Certification Authority Let's Encrypt

Five months of Let's Encrypt: This is where the Certification Authority from California stands today

The free SSL certificates from Let's Encrypt have triggered an important development on the German hosting market: Protecting personal data on your own website is now free almost everywhere. But how has the initiative, which issues free SSL certificates for everyone as a certification authority, fared so far? A detailed look at the development.

Since the introduction of the HTTP/2 standard at the latest, an SSL certificate has many advantages. Not only is personal data reliably encrypted, but the website also loads faster. In addition, HTTPS - the secure version of the Hypertext Transfer Protocol - makes websites future-proof. This is because Google announced on September 8 that it will mark websites without an SSL certificate as insecure in Chrome from 2017. This brings Google ever closer to its self-proclaimed goal of "HTTPS everywhere".

Certification Authority Let's Encrypt - Google Chrome HTTPS Marking
With the new display, sites from absolutely trustworthy providers would also be given a red warning signal. This is usually not a problem for media such as t3n because readers trust the medium. However, Google's warning can cost less well-known sites readers and customers.

Let's Encrypt plays an important role in this context. This is because the initiative from California issues free SSL certificates to everyone. This enables every website operator to set up SSL free of charge and also relatively easily. And the US Certification Authority has already had an impact on the German hosting market. Many hosters already offer free certificates. Some have integrated Let's Encrypt, others offer free certificates from other providers.

The success of Let's Encrypt is therefore not only relevant for website operators, but also for the German hosting market.

Let's Encrypt has issued more than 10,000,000 certificates to date

Since Let's Encrypt was officially launched in May of this year, the milestones have been coming thick and fast: Two million, five million, then recently the ten millionth certificate. However, these figures are not synonymous with ten million sites encrypted via Let's Encrypt certificates. Rather, the actual figure must be approached from several angles.

On April 23, 2016, just a few days before the official launch, Let's Encrypt was able to issue its two millionth certificate. Just 19 days later, on May 9, the three million mark was reached. By the third of June, there were already four million certificates, and the five million mark was reached on June 19. By the end of July, the figure had risen to seven million and currently Let's Encrypt has issued 10.86 million certificates, more than twice as many as in mid-June. That sounds like a brilliant start. But what is actually behind this figure?

Number of free SSL certificates from the Let's Encrypt Certification Authority
The number of certificates issued by Let's Encrypt rose particularly sharply in August and September. This is probably due to the 90-day term of the free SSL certificates. The official market launch was in May 2016. Source: https://letsencrypt.org/stats/

Almost half of the ten million certificates issued have expired

On its own, the figure 10,000,000 says very little, because it contains noise: certificate renewals, multiple certifications and expired certificates are also counted. Once you also know that the renewal cycle for Let's Encrypt certificates is 90 days, the figure is put further into perspective.

The number of currently valid certificates is more informative: Let's Encrypt currently has 5.51 million valid certificates. This does not mean that there are actually that many sites that are encrypted with Let's Encrypt. But the figure does provide an initial approximation.

Valid certificates from the Let's Encrypt Certification Authority
It is clear to see that the number of valid Let's Encrypt certificates increased only moderately from August to September. It even stagnated in September. This is also an indication that many certificates were renewed in August and September. Source: https://letsencrypt.org/stats/

7.88 percent of certificates run on .de sites

According to Let's Encrypt's own documentation, 7.88 percent of certificates run on .de top-level domains. However, the sample and population on which this figure is based, or to which this figure can be related, are not specified. This makes interpretation quite difficult, as nothing is known about how the figure was arrived at. It can probably be assumed that it is the number of sites for which Let's Encrypt knows the TLD.

However, one conclusion can be drawn from this: The German top-level domain is the strongest country-specific TLD with 28,083 counted pages. It is followed by .ru, .uk, .fr and also .cz. Country-unspecific TLDs such as .com and .ninja are more popular, with the Certification Authority counting 30,967 of them.

Shares of the TLDs in the known Let's Encrypt certificates
Number of certificates by top-level domain. .de is currently the most popular TLD. Also popular are .ninja, .me and .io. The figures probably refer to all sites whose TLDs are known to the Certification Authority. Source: https://letsencrypt.org/stats/

Let's Encrypt in 14th place worldwide

Another good source is the data from w3techs.com. Based on the top ten million websites in the world published by Alexa, the service collects the shares of certain internet technologies. The relevant websites are searched specifically for certain technologies. If a hit is obtained, this is included in the count. You can find out more about the sample used here.

According to w3techs, Let's Encrypt is currently still a very small certification authority with a market share of 0.185% and is in the bottom third of the market. Even if you only look at the certification authorities that have a market share of less than one percent, Let's Encrypt is at the back of the pack, both in terms of absolute usage and market share.

Market share of the certification authority Let's Encrypt
Since the start of the beta, Let's Encrypt has been able to steadily gain market share. However, the big hit, i.e. the transition to exponential growth, is still a long way off. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

However, IdenTrust, the certification authority that supplies the root certificates for Let's Encrypt, is in third place. This is a good sign, because if the source of the root certificates enjoys a high level of trustworthiness, then the services based on these root certificates also tend to be trustworthy.

The Let's Encrypt Certification Authority compared to other CAs
Let's Encrypt is clearly in third-last place among the certification authorities. IdenTrust, on the other hand, is in third place. It should be noted, however, that no information is available on the completeness of this list of providers. Source: https://w3techs.com/technologies/overview/ssl_certificate/all

Especially smaller sites with less traffic use Let's Encrypt

The biggest disadvantage of Let's Encrypt compared to fee-based certification authorities is still the very limited choice of certificates. This is because the US certification authority currently only offers one type of certificate: a domain-validated certificate. Extended functions, such as the famous green address line and extended validations - e.g. of a company or an organization - are currently not possible with Let's Encrypt. Of course, this does not mean that Let's Encrypt certificates are less secure, just that their range of functions is limited.

Example of an OV certification
Let's Encrypt, for example, cannot issue such certificates. Whether higher validation levels will ever come is still uncertain.

Implementation of extended functions is currently not in sight. This is because the validation of organizations and companies requires man-hours, which in turn cost money. A detailed discussion about this can also be found in the Let's Encrypt forum.

As a result, it is mainly smaller sites that use Let's Encrypt, which can easily do without extended validation. The w3techs data clearly shows that Let's Encrypt is currently mainly used by sites with low to medium traffic. The biggest players on the market, on the other hand, tend to serve sites with average traffic. This is because these certification authorities are profit-oriented companies that logically want to attract the large and therefore high-volume sites as customers.

Scatterplot of the provider field Certification Authority
This plot shows the current position of the Let's Encrypt Certification Authority compared to other players. It is striking that both Let's Encrypt and IdenTrust tend to be used in the low-traffic area. Source: https://w3techs.com/technologies/details/sc-letsencrypt/all/all

Conclusion: In my opinion, Let's Encrypt still has huge potential

For a look into the crystal ball, the data on the sites with SSL certificates is less interesting than the sites that do not yet have an SSL certificate. According to w3techs, this is 30.8 percent of sites. Although the reasons for the lack of an SSL certificate for these sites are not broken down, I believe that for a good percentage of them, the costs in combination with the technical hurdles are probably the main obstacles.

Both are now greatly simplified by Let's Encrypt and its integration into user interfaces, e.g. in the dashboards of hosting providers. The more the Californian initiative becomes known, the smaller the number of sites that do not have an SSL certificate is likely to become.

So far, it seems that Let's Encrypt has not yet made the transition to exponential growth. This could change in 2017 when Chrome starts to mark websites without HTTPS. The behavior of other browser manufacturers in this matter will also have an influence on further developments. However, the development that Let's Encrypt has initiated is to be welcomed in any case, both for website operators and hosting providers.

Do you already use a Let's Encrypt certificate or have you had experience with it? Share your knowledge with us and other users. As the sys admin of Raidboxes, I am also happy to answer your questions about SSL.
