Securing your self-hosted website with Let’s Encrypt, part 8: more cool things about Let's Encrypt

PHEW! That was a lot of blog posts in just a couple of days, but I wanted to make sure that individual 'topics' had their own URL so people can link to the bit that they find more interesting and ignore everything else.

To finish, I would like to present together a number of interesting and cool facts about Let's Encrypt which I omitted before because they were not directly related to using it.

Everything about Let's Encrypt is open source

I'm pretty sure I mentioned this at some point, but I think this is really huge and worth reiterating.

To date, digital certificate issuing has been a sort of exclusive niche that only a few run and only a few could afford. Making this available to everyone and also making the internals available to everyone not only democratises the Web again, but also subjects Let's Encrypt to a higher level of scrutiny than traditional certificate authorities.

Way more eyes on the source code means better code and better systems.

If you don't like their client, you can use other clients (or write your own) that use their protocol, ACME

Because the server and the client are decoupled, you are free to use whatever client you like. You can even write a client that you like better. Or augment existing servers with automatic HTTPS abilities, like the Caddy server.

Compare this to having to use a website to get a certificate, and then if you want to get a certificate from a different authority, you need to learn the website for that different authority, with all the obscure oddities each authority has.

The ACME protocol is being standardised

This means that it will be defined very clearly and it will have a nice 'seal' and version numbers, etc. Doesn't it sound very traditional and processy? And do you know who likes process a lot? Traditional companies.

So maybe sometime in the future traditional certificate authorities will implement the ACME protocol for getting certificates from their servers. Instead of interacting with their website, you could keep using the Let's Encrypt client but point it to the traditional certificate authority's server, instead of the default, with an additional command line parameter.

And this would make the process less horrible and debilitating :-D

Numbers! Metrics!

Some people won't even take your suggestions seriously until you show them 'metrics'. So I'm happy to oblige:

  • The public beta started sometime in September 2015
  • In December 2015, Let's Encrypt was the 4th worldwide certificate issuer already (THE FOURTH!!!!!!!!!!!!!)
  • As of March 2016, one million certificates have been issued! (ONE MILLION!!!!!!!!)
  • Many of those domains have never used HTTPS before

Source: this ultra great talk by my colleague April King: introduction to Let's Encrypt.

Let's Encrypt is not the answer to all your certificate needs, but...

But it is enough for most websites. And they are working on getting even better, with plans to overcome some of the limitations and make it possible to encrypt things that so far are not being encrypted, such as email, chat, etc.

If you like the work they are doing, and you can, you should donate. Help keep the web open to all!

To another million certificates and more! 🙌🏼