Let's Encrypt issued a billion certificates

February 27, 2020. The free certificate authority Let's Encrypt has issued its billionth certificate.

In a celebratory press release, project representatives recall that the previous milestone of 100 million issued certificates was celebrated in June 2017. At that time the share of HTTPS traffic on the Internet was 58% (64% in the US). In two and a half years, the figures have grown significantly: “Today, 81% of loaded pages around the world use HTTPS, and in the United States we are at 91%!” the guys from the project rejoice. “Incredible achievement. This is a much higher level of privacy and security for everyone.”

Let's Encrypt played a very important role in making HTTPS certificates a standard utility and in making strong traffic encryption the accepted norm on the Internet.

Beta testing of the innovative Let's Encrypt certificate authority began in December 2015. A unique feature of the new CA was that the process of issuing certificates was fully automated from the start.

Automatic configuration of HTTPS on the server occurs in two stages. In the first step, the agent demonstrates to the CA that the server has administrative rights to the domain name. For example, validation might involve creating a specific subdomain, or installing an HTTP resource with a specific URI within the domain.


Let's Encrypt identifies the web server running the agent by its public key. The public and private keys are generated by the agent before the first connection to the CA. During automatic verification, the agent performs a number of tests: for example, it signs the received one-time password with a public key and presents an HTTP resource with a specific URI. If the digital signature is correct and all tests are passed, the agent is granted the rights to manage certificates for the domain.


In the second step, the agent can request, renew, and revoke certificates. To issue a certificate automatically, a challenge-response authentication protocol called the Automated Certificate Management Environment (ACME) is used. All operations on the certificate are carried out without stopping the web server, using the ACME client Certbot. It is easy to use, works on most operating systems, and is well documented. There is an expert mode with an extended set of settings. In addition to Certbot, there are many other ACME clients.
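The HTTP resource check from the first step, as an added example that is not from the original article or from Let's Encrypt's code. It follows the HTTP-01 challenge of ACME (RFC 8555): the file served under the challenge URI must contain the CA's token joined to a thumbprint of the agent's public key (RFC 7638), which is how the CA ties the response to the key it already knows. The key, token and helper names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import re

# RFC 7638: only these public-key members, in sorted order, feed the thumbprint.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")  # base64url alphabet required of tokens

# Constructed sample values: the coordinates are placeholders, not a real
# curve point, and the token is not from a real CA.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x-coordinate",
               "y": "constructed-y-coordinate", "kid": "ignored-by-thumbprint"}
TOKEN = "constructedToken_0123456789abcdefABCDEF-xyz"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the agent's account public key."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_path(token: str) -> str:
    """URI the CA fetches. A token outside the alphabet is rejected so it can
    never escape the challenge directory when used as a file name."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains characters outside base64url")
    return "/.well-known/acme-challenge/" + token


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the agent must serve at challenge_path(token)."""
    challenge_path(token)  # reuse the alphabet check
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_accepts(token: str, account_jwk: dict, served_body: str) -> bool:
    """CA-side check: the served body must match the expected key
    authorization (trailing whitespace is ignored)."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())
```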

The Importance of Let's Encrypt

Let's Encrypt has revolutionized a market previously dominated by commercial CAs. They are now almost out of the DV (Domain Validation) certificate business, although they continue to sell Organization Validation (OV) and Extended Validation (EV) certificates, which Let's Encrypt does not issue because they can't be automated. However, this is a niche product, and free Let's Encrypt certificates reign supreme in the mass market.

Let's Encrypt has made it a standard to automatically reissue certificates. Despite their short lifespan (90 days), the automatic procedure eliminates the "human factor" that traditionally represents a major security vulnerability. Domain administrators often simply forget to renew certificates, causing services to fail. The last such incident happened with Microsoft Teams. On February 3, 2020, this collaboration service went offline due to an expired certificate.

Automatic replacement of certificates using the ACME protocol eliminates the possibility of such incidents.

Although the Let's Encrypt project serves half the Internet, in the physical world it is a small non-profit organization: “In these two and a half years, our organization has grown, but not much!” they write. “In June 2017, we hosted approximately 46 million websites with 11 full-time employees and an annual budget of $2.61 million. Today, we operate nearly 192 million websites with 13 full-time employees and an annual budget of approximately $3.35 million. This means we are serving over four times as many sites with just two additional employees and a 28 percent increase in budget.”

The project is supported through donations and sponsorship.

By now, HTTPS has become the de facto standard on the internet. Since last year, major browsers have been warning users about the dangers of connecting to sites that do not encrypt traffic over HTTPS. Let's Encrypt is credited with such a change in the security landscape.

On top of that, Let's Encrypt has literally revived the public XMPP server infrastructure. Now Jabber works with strong encryption both at the client-server and server-server levels, and the vast majority of certificates were issued by Let's Encrypt.


“As a community, we have done incredible things to protect people online,” reads the press release. “The issuance of one billion certificates is a testament to all the progress we have made as a community.”

Source: habr.com
