Slashdot Mirror


Let's Encrypt Hits New Milestone: Over 100,000,000 Certificates Issued (letsencrypt.org)

Josh Aas, the executive director of Internet Security Research Group (ISRG), writing for Let's Encrypt: Let's Encrypt, a free, automated, and open certificate authority, has reached a milestone: we've now issued more than 100,000,000 certificates. This number reflects at least a few things: First, it illustrates the strong demand for our services. We'd like to thank all of the sysadmins, web developers, and everyone else managing servers for prioritizing protecting your visitors with HTTPS. Second, it illustrates our ability to scale. I'm incredibly proud of the work our engineering teams have done to make this volume of issuance possible. I'm also very grateful to our operational partners, including IdenTrust, Akamai, and Sumo Logic. Third, it illustrates the power of automated certificate management. If getting and managing certificates from Let's Encrypt always required manual steps, there is simply no way we'd be able to serve as many sites as we do. The total number of certificates we've issued is an interesting number, but it doesn't reflect much about tangible progress towards our primary goal: a 100% HTTPS Web.

2 of 164 comments

  1. Re:Value? by Anonymous Coward · · Score: 5, Informative

    I'm not that poster, but I do have to look after a lot of servers with sites that have letsencrypt certs.

    Basically it requires the same level of domain validation as any standard, non-EV cert (including revocations) and provides the same level of protection for on-the-wire data interception, with the disadvantage that certs are only issued for 90 days instead of 1+ years.

    Look here for an overview of the process; it's pretty simple and the same as any other non-EV cert:
    https://letsencrypt.org/how-it-works/

  2. Re:Value? by Junta · · Score: 5, Insightful

    The point being you connect to http, and no worries, it's all cool. It's warm and fuzzy and not at all something to fret about.

    You connect to https with self-signed cert, *IT'S THE END OF THE WORLD*, you are horribly insecure, it's dangerous, you shouldn't even *try* to talk to the server, if you really want to you should click through 2 or 3 dialogs, and also you should be forced to do that every time you reconnect to the same server, without even a hint of whether the certificate changed from last time.

    It's just such a strange disconnect. I have seen web server operators opt to prefer http rather than https so as not to scare off users, even if they may be handling potentially sensitive information.

    Self-signed certs should be treated more like ssh keys in general.

    --
    XML is like violence. If it doesn't solve the problem, use more.
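
Handling self-signed certificates "like ssh keys", as the comment above suggests, means trust on first use: remember the certificate's fingerprint the first time a host is seen and flag any later change. The sketch below is an added example, not part of the thread or of any browser's code; `PinStore`, `known_certs.json` and `intranet.example` are hypothetical names, and the two byte strings are constructed stand-ins for DER certificates so the demo runs offline.

```python
import hashlib, hmac, json, os, socket, ssl, tempfile

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without CA validation; the stored pin is the trust anchor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class PinStore:
    """known_hosts-style store (hypothetical): {"host:port": fingerprint} in a JSON file."""
    def __init__(self, path: str):
        self.path, self.pins = path, {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, host: str, port: int, der: bytes) -> str:
        """Return 'first-use', 'match' or 'CHANGED'; a changed cert is never auto-accepted."""
        key, seen = f"{host}:{port}", fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = seen
            self._save()
            return "first-use"
        return "match" if hmac.compare_digest(pinned, seen) else "CHANGED"

    def _save(self) -> None:
        tmp = self.path + ".tmp"          # write then rename so the store is never half-written
        with open(tmp, "w") as f:
            json.dump(self.pins, f, indent=2)
        os.replace(tmp, self.path)

def demo() -> list:
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"  # constructed sample input
    path = os.path.join(tempfile.mkdtemp(), "known_certs.json")
    store = PinStore(path)
    results = [store.check("intranet.example", 443, c) for c in (cert_a, cert_a, cert_b)]
    # A fresh process reloading the file still sees the original pin.
    results.append(PinStore(path).check("intranet.example", 443, cert_b))
    return results

if __name__ == "__main__":
    print(demo())
```

Against a live server, pass `fetch_der(host)` as the `der` argument; replacing a pin after a `CHANGED` result should be a deliberate manual step, as it is with `known_hosts`.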