
Let's Encrypt Has Issued a Billion Certificates - jaas
https://letsencrypt.org/2020/02/27/one-billion-certs.html
======
nwsm
>In June of 2017 we were serving approximately 46M websites, and we did so
with 11 full time staff and an annual budget of $2.61M. Today we serve nearly
192M websites with 13 full time staff and an annual budget of approximately
$3.35M.

That's awesome. Congrats

~~~
oh_sigh
Those two extra staff are expensive, but worth it.

~~~
aneutron
Honestly, I don't know anything about running a business. But if there's one
thing I learned in engineering, it's the great "if it ain't broke, don't fix
it."

(I know you're joking.) But even if they're costly, if they keep the service
running and bring in funds, why would anyone risk damaging their business and
start cutting costs?

~~~
three_seagrass
In grad school, my MBA-level technology course had a case on Zara and their
POS software.

The case problem was that the software was running on MS-DOS, had a janky
text-based interface, but managed to work well for Zara's fast-fashion
inventory.

The 'right' solution for the case was to not change anything at all.

~~~
meesles
Just curious how one would know if it was the 'right' solution without having
tried other solutions?

I find it hard to believe that any business would not benefit from moving from
an ancient computer system to one with error validations and better tooling so
that their boots on the ground can make fewer mistakes. Forget the cost of
transitioning since at scale that's a whole executive job function, but purely
from a day-to-day I don't understand how what you said can be true.

~~~
three_seagrass
That's why it was taught as a business case, because it forces you to look at
the requirements for switching and evaluate the cost/benefit of the action.

Even passenger jets still use floppy disks. AFAIK Zara did update their POS
system later though, to be more compatible with payment device hardware.

------
upofadown
Let's Encrypt has caused a revolution in the world of public XMPP servers. Now
they are pretty much all properly encrypted for both client to server and
server to server. The list of servers shows a sea of Let's Encrypt:

* [https://list.jabber.at/](https://list.jabber.at/)

I suspect that there are a lot of other non-web applications out there that
have hugely benefited as well...

~~~
mpoteat
If so many services use Let's Encrypt, do you think there's a risk they become
a target for sneaky surveillance activities?

~~~
joosters
There's not much to spy on. It's not like Let's Encrypt _generates_ your private
keys and gives them to you. They sign a request that you send them (and they
don't get to ever see your actual private key). So an evil CA won't be able to
crack your encrypted website.

An evil CA can of course generate fake certificates for any hostname they
like, but those people already exist. Have you taken a look at just how many
different root CAs are out there, and are trusted by your OS/browser? It
includes hundreds of companies and governments. Then there are even more
(countless?) 'second level CAs' (I forget the proper term, sorry!) who can
also generate and sign a trusted certificate for any hostname, because, while
they aren't a root CA, their authority has been signed in turn by a top-level
CA. The web of trust is very large and has many points of failure.

~~~
panny
>An evil CA can of course generate fake certificates for any hostname they
like, but those people already exist

[citation needed]

If that were true, I'd expect browser/OS makers to promptly revoke trusted CA
status for them.

~~~
hawkice
Only if they abused it. If it's a government CA, and they use it only to trap
pedophiles and ISIL, I don't see them doing anything.

~~~
comex
I’m pretty sure browsers will de-trust CAs that intentionally sign forged
certificates regardless of what they’re used for.

------
hashhar
Thanks for making it all so painless. It's so good I forget it's even there.
Easily the best piece of infrastructure tech I've ever used.

Also, to folks who wish to "pay" for the certs, you can do so at
[https://letsencrypt.org/donate/](https://letsencrypt.org/donate/). A yearly
recurring donation for the avg price of an SSL cert is what I do.

~~~
LoSboccacc
We still can't certify on an alternative port, DNS is not always an option, and
so there are people stuck with having to shut down servers while certbot does
its thing.

~~~
__float
What practical situation do you encounter where DNS isn't an option?

Why are you shutting down servers to rotate certificates? A reload should be
totally possible!

~~~
closeparen
I think it refers to stopping the main service so that certbot can bind port
80 during the verification process.

~~~
ohyeshedid
The person you're responding to is asking about verification through dns,
which is an option that avoids the need for http verification.

------
anurag
Let's Encrypt isn't just making the web more secure; it's enabling a new
generation of startups to exist and thrive.

My company relies heavily on Let's Encrypt to offer SSL for all kinds of use
cases including wildcard domains. We wouldn't be here without them and we're
proud to be an official sponsor.

If your company can afford it, do consider a corporate sponsorship:
[https://letsencrypt.org/become-a-sponsor/](https://letsencrypt.org/become-a-sponsor/)

------
gramakri
One of the best things to happen to the internet. We started working on our
product a year before Let's Encrypt and in the early days onboarding new
customers was a nightmare. This is because our product required a domain to
work and we spent a lot of time hand-holding customers to purchase a certificate
and set it up. After Let's Encrypt, this has never been a problem.

~~~
gramakri
Wanted to add that after the dns-01 challenge went live, it has become even
more awesome. Many customers saw opening up port 80 as a security concern for
their firewall.

~~~
dan15
DNS challenges are great for internal services too, where you want server-to-
server communication to be encrypted but the servers aren't accessible over
the public internet.
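
Worked example added by the editor, not code from any commenter and not Let's
Encrypt's own client code: the values behind the two challenge types discussed
above. LoSboccacc's complaint is about http-01, where the CA fetches a URL on
port 80; gramakri and dan15 are describing dns-01, where the CA queries a TXT
record instead. Both responses are derived from the same key authorization
(the challenge token, a dot, and the RFC 7638 thumbprint of the ACME account
key, per RFC 8555 section 8.1), which is why an account key is all a client
needs to answer either one. The JWK coordinates, the token and the domain name
below are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


# Members that go into the thumbprint, per key type (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    keys in lexicographic order, no whitespace. Optional members such as
    kid, alg or use are deliberately excluded so they cannot change the value."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """RFC 8555 section 8.3. The CA fetches this URL over plain HTTP on port 80
    and expects the key authorization as the response body. Anything that can
    write a static file under the existing web server's document root can
    satisfy it; nothing has to bind port 80 itself."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """RFC 8555 section 8.4. TXT record at _acme-challenge.<domain> holding
    base64url(SHA-256(key authorization)). Port 80 never has to be open and the
    host being validated does not need to be reachable at all."""
    name = f"_acme-challenge.{domain}"
    return name, sha256_b64url(key_authorization(token, account_jwk).encode("utf-8"))


# Constructed sample input: the JWK shape of a P-256 ACME account key. The
# coordinates are placeholders, not a real key; the thumbprint is a hash of the
# JSON, so no key operation is performed here. The token is made up as well.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "not-a-real-x-coordinate",
    "y": "not-a-real-y-coordinate",
    "kid": "https://acme.example/acct/1", "alg": "ES256",
}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"
SAMPLE_DOMAIN = "internal.example.net"  # assumed name for an internal host

if __name__ == "__main__":
    print(http01_response(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print(dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

http-01 only requires that the key authorization be served at that path on
port 80; certbot's `--webroot` mode writes the file into a running server's
document root, so the server does not have to stop for the validation. dns-01
needs no inbound connectivity, which is what makes it usable for hosts that
are not reachable from the internet, and it is the only challenge type Let's
Encrypt accepts for wildcard names.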

------
ddevault
Since LE has certificate transparency, can we determine which cert was the
billionth? I registered two certs with them today, here's hoping it was me ;)

~~~
jaas
It's surprisingly hard to tell which certificate was the billionth issued.
You'd have to decide on a source of truth, and CT is probably not a good one
for this purpose. Submissions to CT are not necessarily made and processed in
issuance order. The goal is to get all certs into CT as quickly as possible,
but ordering isn't particularly important (maybe one submission from our CA
starts a second before another but the network request is delayed until after
the second one).

At the heart of things, our certificate signing infrastructure includes
multiple HSMs, each one with multiple signing cores. This means that we're
signing certificates in parallel all the time.

The signed certificates are inserted into our internal database in a
serialized order, but due to how we optimize our database it's not easy for us
to just ask "what is the billionth one." That kind of query is usually not a
very useful one for us to make.

~~~
ddevault
So, what you're saying is that my certificate was definitely the billionth.

~~~
cjm42
No, he's saying that he cannot deny that your certificate was the billionth.

------
privateSFacct
And the ICANN fees we pay covered none of this (when funding this sort of
thing would be an obvious benefit vs what ICANN does spend money on).

~~~
shp0ngle
we have the fun ceremony videos though

------
giancarlostoro
Wouldn't it have been something if every domain purchase went towards
infrastructure and projects like this one. Even an email provider that
provides free mail (and you can pay extra to get more email storage) service
for your domain. I wonder if gmail would have ever grown the way it did.

~~~
maxmcd
It's worth reading the paper: [https://jhalderm.com/pub/papers/letsencrypt-ccs19.pdf](https://jhalderm.com/pub/papers/letsencrypt-ccs19.pdf)

I don't think this is just about having money and funding, it's a very careful
and tactical approach.

Agree it would be nice if we find and capitalize on opportunities like this,
but (to me) it would be hard to run an email provider with the operational
goals they list:

- Minimal logic
- Minimal data
- Full automation
- Functional isolation
- Operational isolation
- Continuous availability

~~~
giancarlostoro
Can't that be achieved with POP3 email? It downloads emails to your system and
then deletes them on the server.

~~~
randomdude402
Most people don't want to have a desktop at home be the single source of truth
for their email anymore, though.

------
glofish
I shudder to think about what will happen if they go down for whatever reason.
Or get compromised, or the renewal gets bugged etc.

It is all cool and great, but is it sustainable long term, who guarantees that
everything will work in 10 years? Monocultures are not desirable.

A ray of hope - you can get a two-year certificate for 10 bucks - so right
there, another major benefit of Let's Encrypt, they make for better
competition. (ok I know Apple will stop honoring these starting in the Fall,
but I still got two years since the expiration will be for new certificates)

~~~
BiteCode_dev
This should be a state provided service. Or provided by the UN. Essential
stuff like this or root DNS should be a planetary responsibility.

~~~
antoinealb
In a lot of countries, giving the government the ability to issue SSL
certificates would be a catastrophe in terms of surveillance and censorship.

~~~
BiteCode_dev
Didn't think of that.

It doesn't have to be just the state or the UN though. It's not about removing
all the other actors on the market.

But if I make a website on Python programming in French, I'm quite ok using
the French gov as a CA provider.

I mean, I trust Mozilla because it's Mozilla. But I wouldn't trust most
companies.

~~~
vertex-four
The problem is, there’s no way to enforce this. If you are a CA, there is
nothing technically stopping you from issuing a certificate for google.com.
There’s no infrastructure for the ability to say “this CA is valid only for
sites that agree with the risks involved in using it”.

~~~
roblabla
Actually, I believe there are. IIRC it's possible for a CA's root cert to be
limited to only a certain TLD. There's an extension called "Name Constraints"
that limits a Root SSL Cert, and I believe it is honored by chrome.

[https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only](https://security.stackexchange.com/questions/31376/can-i-restrict-a-certification-authority-to-signing-certain-domains-only)

~~~
zaarn
It's an optional extension, so a client may ignore it without failing the
connection. It needs a lot more adoption. I could, for example, instead of
getting a wildcard cert, get LE to sign a CA valid for my domain. That way I
can issue certs for my domain myself and put load off of LE.
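
Added example, written for this thread and not taken from roblabla's link or
from any browser's or library's code: the dNSName matching rule behind the
Name Constraints extension (RFC 5280 section 4.2.1.10) that roblabla and zaarn
are discussing, applied to the arrangement zaarn proposes, a public CA signing
a sub-CA that may only issue under one domain. Two caveats a practitioner
should know: RFC 5280 requires the CA to mark this extension critical, so a
conforming client that does not implement it must reject the chain rather
than silently ignore the constraint; and constraints are evaluated at every CA
in the path, so the sub-CA owner cannot widen what the issuing CA restricted.
The domain names are constructed; wildcard leaf names and the other name
types (IP, email, URI) are out of scope here.

```python
from typing import List, Sequence, Tuple


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName matching. A subtree 'host.example.com' is
    satisfied by that exact name or by any name formed by adding labels on the
    left (www.host.example.com yes, host1.example.com no). Comparison is done
    label by label, so 'notexample.com' does not satisfy 'example.com'.
    A leading dot ('.example.com') is the widely deployed spelling for
    'subdomains only, not the apex'; that form is a convention, not RFC text."""
    n = _labels(name)
    if subtree.startswith("."):
        s = _labels(subtree[1:])
        return len(n) > len(s) and n[-len(s):] == s
    s = _labels(subtree)
    return len(n) >= len(s) and n[-len(s):] == s


def name_permitted(name: str, permitted: Sequence[str], excluded: Sequence[str]) -> bool:
    """excludedSubtrees wins over permittedSubtrees. An empty permitted list
    means 'no dNSName restriction from this CA', not 'nothing allowed'."""
    if any(dns_name_in_subtree(name, e) for e in excluded):
        return False
    if permitted and not any(dns_name_in_subtree(name, p) for p in permitted):
        return False
    return True


def check_leaf_names(san_dns_names: Sequence[str],
                     chain_constraints: Sequence[Tuple[Sequence[str], Sequence[str]]]
                     ) -> List[Tuple[str, int]]:
    """Every CA certificate on the path (root first) contributes its own
    (permitted, excluded) pair and a leaf name must pass all of them. Returns
    (name, index of the CA whose constraint it violates) for each failure,
    and an empty list when the leaf is acceptable."""
    failures = []
    for name in san_dns_names:
        for idx, (permitted, excluded) in enumerate(chain_constraints):
            if not name_permitted(name, permitted, excluded):
                failures.append((name, idx))
    return failures


# Constructed scenario: an unconstrained public root signs a sub-CA that is
# limited to example.com and additionally barred from internal.example.com.
ROOT = ([], [])
DOMAIN_SUB_CA = (["example.com"], ["internal.example.com"])
CHAIN = [ROOT, DOMAIN_SUB_CA]

if __name__ == "__main__":
    for names in (["www.example.com", "example.com"], ["google.com"],
                  ["db.internal.example.com"], ["notexample.com"]):
        print(names, check_leaf_names(names, CHAIN) or "ok")
```

Name constraints apply to the subjectAltName entries; most validators also
apply them to a subject CN that looks like a hostname, so a constrained sub-CA
cannot smuggle a name past the check through the CN either.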

------
sarcasmatwork
Congrats and Thanks Let's Encrypt crew! Using your services for awhile now.

------
nojvek
What made Let’s encrypt go through the roof is a whole bunch of providers
effortlessly make your site https compatible.

Like netlify (hosting a static site with build is super easy). Same with
Cloudflare and a bunch of others.

As a user it’s all abstracted at simply the push of a button.

------
est31
Why does the number in the TOTAL row and TOTAL column contain 1.7 billion?
[https://crt.sh/?caid=16418](https://crt.sh/?caid=16418)

~~~
jaas
Probably because it includes pre-certificates. I have to run so I don't have
time to explain, but basically at a certain point we started submitting each
certificate twice, the first one being a "pre-cert." You can probably Google
for more info.
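
Added example (the editor's code, not Let's Encrypt's or crt.sh's) that makes
jaas's point about pre-certificates concrete. Under RFC 6962 the CA first
signs a pre-certificate carrying a critical poison extension (OID
1.3.6.1.4.1.11129.2.4.3, value ASN.1 NULL) and submits it to the logs; the
final certificate has the same serial number, no poison, and the SCTs embedded
in a separate extension (OID 1.3.6.1.4.1.11129.2.4.2). A log database that
stores both as rows counts each issuance twice, which is what est31 is seeing.
The code below encodes and parses the X.509 Extensions list just far enough to
tell the two apart; the sample extension lists are constructed, not real
certificates.

```python
from typing import List, Tuple

CT_PRECERT_POISON = "1.3.6.1.4.1.11129.2.4.3"  # RFC 6962 3.1: critical, extnValue wraps NULL
CT_SCT_LIST = "1.3.6.1.4.1.11129.2.4.2"        # RFC 6962 3.3: SCT list in the final cert


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_extension(oid: str, critical: bool, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits the BOOLEAN when it equals the default."""
    parts = encode_oid(oid)
    if critical:
        parts += der_tlv(0x01, b"\xff")
    parts += der_tlv(0x04, value)
    return der_tlv(0x30, parts)


def parse_extensions(extensions_der: bytes) -> List[Tuple[str, bool, bytes]]:
    """Walk an X.509 Extensions SEQUENCE; yield (oid, critical, extnValue)."""
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext, 0)
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                      # optional critical BOOLEAN present
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        out.append((decode_oid(oid_body), critical, body))
    return out


def classify(extensions_der: bytes) -> str:
    """'precertificate' when the RFC 6962 poison is present and critical;
    the critical flag is what forces a CT-unaware client to reject it, so a
    leaked pre-certificate cannot serve as a real one. Otherwise 'certificate'."""
    exts = {oid: crit for oid, crit, _ in parse_extensions(extensions_der)}
    if CT_PRECERT_POISON in exts:
        return "precertificate" if exts[CT_PRECERT_POISON] else \
            "malformed precertificate (poison not critical)"
    return "certificate"


# Constructed sample extension lists. The rest of the TBSCertificate is omitted;
# a real pre-certificate and its final certificate share serial, subject and key.
BASIC_CONSTRAINTS_END_ENTITY = encode_extension("2.5.29.19", True, der_tlv(0x30, b""))
PRECERT_EXTS = der_tlv(0x30, BASIC_CONSTRAINTS_END_ENTITY
                       + encode_extension(CT_PRECERT_POISON, True, der_tlv(0x05, b"")))
FINAL_EXTS = der_tlv(0x30, BASIC_CONSTRAINTS_END_ENTITY
                     + encode_extension(CT_SCT_LIST, False, der_tlv(0x04, b"<constructed SCT list>")))

if __name__ == "__main__":
    print(classify(PRECERT_EXTS), classify(FINAL_EXTS))
```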

~~~
est31
Thanks for answering my question as well as others in this thread! Let's
Encrypt is awesome.

------
cm2187
And that's where they realise they stored the serial number on an int32!

~~~
knodi123
int32 is enough to store one cert per ipv4 address....

~~~
Dylan16807
So a two month supply, since serial numbers don't get reused.

------
saurabhnanda
Not to take away from this achievement, but no one else bothered about this
massive centralisation of critical security infrastructure?

~~~
globular-toast
I've always been concerned about the centralised model of SSL. But
interestingly whenever I mention that the model is broken and web of trust is
the best thing we have I get downvoted and shouted at here on HN.

~~~
doublerabbit
I get the same.

Single point of failure and you don’t even get insurance if something does go
tits up. Unlike you would with a normal paid SSL certificate.

If ICANN can’t be trusted what makes me want to trust LetsEncrypt.

I don’t trust it, I won’t use it. I don’t like it.

------
ck2
Now with domain prices being threatened to skyrocket, let's create/adopt a
free alternative to ICANN with alternate roots supported by all modern
browsers like OpenNIC

Yeah I know there are billions of legacy devices that will never work on it
but gotta start somewhere or adopt a current alternative asap so a decade from
now it's common.

------
rasengan
Stats[1] indicate about 1.5-1.7 [2] websites exist.

This would mean letsencrypt certificates make up more than 2/3 of the internet!

[1] [https://www.websitehostingrating.com/internet-statistics-facts/](https://www.websitehostingrating.com/internet-statistics-facts/)

[2] [https://www.internetlivestats.com/total-number-of-websites/](https://www.internetlivestats.com/total-number-of-websites/)

Edit: Sounds like these include renewals from the thread, but it’s still over
10pct of the internet!

~~~
icedchai
It sounds like a billion certificates includes renewals, so not anywhere close
to 2/3rds.

~~~
jaas
This is correct. We currently serve about 195 million websites, where website
is defined as a unique Fully Qualified Domain Name.

~~~
DonHopkins
Not only that, but you also made a profit of zero billion dollars!!! ;) Thanks
for such a valuable public service.

[https://www.youtube.com/watch?v=cKKHSAE1gIs](https://www.youtube.com/watch?v=cKKHSAE1gIs)

~~~
johnchristopher
I'd gladly pay a dollar a year to use the service (not a dollar a year per
certificate).

~~~
penagwin
They do accept donations!

[https://letsencrypt.org/donate/](https://letsencrypt.org/donate/)

Disclaimer: not affiliated but if you want to support a non-profit that's the
best way to do it :)

------
vuln
How many were issued to phishing/malvertising/malicious sites?

------
denkmoon
If you're interested in running your own CA (e.g. for .lan, and not having to
deal with dozens of self signed certs) and want the benefits of ACME,
smallstep (step-ca) makes this really easy.

Unfortunately lots of user interfaces don't support setting a custom ACME
directory (the clients mostly do, but both pfsense and proxmox require
fiddling to get your custom CA working via the web UI), but it's getting
better.

------
simonblack
I converted my website from http to https last weekend.

Many thanks to LetsEncrypt with CertBot for making it pretty much painless.

------
coryfklein
And of course the first few pages (or 20%) of the comments are about Wikimedia
budgets lol.

------
cloudking
Thanks for saving us so much money and making the web more secure!

------
zck
What was the billionth one issued? It's a long shot, but my website had its
certificate renewed today, and it would be cool to find out if I had the
billionth one.

------
lerie1982
Thank you for your service

------
totaldude87
Keep doing what you are doing.. ;)

------
burnJS
Thank you!

------
justlexi93
Would be interesting to know how many of those billion+ are flat out
bad/malicious.

------
LoSboccacc
well yeah they expire like milk

------
musicale
...and only 90% of those certs went to
[https://login.yourbanknamehere.com.secure-password.asp.net.t...](https://login.yourbanknamehere.com.secure-password.asp.net.totally.legit.phishing-site.download.example)

