November 20th, 2024

Let's Encrypt is 10 years old now

Let’s Encrypt is a free certificate authority that simplifies obtaining SSL/TLS certificates through an automated process, supported by major organizations to enhance internet security and privacy for all users.


Let’s Encrypt is a free certificate authority established by the Internet Security Research Group (ISRG) to promote widespread use of SSL/TLS encryption on the internet. The initiative addresses the challenges associated with obtaining server certificates, which can be costly, confusing, and cumbersome to manage. By providing a straightforward, one-click process for acquiring certificates, Let’s Encrypt aims to simplify the transition to secure communications for all domain owners. The project is supported by major organizations including Mozilla, Cisco, and the Electronic Frontier Foundation, and is designed to be free, automatic, secure, transparent, open, and cooperative. The goal is to make TLS encryption accessible to everyone, thereby enhancing internet security and privacy. The automated system ensures that certificate issuance and renewal are seamless, allowing users to focus on their services without the burden of manual certificate management. Let’s Encrypt is part of a broader movement to create a more secure and privacy-respecting web.

- Let’s Encrypt provides free SSL/TLS certificates to domain owners.

- The certificate issuance process is automated and user-friendly.

- Major tech organizations support the initiative to enhance internet security.

- The project emphasizes transparency and open standards in its operations.

- Let’s Encrypt aims to make secure communications universally accessible.

23 comments
By @mrtksn - about 2 months
Hands down one of the greatest services out there, stopped a racket and made the internet secure.

I remember a time when having an HTTPS connection was for "serious" projects only because the cost of the certificate was much higher than the domain. You go commando and if it sticks then you purchase a certificate for 100 bucks or something.

By @jaas - about 2 months
We consider our ten year anniversary to be in 2025 but I appreciate the kind words here!

Today is roughly the ten year anniversary of when we publicly announced our intention to launch Let's Encrypt, but next year is the ten year anniversary of when Let's Encrypt actually issued its first certificate:

https://letsencrypt.org/2015/09/14/our-first-cert/

In December of 2015 (~9 years ago today) it was made available to everyone, no invitation needed:

https://letsencrypt.org/2015/12/03/entering-public-beta/

By @pests - about 2 months
It feels like just yesterday I was paying for certs, or worse, just running without.

Can't believe it's been ten years.

By @account42 - about 2 months
I'm kinda mixed on LE.

It's nice that you can now get free TLS certs without having to resort to shady outfits like StartSSL. This allows any website to easily move to HTTPS, which has basically eliminated sensitive data (including logins) from being sent over unencrypted connections.

On the other hand, this reinforces the inherently broken trust model of TLS certificates where any certificate authority (and a lot of them are controlled by outright hostile entities) has the ability to issue certificates for your domain without your involvement. Yes there are tons of kludges to try and mitigate this design flaw (CAA records, certificate transparency) but they don't 100% solve the issue. If not for LE perhaps there would have been more motivation to implement support for a saner trust mechanism by now that limits certificate issuance to those entities who actually have any authority to decide over domain ownership, like with DNSSEC+DANE.

I'm also concerned with the (intentional) lack of backwards compatibility with moving sites to TLS, which is not just a one time TLS on/off issue but a continual deprecation of protocols and ciphers. This is warranted for things that need to be secure like banking or email but shouldn't really be needed to view a recipe or other similar static and non-critical information. Concerns about network operators inserting ads or other shit are better solved with regulation.

By @selectnull - about 2 months
What I'm most thankful for is the ACME protocol.

Does anyone remember how we renewed certificates before LE? Yeah, private keys were being sent via email as zip attachments. That was a security charade. And as far as I know, it was a norm among CAs (I remember working with several).

Thank you Let's Encrypt.
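
The comment above contrasts ACME with the old practice of emailing private keys around. The following is an added example (not code from Let's Encrypt, certbot, or this thread) showing, with the standard library only, what an ACME client actually publishes to prove control of a name: a key authorization derived from the RFC 7638 thumbprint of the account's public key (RFC 8555 section 8). The account JWK and the token below are constructed placeholders, not a real key pair or a real challenge.

```python
"""
How an ACME client proves control of a name (RFC 8555 section 8) using the
JWK thumbprint of RFC 7638, standard library only.  Added example: not
code from Let's Encrypt, certbot, or this thread.  The account key below is
a constructed placeholder, not a real key pair.
"""
import base64
import hashlib
import json
from typing import Dict, Tuple

# Public members that enter the thumbprint, per key type (RFC 7638 section 3.2).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed account key: the coordinates are placeholders, not a valid point.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-base64url",
    "y": "placeholder-y-coordinate-base64url",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members only, serialised
    with members in lexicographic order and no whitespace.  Private members
    such as 'd' and metadata such as 'kid' never enter the hash."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint.
    The CA-issued token is bound to the account's public key; the private
    key is only ever used locally, to sign the ACME requests."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """RFC 8555 section 8.3: the path the CA fetches and the exact body it expects."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: TXT record at _acme-challenge.<name> carrying
    base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


if __name__ == "__main__":
    # Constructed token, same shape as the ones in the RFC 8555 examples.
    token = "constructed-token-Dt3juxGJ-PCt92wr-oA"
    path, body = http01_challenge(token, ACCOUNT_JWK)
    print("HTTP-01  GET", path)
    print("         expected body:", body)
    print("DNS-01   _acme-challenge TXT:", dns01_txt_value(token, ACCOUNT_JWK))
```

Everything the CA sees (the token, the thumbprint, the TXT digest) is derived from the public half of the account key, which is why an ACME client has no reason to ever export the private key, let alone attach it to an email.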

By @gloosx - about 2 months
I really wish something like this comes up for the desktop certification world as well. Microsoft just went full insane mode with their current requirements, and their certificate plugs are making more money than ever without lifting a finger.

So funny that all of their security, vetting and endless verifications are standing on a single passport photo sent over an email to this day.

By @brchr - about 2 months
Peter Eckersley (1978-2022) was posthumously inducted into the Internet Hall of Fame for his founding work on Let’s Encrypt. The Internet is a better place because of Peter (and his many collaborators and colleagues).

By @computergert - about 2 months
Coincidentally I just got an email from a potential client, Dutch governmental institution, that they don’t want me to use Letsencrypt. They prefer paying for a certificate themselves. Not sure why, apparently they don’t trust it.
By @CarpaDorada - about 2 months
A lot of people are not aware that HTTPS certificates do not necessarily guard you from certain types of attacks like DNS injection. You can see <https://www.youtube.com/watch?v=exy5JwAU8qk> for one example where an attack campaign called DNSPionage obtained valid certificates for their attacks.

To explain the issue with HTTPS certificates simply, issuance is automated and rests on the security of DNS, which is achieved via DNSSEC and most do not implement.
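
Two comments above mention CAA records as the (partial) mitigation for the fact that any CA can issue for any name, and that issuance ultimately rests on DNS. As an added example (not code from Let's Encrypt or from this thread), the following Python implements the check a CA performs under RFC 8659: climb from the requested name to the closest ancestor that has CAA records, then decide whether the named issuer is authorised, with the separate `issuewild` rule for wildcard names and the "issuer critical" flag. It goes slightly beyond the thread by also honouring the `validationmethods` parameter of RFC 8657, which lets a zone restrict issuance to a specific ACME challenge type. The `ZONE` dictionary is constructed data standing in for a DNS lookup; the domain names and issuer names in it are illustrative.

```python
"""
CAA evaluation per RFC 8659 (plus the 'validationmethods' parameter of
RFC 8657).  Added example; not Let's Encrypt's or any CA's code.  ZONE is
constructed data that stands in for real DNS resolution.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CRITICAL = 0x80                 # "issuer critical" bit of the CAA flags field
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data: FQDN -> its CAA RRset (names and issuers are illustrative).
ZONE: Dict[str, List[CAARecord]] = {
    "example.com.": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # A child that overrides the parent: one other CA, and no wildcards at all.
    "shop.example.com.": [
        CAARecord(0, "issue", "digicert.com"),
        CAARecord(0, "issuewild", ";"),
    ],
    # RFC 8657: only issue if the ACME dns-01 challenge was used.
    "api.example.com.": [
        CAARecord(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
    ],
    # A bare ";" authorises nobody.
    "locked.example.com.": [CAARecord(0, "issue", ";")],
    # An unknown property with the critical flag set must block issuance.
    "beta.example.com.": [CAARecord(CRITICAL, "futureprop", "x")],
}


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: the CAA RRset of the name itself, else that of the
    closest ancestor which has one; an empty result means no restriction."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        fqdn = ".".join(labels) + "."
        if zone.get(fqdn):
            return fqdn, zone[fqdn]
        labels = labels[1:]
    return None, []


def parse_issuer_value(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'issuer-domain; key=value; ...' into the domain and its parameters.
    An empty domain (the value ';') authorises nobody."""
    domain, _, rest = value.partition(";")
    params: Dict[str, str] = {}
    for item in rest.split(";"):
        key, sep, val = item.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip()
    return domain.strip().lower(), params


def may_issue(name: str, issuer: str, zone: Dict[str, List[CAARecord]] = ZONE,
              method: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for issuing a certificate for `name` to `issuer`.
    `method` is the ACME challenge type used, e.g. 'http-01' or 'dns-01'."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name          # CAA is looked up on the base name
    origin, rrs = relevant_rrset(lookup, zone)
    if not rrs:
        return True, f"no CAA records for {lookup} or any parent: unrestricted"
    for rr in rrs:                                   # RFC 8659 section 4.1.1
        if rr.flags & CRITICAL and rr.tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{rr.tag}' at {origin}"
    tag = "issue"                                    # RFC 8659 section 4.3: issuewild,
    if wildcard and any(rr.tag.lower() == "issuewild" for rr in rrs):
        tag = "issuewild"                            # if present, governs wildcards
    governing = [rr for rr in rrs if rr.tag.lower() == tag]
    if not governing:
        return True, f"no '{tag}' property at {origin}: unrestricted"
    for rr in governing:
        domain, params = parse_issuer_value(rr.value)
        if domain != issuer.lower():
            continue
        allowed = params.get("validationmethods")    # RFC 8657 parameter
        if allowed and (method is None or method not in allowed.split(",")):
            continue
        return True, f"{origin} {tag} authorises {issuer}"
    return False, f"{origin} {tag} records do not authorise {issuer}"


if __name__ == "__main__":
    for name, ca, method in [("www.example.com", "letsencrypt.org", None),
                             ("*.shop.example.com", "digicert.com", None),
                             ("api.example.com", "letsencrypt.org", "http-01"),
                             ("beta.example.com", "letsencrypt.org", None)]:
        ok, why = may_issue(name, ca, method=method)
        print(f"{'ALLOW' if ok else 'DENY':5} {name:22} {ca:16} {why}")
```

Note what the check does and does not buy you: a zone owner can narrow which CAs (and which challenge types) may issue, but the CA still learns the CAA RRset through DNS, so without DNSSEC an attacker who can forge the DNS responses the CA sees can also hide the restriction, which is exactly the gap the second comment above points at.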

By @lambdaone - about 2 months
Let's Encrypt is a massive achievement, and is now essential infrastructure.

Basing it on an open protocol, so it doesn't become a single point of failure, was a clever idea that allows the idea to survive the demise of any single organization.

May there be many more such anniversaries.

By @INTPenis - about 2 months
Config management took me many years to adopt, containers took me about 6 years to warm up to. But LE was something I jumped on immediately. I had worked in web hosting for 10 years already when it came out so I remember faxing your driver's license in order to validate a TLS cert. It just felt like such a scam for so long that these CAs were over charging for something that is just a key signing.

But I guess automation and standards had to catch up in order for LE to securely setup their CA.

By @bigtex - about 2 months
Let's Encrypt helped reduce our OUTRAGEOUS Entrust bill (legacy vendor, I didn't pick them, they had insane security protocols for a small company who just needed SSL certs). We had a 4 yr/$14k contract for about 11 certs. Now our SSL is near 0, except for a cert for SSRS that is hard to automate with LE.

By @pplonski86 - about 2 months
Let's encrypt saved me :) I love to use it with certbot in docker-compose :) deploying really can be simple

By @KronisLV - about 2 months
Here’s to 10 more years! With web servers like Caddy, software like certbot and even something like Apache2 getting mod_md, I’d say we’re in a pretty good spot!

That said, I’m wondering why there aren’t 10 or so popular alternatives to LE, since that seems to be the landscape for domain registrars, for example.

By @xnx - about 2 months
Are there any areas today similar to the SSL of 10 years ago that a service like Let's Encrypt could remedy? I see a lot of subscription apps that could pretty easily be replaced by free, non-subscription, ones, but I don't know of anything that widespread.

By @stephenr - about 2 months
I really wish they would finally branch out and offer S/MIME certificates. Good email clients support them out of the box, it's just a PITA to get them if you don't want to order 100 at a time or something equally ridiculous for SME/individuals.

By @kome - about 2 months
thank you Edward Snowden

By @aurareturn - about 2 months
People talk about paying for certificates but one major pain point solved by PaaS companies over the last 5 years is automatically adding certificates and renewing them for your app deployments. It saves a huge amount of headache.

In 2024, if your PaaS does not have automated encryption for deploys, I will never use it.

By @lakomen - about 2 months
Time flies when you're having fun. Congratulations

By @_0xdd - about 2 months
Such an awesome service (and protocol!)

By @Havoc - about 2 months
Reminder that they are donation dependent

By @wannacboatmovie - about 2 months
Nothing makes me trust a site with my payment info more than seeing a LE or domain-validated certificate with no ownership details in the DN.