Home of internet privacy

Let’s Encrypt has issued a billion certificates, securely encrypting nearly 200 million sites

An effortless way to check whether the site you just logged on to maintains an encrypted connection is whether it starts with HTTP or HTTPS. HTTPS (Hyper Text Transfer Protocol Secure) encrypts the connection between you and the sites you visit, preventing snoopers from prying on the contents of your traffic.

The good news is that you don’t need to check so much anymore. Globally, 81% of sites use HTTPS with 91% of those sites in the U.S.. The speed of adoption is due largely because of Let’s Encrypt, a non-profit group that issues certificates verifying that sites use HTTPS.

Last week they issued their one billionth certificate, reaching almost 200 million websites.

What is a CA certificate and why is it so important for site encryption?

A Certificate Authority certificate verifies that a website is saying the truth when it claims an encrypted connection, which is in part indicated by the HTTPS protocol. The CA will sign the website’s encryption certificate, which is presented to the user every time a website is opened.

This encryption is important to make it more difficult for malicious actors, surveillance agencies, and your ISP to gather sensitive information about you in cleartext and use that to pry on your browsing activity for personal information.

[Keep up with the latest in privacy and security. Sign up for the ExpressVPN blog newsletter.

Browsers like Chrome and Firefox have also made it easier for you to check whether a site is secure or not—just look to the URL for a closed padlock to see if it’s secure. There are still sites that don’t use HTTPS, including an array of university websites like UCLA, Oxford University, and many non-U.S.-based sites.

A free, open and automated client makes it easy to use…

Much of Let’s Encrypt’s success lies heavily in its simple-to-use protocol, ACME (Automatic Certificate Management Environment), which automates the generation of certificates through a public-key infrastructure, allowing it to generate millions of certificates with relative ease.

It’s free and requires minimal manual upkeep, and several clients, like the Electronic Frontier Foundation’s Certbot, makes the application and certification of your website incredibly easy.

Every certificate issued has a 90-day lifespan, which helps limit damage from stolen keys or mis-issued certificates and encourages automating certificate renewal, instead of manually refreshing every few years.

…and somewhat easy to abuse

But such ease has also made Let’s Encrypt a convenient choice for bad actors. Some redirect unwitting users to encrypted sites to install malware and spyware onto their devices, like these malvertisers did in 2016.

Their ACME protocol was also hit a couple years ago with a flaw that would have let attackers hijack a certificate for a domain they didn’t own, and just a few days ago Let’s Encrypt found a bug that now requires them to revoke a few certificates. Let’sEncrypt has always responded quickly to fix these though, and is now launching its multi-perspective domain validation system to “ensure certificate applicants control the domains they’re hoping to register a certificate for.”

Encrypting a website has never been easier

As far as security software goes, Let’s Encrypt has played a huge part in encrypting and certifying certificates. The non-profit body has improved its own security and authentication processes, and it’s continually striving to work as securely and painlessly as possible.

If you don’t own a website but still want to make sure you’re only on HTTPS certified websites, use EFF’s HTTPS Everywhere (which we have on our Chrome, Firefox, and Edge extensions). The extension blocks all HTTP requests, stopping you from visiting unencrypted websites.