Let's Encrypt: an automated certificate authority to encrypt the entire web


SOURCE: https://blog.acolyer.org/2020/02/12/lets-encrypt-an-automated-certificate-authority-to-encrypt-the-entire-web/
Summary

the morning paper
a random walk through Computer Science research, by Adrian Colyer

Let’s encrypt: an automated certificate authority to encrypt the entire web, Aas et al., CCS’19

This paper tells the story of Let’s Encrypt, from its early beginnings in 2012/13 all the way to becoming the world’s largest HTTPS Certificate Authority (CA) today – accounting for more currently valid certificates than all other browser-trusted CAs combined. Secondly, Let’s Encrypt managed to find a sustainable funding model for a combination of an open source project and free online service, as compared to the more normal pattern which sadly seems to involve running a small number of beneficent maintainers into the ground.

Since its launch in December 2015, Let’s Encrypt has steadily grown to become the largest CA in the Web PKI by certificates issued and the fourth largest known CA by Firefox Beta TLS full handshakes. As of January 21, 2019, the CA had issued a total of 538M certificates for 223M unique FQDNs… Let’s Encrypt has been responsible for significant growth in HTTPS deployment.

Today the majority of HTTPS sites use Let’s Encrypt and it’s the fastest growing CA, but its usage is still rarer among the largest sites.

Let’s Encrypt’s service is fully automated end-to-end (a key part of being able to make it free), and hence Let’s Encrypt only offers domain validated (DV) certificates (verifying that the requestor has control over the domain).

Boulder handles the three main functions required of a CA:

Boulder is built with six key design principles in mind:

On the client side, the EFF created an ACME client called Certbot, which is used by 50% of Let’s Encrypt clients.

Unlike most other clients, Certbot aims to fully automate secure HTTPS deployment, rather than simply procuring a certificate.

Let’s Encrypt succeeded by combining ease-of-use with a great price (free).

As said here by