Let's Encrypt Internet Security Initiative Exits Beta

By Sean Michael Kerner  |  Posted 2016-04-12 Print this article Print
Web security

The free SSL/TLS effort from the Linux Foundation is no longer in beta. Here's why it makes the Web more secure overall.

Let's Encrypt is officially exiting its beta stage today as the free Linux Foundation Collaborative Project hits a new milestone. The Let's Encrypt initiative is an effort to provide free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates to Websites in a bid to help further the adoption of encryption on the Web and improve Internet security for everyone.

Let's Encrypt was first announced in November 2014, and in April 2015 it became a Linux Foundation Collaborative Project, with the first publicly available free certificates issued in December. Now, after issuing more than 1.5 million free certificates, Josh Aas, Internet Security Research Group executive director and leader of the Let's Encrypt project, is ready to take the beta label off the effort.

"We believe we've gained ample experience and confidence in our systems so that the beta label is no longer necessary," Aas told eWEEK. "We've successfully demonstrated our ability to issue at Web-scale, and while there is always more work to do, we are confident about the maturity of our systems."

Moving a technology out of beta often implies that the software is production-ready and that APIs will be stable. For Let's Encrypt, exiting beta does not imply anything new in terms of API stability, according to Aas.

"We have and will try to keep our APIs as stable as possible, ideally only making breaking changes for necessary security and compliance improvements," he said.

In addition to removing the beta label, Let's Encrypt today also announced additional sponsors for the project. Hewlett Packard Enterprise (HPE), Fastly, Duda and ReliableSite.net are joining the Let's Encrypt project as Silver sponsors, while Gemalto is joining as a Gold sponsor. Existing sponsors Akamai and Cisco are renewing their Platinum sponsorships of the project.

"Sponsorship is typically a set amount annually, with a discount for multiyear commitments," Aas said. "We've evolved our sponsorship model over time, in part due to experienced advice from the Linux Foundation and partly in response to conversations with potential sponsors."

A platinum sponsorship for Let's Encrypt costs $350,000 per year, or $300,000 a year with a three-year commitment, while a Gold membership is $150,000 a year. The Silver sponsorship level ranges from $10,000 to $50,000 a year, based on the number of employees in an organization.

"We don't charge for anything, so sponsorship and donations have to cover all of our costs," Aas said. "The biggest costs include operations staff, software engineers, hardware, hosting, auditing, and general and administrative expenses."

Let's Encrypt is a pretty lean operation, even while operating at entire-Web scale with meticulous attention paid to security, according to Aas. It has approximately 10 full-time employees plus administrative support from the Linux Foundation.

Among the latest deployments from Let's Encrypt is one with Automattic, the company behind the WordPress.com blogging Website. Aas noted that Automattic was a pretty early sponsor of Let's Encrypt as it liked what the project was doing and wanted to help. He added that Automattic let him know that it would like to switch to HTTPS by default for its Wordpress.com custom domains using Let's Encrypt.

"We got to encrypt a big chunk of the Web, and it was a great chance to test our ability for a very large number of domains in production," Aas said. "I think they requested approximately 29,000 certificates for 1.3 million domains in a single day, something we'd never done before. It went off without a hitch; we did nothing on our end but watch the certs go out."

With Let's Encrypt now officially out beta and the technology proven to work at scale, the project will continue to focus on its mission of improving HTTPS adoption on the Web. Aas noted that according to Firefox telemetry, approximately 38.5 percent of page loads used HTTPS when Let's Encrypt entered general availability in early December and as of last week it's a bit over 42 percent.

"The adoption rate has just about quadrupled since we launched, to almost 1 percent per month," Aas said. "That's an incredible rate of change, and we're responsible for a lot of that. We'd love to see HTTPS page loads exceed 50 percent by the end of 2016."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel