josh Aas on the explosion in certificates that the free service has seen since its launch in 2015,
At the start of 2016, Let’s Encrypt certificates had been available to the public for less than a month and we were supporting approximately 240,000 active (unexpired) certificates. That seemed like a lot at the time! Now we’re frequently issuing that many new certificates in a single day while supporting more than 20,000,000 active certificates in total. We’ve issued more than a million certificates in a single day a few times recently. We’re currently serving an average of 6,700 OCSP responses per second.
. . .
When 2016 started, our root certificate had not been accepted into any major root programs. Today we’ve been accepted into the Mozilla, Apple, and Google root programs. We’re close to announcing acceptance into another major root program. These are major steps towards being able to operate as an independent CA.
In an end-of-the-year summary, the Electronic Frontier Foundation noted that deployment of HTTPS grew dramatically in 2016,
By some measures, more than half of page loads in Firefox and in Chrome are now secured with HTTPS—the first time this has ever happened in the Web’s history. That’s right: for the first time ever, most pages viewed on the Web were encrypted! (As another year-in-review post will discuss, browsers are also experimenting with and rolling out stronger encryption technologies to better protect those connections.)
The EFF sites the availability of tools and services such as Let’s Encrypt that make obtaining and deploying certificates easier, as well as increasing pressure on companies to encrypt all traffic rather than just specific subsets.
The one troubling spot is that this increase isn’t necessarily distributed well geographically,
A caveat: data from Google shows that use of HTTPS varies significantly from country to country, remaining especially uncommon in Japan. We’ve also heard that it’s still uncommon across much of East and Southeast Asia. Next year, we’ll have to find ways to bridge those gaps.
I’ve used HTTPS on 99 percent of my server for years now, but there was a tiny portion that was not HTTPS because of a specific application that used its own non-Apache server that did not play well with the Wildcard SSL certificate I use. This year, finally, I was able to use Let’s Encrypt to flawlessly install a certificate just for that. The process for doing so was ridiculously easy and took about 10 minutes from beginning to end to configure and test.
So one day my wife wanted a website to highlight her award-winning pottery. She finds WordPress a bit cumbersome to use and after looking at a number of hosting sites settled on Squarespace. After purchasing a site there, I registered a domain name for the site and we sat down and took a look at what needed to be done to point the domain to the site.
And that’s where things got weird. Because I figured while I was reading Squarespace’s documentation about where to point the domain DNS, I’d also see what the process was for adding an SSL certificate. And the answer was shocking–there is no option to for individuals to use SSL on Squarespace sites.
When you login to Squarespace or set up an e-commerce area, Squarespace sends you to a Squarespace.com area that use Squarespace’s SSL certificate. But those are the only times that users will see SSL related to a site they have set up. As Squarespace explains (emphasis added),
Some areas of Squarespace sites are protected by SSL, including checkout for Commerce transactions and wherever you log into your site. However, SSL isn’t currently available for other pages.
We don’t offer the ability to install custom SSL certificates at this time.
This is crazy, and potentially dangerous. Without SSL, browsing Squarespace sites is subject to snooping by third parties. Attackers could potentially perform man-in-the-middle style attacks by intercepting the non-encrypted traffic and injecting malicious code.
One of Squarespace’s competitors, WordPress.com not only supports SSL for the millions of blogs/sites it hosts, but just announced it was using Let’s Encrypt to offer free SSL to every single custom domain on its network.
That Squarespace continues to expose both its visitors and its customers to these sort of risks is inexcusable.