CASE STUDY

Making Internet Security Accessible to Everyone

The Challenge

Vital personal and business information flows over the Web more frequently than ever, and we don’t always know when it’s happening. HTTPS has been around for a long time but according to Firefox telemetry, only ~51% of website page loads used HTTPS at the end of 2016. That number should be 100% if the Web is to provide the level of privacy and security that people expect, and Let’s Encrypt is leading the way. ABOUT LET’S ENCRYPT

Let’s Encrypt is a free, automated and open certificate In essence, everyone should use TLS (the successor to SSL) authority, run for the public’s benefit and is supported everywhere to protect their communications over the Web. Every organizationally by The Linux Foundation. The objective browser in every device supports it. Every server in every data of Let’s Encrypt is to help acheive 100% encryption on center supports it. the Web. Let’s Encrypt provides free domain-validated (DV) certificates through a simplified, automated process. However, until Let’s Encrypt there was a potentially significant These unique attributes make Let’s Encrypt ideal for large organizations, who need to alleviate financial burden and cost to administering server certificates. Let’s Encrypt is a free automate deployment at scale. Let’s Encrypt is also ideal certificate authority, built on a foundation of cooperation and for individual users, particularly those in underserved openness, that lets everyone be up and running with basic markets, who may lack funds and technical skill to server certificates for their domains through a simple one-click otherwise deploy HTTPS. process. Letsencrypt.org Prior to Let’s Encrypt, getting even a basic certificate through conventional means was too much of a hassle for many server HIGHLIGHTS operators. The application process can be confusing. It usually costs money. It’s tricky to install correctly. It’s difficult to update. • Let’s Encrypt enables free and automated installation Let’s Encrypt goes further than most in terms of end-to-end of SSL/TLS certificates automation and extensibility, both getting certificates and • Within it first year of operations, Let’s Encrypt secured in many cases installing them. This is an important strategy communications for over 25 million websites since major servers don’t yet have built-in support, and the • HTTPS grew to represent 39.5% of all page loads in the team supporting Let’s Encrypt want to make sure it’s given a last 20 years. In less than two years since the start of Let’s proper chance to thrive. Encrypt, that number has grown to 54%, thanks in large part to the free and automated certificates • Let’s Encrypt certificates have been issued in nearly every country in the world WWW.LINUXFOUNDATION.ORG CASE STUDY

The Approach certificates secured over 25 million websites worldwide and ranked as one of the largest certificate authorities. Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation (EFF), IdenTrust, Inc., and researchers at the University of Michigan started working through the Internet Security Research Group (“ISRG”) to create Let’s Encrypt and deliver this much-needed infrastructure in 2014. The Linux Foundation is providing the infrastructure and operational support for Let’s Encrypt using its collaborative model for open source projects.

The key principles behind Let’s Encrypt are:

• Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost. • Automatic: The entire enrollment process for Throughout this period of incredible growth, support for the certificates occurs painlessly during the server’s native effort has also increased. OVH joined Cisco and Akamai as installation or configuration process, while renewal Platinum sponsors with three-year commitments. Mozilla, occurs automatically in the background. Google Chrome and the EFF provide support through their Platinum contributions. The Ford Foundation also awarded • Secure: Let’s Encrypt serves as a platform for Let’s Encrypt their first grant in 2016. Shopify, Facebook, implementing modern security techniques and best SiteGround, Cyon and many others have joined the ranks practices. of over 25 Silver sponsors. • Transparent: All records of certificate issuance and revocation are available to anyone who wishes to inspect them. Twice annually a Legal Transparency report will be published to ensure users have visibility “Encryption ia critical to security and privacy regarding legal requests. on the Web, and by working with Let’s • Open: The automated issuance and renewal protocol is an open standard and as much of the software as Encrypt, OVH is showing our commitment possible will be open source. to bringing the protections of HTTPS to • Cooperative: Much like the underlying Internet Web users worldwide.” protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any - Pascal Jaillon Vice President of Product Management, one organization. OVH US

The Results Let’s Encrypt has received a considerable boost from In September 2015 Let’s Encrypt issued their first industry endorsement, with major hosting companies like certificate, and just seven months later, they issued ther OVH, Wordpress.com, Gandi, Dreamhost, and Squarespace millionth certificate. At the close of 2016, Let’s Encrypt

WWW.LINUXFOUNDATION.ORG CASE STUDY

helping many sites move to HTTPS with Let’s Encrypt. Based on numbers Mozilla gathers from Firefox users, encrypted “Cisco is committed to improving the sites now account for more than 53 percent of page visits, compared with 39.5 percent just before Let’s Encrypt security of the Internet, not only for our launched. Wordpress.com and Squarespace started customers and partners, but for everyone providing free HTTPS for all custom domains hosted on their respective platfroms, which helps protect users in else as well. Let’s Encrypt has been doing various ways, including defending against surveillance impressive work toward that goal. Our of content and communications, cookie theft, account hijacking, and other web security flaws. support of this community towards real- time, on-demand certificates will make the Internet more secure.”

- David Ward, CTO of Engineering and Chief Architect at Cisco

The project’s aim is for HTTPS to become the default on the Web, and the success so far gives the community confidence that it will get there - and much faster than anyone predicted. Let’s Encrypt is growing at a current rate of more than 200,000 certificates per day which is creating a rapid increase in the security and safety of online Web users.

For more information on Let’s Encrypt visit letsencrypt.org For more information on projects hosted at The Linux Foundation, visit linuxfoundation.org/projects

WWW.LINUXFOUNDATION.ORG