The free SSL certificates from Let’s Encrypt have triggered an important development on the German hosting market: Protecting personal data on your own website is now free of charge almost everywhere. But how has the initiative, which issues free SSL certificates for everyone as a certification authority, fared so far? A detailed look at the development.
Since the introduction of the HTTP/2 standard at the latest, an SSL certificate has brought many advantages. Not only is personal data reliably encrypted, but the website also loads faster. In addition, HTTPS – the secure version of the Hypertext Transfer Protocol – makes websites future-proof. This is because Google announced on 8 September that it will mark websites without an SSL certificate as insecure in Chrome from 2017. This brings Google ever closer to its self-declared goal of “HTTPS everywhere”.

Let’s Encrypt plays an important role in this context. This is because the initiative from California issues free SSL certificates to everyone. This enables every website operator to set up SSL free of charge and also relatively easily. And the US Certification Authority has already had an impact on the German hosting market. Many hosters already offer free certificates. Some have integrated Let’s Encrypt, others offer free certificates from other providers.
The success of Let’s Encrypt is therefore not only relevant for website operators, but also for the German hosting market.
Let’s Encrypt has issued more than 10,000,000 certificates to date
Since Let’s Encrypt was officially launched in May this year, the milestones have been coming thick and fast: Two million, five million, then recently the ten millionth certificate. However, these figures are not synonymous with ten million sites encrypted via Let’s Encrypt certificates. Rather, the actual figure must be approached from several angles.
On 23 April 2016, just a few days before the official launch, Let’s Encrypt was able to issue its two millionth certificate. Just 19 days later, on 9 May, the three million mark was reached. By 3 June, there were already four million certificates, and the five million mark was reached on 19 June. By the end of July, the figure had risen to seven million, and Let’s Encrypt has currently issued 10.86 million certificates, more than twice as many as in mid-June. That sounds like a brilliant start. But what is actually behind this figure?

Almost half of the ten million certificates issued have expired
The number 10,000,000 initially says very little. This is because it contains noise: certificate renewals, multiple certifications and expired certificates are all counted. If you also consider that the renewal cycle for Let’s Encrypt certificates is 90 days, the figure is put further into perspective.
The number of currently valid certificates is more informative: Let’s Encrypt currently has 5.51 million valid certificates. This does not mean that there are actually that many sites that are encrypted with Let’s Encrypt. But the figure does provide an initial approximation.

7.88 per cent of certificates run on .de sites
According to Let’s Encrypt’s own documentation, 7.88 per cent of certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult because nothing is known about how the figure was arrived at. It can probably be assumed that it is the number of sites for which Let’s Encrypt knows the TLD.
However, one conclusion can be drawn from this: The German top-level domain is the strongest country-specific TLD with 28,083 counted pages. It is followed by .ru, .uk, .fr and also .cz. Country-unspecific TLDs such as .com and .ninja are more popular, with the Certification Authority counting 30,967 of them.

Let’s Encrypt in 14th place worldwide
Another good source is the data from w3techs.com. Based on the top ten million websites in the world published by Alexa, the service analyses the shares of certain internet technologies. The relevant websites are searched specifically for certain technologies. If a hit is obtained, this is included in the count. You can find out more about the sample used here.
According to w3techs, Let’s Encrypt is currently still a very small certification authority with a market share of 0.185 per cent and is in the bottom third of the market. Even if you only look at the certification authorities that have a market share of less than one per cent, Let’s Encrypt is at the bottom of the rankings, both in terms of absolute usage and market share.

However, IdenTrust, the certification authority that supplies the root certificates for Let’s Encrypt, is in third place. This is a good sign, because if the source of the root certificates enjoys a high level of trustworthiness, then the services based on these root certificates also tend to be trustworthy.

Especially smaller sites with less traffic use Let’s Encrypt
The biggest disadvantage of Let’s Encrypt compared to fee-based certification authorities is still the very limited choice of certificates. This is because the US certification authority currently only offers one type of certificate: a domain-validated certificate. Extended functions, such as the famous green address bar and extended validations – e.g. of a company or organisation – are currently not possible with Let’s Encrypt. Of course, this does not mean that Let’s Encrypt certificates are less secure, just that their range of functions is limited.

The implementation of extended functions is currently not in sight. This is because the validation of organisations and companies requires man-hours, which in turn cost money. A detailed discussion about this can also be found in the Let’s Encrypt forum.
As a result, it is mainly smaller sites that use Let’s Encrypt, which can easily do without extended validation. The w3techs data clearly shows that Let’s Encrypt is currently primarily used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-orientated companies that logically want to attract the large and therefore high-volume sites as customers.

Conclusion: In my opinion, Let’s Encrypt still has huge potential
For a look into the crystal ball, the data on the sites with SSL certificates is less interesting than the sites that do not yet have an SSL certificate. According to w3techs, this is 30.8 per cent of sites. Although the reasons for the lack of an SSL certificate for these sites are not broken down, I believe that for a good percentage of them, the costs in combination with the technical hurdles are probably the main obstacles.
Both are now greatly simplified by Let’s Encrypt and its integration into user interfaces, e.g. in the dashboards of hosting providers. The more the Californian initiative becomes known, the smaller the number of websites that do not have an SSL certificate is likely to become.
So far, it seems that Let’s Encrypt has not yet managed the transition to exponential growth. This could change in 2017 when Chrome starts labelling websites without HTTPS. The behaviour of other browser manufacturers in this matter will also have an influence on further developments. However, the development that Let’s Encrypt has initiated is to be welcomed in any case, both for website operators and hosting providers.
Do you already use a Let’s Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As the sys admin of Raidboxes, I am also happy to answer your questions about SSL.