Just five years ago, most websites relied on unencrypted HTTP, the aging and inherently insecure protocol that gives sites and their visitors no protection against threats ranging from surveillance to phishing and identity theft.
Today, the internet is a much more secure place, with over 80% of websites protected by HTTPS encryption.
That dramatic transformation – to a secure web – is due in large part to the activities of Let’s Encrypt, a non-profit certificate authority (CA) founded five years ago by Prof. J. Alex Halderman and his collaborators.
Let’s Encrypt has driven adoption of the digital certificates needed to enable secure sites by making them free, easy to install and manage, and readily available through hosting providers.
This approach has been a radical break from traditional practice, says Halderman, in which implementing HTTPS required website operators to choose a certificate authority, prove their identity to it, pay as much as a few hundred dollars for a certificate, wait for it to arrive, and then follow a complicated series of steps to install it. In addition, he says, “You would have to repeat this process every year or two, and if you didn’t do it on time, your website might go down. So a lot of websites, particularly smaller ones, just left their sites unencrypted.”
“As a non-profit,” Halderman adds, “we give people the digital certificates they need in order to enable HTTPS websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting web.”
As a result of their unique approach, Let’s Encrypt is today the world’s largest CA, and over 225 million websites are protected by certificates issued by the organization.
Let’s Encrypt’s origins go back to 2012, when a research group led by Halderman and Peter Eckersley at the Electronic Frontier Foundation was developing a protocol for automatically issuing and renewing certificates. Simultaneously, a team at Mozilla led by Josh Aas and Eric Rescorla was working on creating a free and automated certificate authority. The groups learned of each other’s efforts and joined forces in May 2013.
That month, they formed the Internet Security Research Group (ISRG), a nonprofit corporation, to be the legal entity operating Let’s Encrypt. It was decided that ISRG should be a nonprofit because nonprofit governance requirements – such as no profit motive, no ownership, relatively high transparency, and a public service mission – would help ensure that the organization served the public in a stable and trustworthy manner over the long term. Josh Aas has served as ISRG’s Executive Director since its founding.
Let’s Encrypt was publicly announced on November 18, 2014, issued its first browser-trusted certificate on September 14, 2015, and began providing service to the public on December 3, 2015.
Looking back, Halderman says that “creating a new kind of certificate authority that gives out free certificates was a crazy idea. We had to prove that the economics would work, and there was no way to do that except to just build it. Five years after launch, the success and impact we’ve achieved is beyond my wildest dreams.”