How a nonprofit you’ve never heard of made the web safer for everyone

By Glenn Fleishman

Let’s Encrypt issued its one billionth digital certificate a few weeks ago. Run by the nonprofit Internet Security Research Group (ISRG), the service provides these certificates to websites for free, allowing your browser to create a secure and validated connection to a server that’s effectively impenetrable to snooping. The pandemic hasn’t halted the group’s progress: It says it’s now issued over 1,080,000,000 certificates.

That Let’s Encrypt doesn’t charge for this service is a big deal. A digital certificate for a website—also useful for email servers and other client/server systems—used to cost hundreds of dollars a year for a basic version and even more for a more comprehensive one. For smaller sites, that cost alone was a barrier.

While the price had dropped significantly before Let’s Encrypt began issuing its certificates at no cost in 2015, and some commercial issuers had offered free certificates on a limited basis, encrypting a site was no trivial matter. It required technical expertise and the ability to puzzle through command-line configurations. (Though I’ve been running websites since 1994, renewing and installing certificates had remained one of my bugbears before Let’s Encrypt.)

Let’s Encrypt didn’t set out to launch a price war and thereby destroy an existing marketplace. By making encryption free and simple, the organization has been a large part of an industrywide shift to encrypt all web browsing, one that has doubled the share of secure sites from 40 to 80 percent of all sites since 2016.

As Josh Aas, executive director and cofounder of ISRG, says, the organization wants everyone to be able to “go out and participate fully in the web without having to pay hundreds of dollars to do something.” Setting the cost at zero benefits each site’s users and the internet as a whole.

Google tracks opt-in information from Chrome browser users about the type of connections they make. It shows that secure connections rose from 39 percent (Windows) and 43 percent (Mac) in early 2015 to 88 and 93 percent respectively on April 11, 2020. One source indicates that Let’s Encrypt now supplies 30 percent of all website digital certificates. Two hundred million websites now use its certificates, the organization says.

This dramatic increase in web encryption protects people from some unwanted commercial tracking and snooping by malicious parties and government actors alike. It took Let’s Encrypt as a catalyst to put it within the reach of every website.

Blocking unprecedented snooping

After revelations about the scope and nature of wide-scale, routine data collection by U.S. national security agencies, which added to the already-known and suspected habits of other democracies and repressive countries, tech firms shifted heavily into encrypting connections everywhere they could. That meant more encryption between data centers run by the same company (as Google added starting in 2013), encryption of data at rest on servers, and browser makers calling users’ attention to unprotected web sessions.

That last part was critical, as Chrome, Firefox, and Safari slowly increased warnings about nonencrypted connections—and finally turned those warnings into outright error messages. But it could also have been unfair to smaller websites, especially those in developing nations and ones run by nonprofits, volunteer groups, and small companies lacking the wherewithal to implement encryption. Without an easy way for most organizations to secure their sites, it would have balkanized the net.

Let’s Encrypt stepped into that growing void. Now financially supported by a host of major tech companies—though Apple’s name is oddly and noticeably absent—the organization has scaled successfully from a million certificates a year to a million a day over just four years.

ISRG’s Aas says that the organization has a very small staff, which is why it favors more automation and less spending. “So many of our projects are about becoming more efficient,” he says. ISRG operates on a $3.6 million annual budget, which has increased only slightly since its first year in full production, in 2016.

“We want to make sure that when someone entrusts us with a dollar, we go out and do the most work we can with that dollar,” Aas says. For instance, he says, the group relies on three very expensive, exceedingly reliable database servers. Each costs $100,000 or more, but the setup provides triple redundancy. Using more common, cheaper hardware would require more staffers to provide maintenance.

ISRG has also retained an extremely tight mission focus on certificate issuance. And it offers no customer support, though it encourages a rich and active community and maintains ever-improving online documentation. Not providing support results in “a huge amount of internal pressure to ensure people don’t need support,” says Aas. “Developing community is a huge part of our efficiency.”

Some major hosting firms have adopted Let’s Encrypt as an effectively no-cost method of adding digital certificates for their users’ sites with almost no overhead. They can automate the process of requesting a certificate, receiving it, and installing it, a dramatically less intensive process than any previous method. (Let’s Encrypt has focused on automation and spent three years shepherding a relevant Internet Engineering Task Force draft through to a proposed standard in March 2019.)

The widely used cPanel administrative interface offers Let’s Encrypt as a point-and-click option to install a certificate. But it’s equally trivial to use manually. To renew certificates across about 20 domains and subdomains I own, I type in a single command every three months, reminded by Let’s Encrypt’s renewal email 30 days in advance. A few seconds pass and I’m ready to go for another three months. If I were slightly less lazy, I could entirely automate the process through a recurring server-based task.

No strings attached

Most “free” things on the internet come with an expensive price tag—usually involving giving up our privacy. Let’s Encrypt is the rare organization that does something useful and controls its scope and budget, so it can be more efficient every day it operates. The organization knows virtually nothing about parties requesting certificates—it doesn’t even ask for an email address—and retains almost nothing. It relies entirely on domain ownership as proof of a user’s identity. That’s enough, since all a certificate does is validate that someone runs the domain that the certificate is securing.

With its constrained mission, Aas says that ISRG has plenty of efficiencies yet to reap and improvements to make, even as it focuses on its day-to-day operations. “We take the time to do it right, but we don’t take more time than we need to get it right,” he says. The group took years to become a certificate authority (CA), for instance, making it one of a few hundred organizations trusted by a handful of operating system and browser makers to be the root of trust for certificates.

And just before the billionth certificate was issued, Let’s Encrypt implemented a security technique, the first by a CA, that effectively blocks the ability of a malicious party to subvert a flaw in the internet’s data routing system and obtain a domain certificate fraudulently. (It fully documented its new technology so others could benefit from it too.)

In many ways, Let’s Encrypt is a throwback to the precommercial internet, when a combination of generosity, mutual benefit, and enlightened self-interest allowed for rapid improvements. Its free certificates are a ticket to that past—but with modern technological efficiencies that keep it pointing toward the future.

 

Fast Company