One billion certificates later, Let’s Encrypt’s crazy dream to secure the web is coming true
Commentary: Let’s Encrypt cofounder Josh Aas is quick to deflect praise, but each of us has a great deal to thank him for, as 85% of page loads are now secured.
Most of us have blockers that keep us from doing our job as well as we’d like. Maybe the marketing team won’t listen to us, or that jerk in engineering refuses to add a particular feature. And if only my boss would approve the purchase of a new MacBook Air, I could be soooo much more productive!
Josh Aas won’t be impressed. His blocker? He needed hundreds of millions of websites to embrace stronger security (HTTPS). No problem, right? Well…. One route to this goal was to standardize a new HTTP specification (HTTP/2) that embraces Transport Layer Security (TLS). But this introduced another problem: To make this work in the real world, Aas needed to issue the billion or so digital certificates websites would need in order to enable HTTPS (SSL/TLS)–for free. And make it super easy to obtain and manage those certificates.
Oh, and it all had to be done in five years or less.
So Aas quit his day job at Mozilla in 2012 and started Let’s Encrypt (as one does). Today, in part due to the work Let’s Encrypt does, roughly 85% of all websites use HTTPS and over one billion certificates have been issued. I talked with Aas to get the story.
SEE: Network security policy (TechRepublic Premium)
In 2011 Aas was leading Mozilla’s networking team–the group that writes all of the networking code in Firefox. As he tells it, it was a constant frustration that so many websites didn’t use HTTPS because there was not much Mozilla could do on the Firefox side to improve the security of those connections. “We desperately wanted to move to an HTTPS-only Web but getting hundreds of millions of websites to change their behavior seemed almost impossible,” he related.
As mentioned, at this time Aas and the Mozilla team were participating in the HTTP/2 standardization process, and Aas wanted to make sure that HTTP/2 required TLS so that it would be secure by default. This sounded simple and reasonable, but it wasn’t so straightforward.
One of the arguments against requiring TLS for HTTP/2 was that doing so would make it “pay to play”–you’d have to buy a certificate in order to deploy it. It would also make deployment much more complex because getting and managing certificates was very complex. All of this would hurt adoption.
“We needed to find a way to make certificates free and easy to get and manage,” said Aas. “We needed the solution to be available globally, and we wanted the solution to help convert a large portion of the Web to HTTPS in five years or less.”
Oh, really? That’s all?
Most of us would likely have given up. Not Aas. “The only idea that seemed like it could work was to start a new nonprofit certificate authority that issued certificates for free in an entirely automated and easy-to-use way.” Aas and his co-conspirators (a colleague from Mozilla, Eric Rescorla, Alex Halderman from the University of Michigan, and Peter Eckersely, who was with Electronic Frontier Foundation) “weren’t crazy about spending years of our lives building a CA [certificate authority],” but it seemed to be the only plausible answer, as implausible as it was.
In any startup, a certain amount of hope is required. The slightest bit of good news can help an entrepreneur navigate a barrage of bad news. For Aas, “There was a lot to learn, which I enjoy. There was a sense of urgency. The more progress we made the more excited other people got.”
It took Aas and the Let’s Encrypt team three years to go from nothing to issuing their first publicly trusted certificate. The first two years, he said, were mostly planning, getting initial sponsors, legal work, and putting together some partner deals. That third year was spent building the CA, which took a little over a year. At every step, Aas described, it was exhausting work. “What saved me,” he went on, “was hiring Sarah Gran, who is sort of the second in command at Let’s Encrypt these days. She’s incredibly smart and productive and really made things not only bearable again, but enjoyable.”
And what about money? Aas may have wanted to give away certificates for free, but building the Let’s Encrypt apparatus was anything but free. Fortunately, miracles happen when you’re securing the web.
During Let’s Encrypt’s third year, when money was tight and managing finances was a major source of stress for Aas, an anonymous donor reached out and offered to donate whatever Let’s Encrypt needed. Said Aas, “I quoted a pretty high figure that would solve a lot of problems, and they basically just responded asking for wire transfer instructions. They sent what I asked for. That was a massive relief financially, but also emotionally because it let us know that people out there we’d never heard of were understanding the importance of our work.”
Operating in the open
Eight years in, Let’s Encrypt has been a fantastic success. This new job that Aas took on to ensure the efficacy of his old job continues to this day. Since Let’s Encrypt issued its first certificate in 2015, the percentage of encrypted page loads has grown from 39% to 85% as of April 2020, globally, which has protected an incredible amount of personal data.
It’s a gargantuan achievement.
For companies to trust Let’s Encrypt’s certificates, it has been critical for Let’s Encrypt to operate with maximum transparency, right down to the source code behind its service. “We think it’s important for the code to be open source for transparency and trust,” he told me. The core code that runs the Let’s Encrypt certificate authority has always been open source, available on GitHub.
SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
Let’s Encrypt also depends on community in other ways. According to Aas, “We wouldn’t be where we are today without [our community].” This includes those who help manage community forums, those who contribute to building the Let’s Encrypt website (also open source), as well as those who write the hundreds of client software options for using Let’s Encrypt. As Aas noted, “There is a huge diversity of software deployment stacks out there and we don’t have the resources to make sure Let’s Encrypt integrates well with all of them. We rely on our community and they do an amazing job–there’s a client for almost every software stack! This is what makes Let’s Encrypt so easy for everyone to use.”
A better internet
From the start, Aas argued, “People want to do the right thing and secure their sites with HTTPS, [but] needed it to be easier to do.” Let’s Encrypt filled that void by offering a secure, reliable service that can issue millions of certificates per day without issue. Let’s Encrypt also removed complexity from certificate issuance and management by automating the process and building on standardized and well-documented APIs that make life easy for engineering teams.
“It would have been hard for me to imagine issuing a billion certificates and serving 200 million websites just five years after we started,” said Aas. “But here we are.” The fact that 85% of page loads on the web are now secure is “a stunning victory for privacy and security,” said Aas. Stunning, indeed, and it all comes back to the personal sacrifice that Aas and the other Let’s Encrypt cofounders made to secure the web, for us.
Disclosure: I work for AWS, but nothing herein relates to my work there.