Technical Beauty — Episode 29
Before 2015, HTTPS was a luxury. A domain-validated certificate cost up to $50 per year. Extended validation: $1,500. Renewal was manual: generate a CSR, email it to a certificate authority, wait for human approval, download the certificate, install it, configure the web server, set a calendar reminder to do it all again in twelve months.
Then four people decided this was absurd.
The People
Josh Aas and Eric Rescorla at Mozilla. Peter Eckersley at the Electronic Frontier Foundation. J. Alex Halderman at the University of Michigan. They met at RSA Conference 2012, merged their parallel efforts in 2013, and issued the first certificate on 14 September 2015.
Peter Eckersley died in September 2022. He was 43. He co-designed the ACME protocol that made all of this possible. The internet is encrypted in large part because of him.
The Numbers
700 million websites. 10 million certificates issued per day. Firefox HTTPS traffic: from 39% in 2016 to 80% today. One billion certificates by 2020. Cost to the user: precisely zero. For ten years.
The Reduction
The ACME protocol automated what took a week of emails and three pages of documentation. acme-tiny implements the entire client in fewer than 200 lines of Python. Certbot does it in one command:
certbot certonly --webroot -w /var/www -d example.com
One line. Free certificate. Automatic renewal. No human involved.
Caddy took it further: zero lines. Point it at a domain, it fetches the certificate on the first request, renews it automatically, configures TLS. No certbot. No cron. No configuration at all.
The previous process: generate key, create CSR, submit to CA, verify domain via email, receive certificate, concatenate chain, configure server, restart, set reminder for 365 days. Let's Encrypt reduced ten steps to a cron job. Caddy reduced the cron job to nothing.
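What the `--webroot` flow in the certbot command above automates, as an added example (not code from the article, certbot or acme-tiny): building the http-01 challenge response defined in RFC 8555 and the path it is served from. The account key, the token and the helper names are constructed for illustration.

```python
import base64, hashlib, json, re
from pathlib import Path

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

# Members that enter the thumbprint, per key type (RFC 7638).
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    # Canonical form: required members only, sorted names, no whitespace.
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

def challenge_file(webroot: str, token: str, jwk: dict) -> tuple[Path, str]:
    """Return (path, body) for the http-01 response (RFC 8555 section 8.3)."""
    # The token arrives from the network and ends up in a file path,
    # so accept only base64url characters: no '/', no '.', no empty value.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url")
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    # Body is the key authorization: token, a dot, the account key thumbprint.
    return path, f"{token}.{jwk_thumbprint(jwk)}"

if __name__ == "__main__":
    # Constructed sample values, not a real account key or CA token.
    jwk = {"kty": "EC", "crv": "P-256",
           "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    path, body = challenge_file("/var/www", "constructed-token_0123", jwk)
    print(path)
    print(body)
```

The CA fetches that path over plain HTTP on port 80 and compares the body with the value it computes from the account key, which is why the client never emails anyone and why the webroot directory must be writable by the client only.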
The Point
Let's Encrypt did not improve the certificate industry. It made it irrelevant. The complexity was never inherent to the problem. It was inherent to the business model. The moment someone removed the profit motive, the entire process collapsed into a single command.
700 million websites. Ten years. Zero pounds.
Read the full article on vivianvoss.net →
By Vivian Voss — System Architect & Software Developer.