Vivian Voss

Read on LinkedIn

Let's Encrypt

security web

Technical Beauty ■ Episode 29

Before 2015, HTTPS was a luxury. A domain-validated certificate cost up to $50 per year. Extended validation: $1,500. Renewal was manual: generate a CSR, email it to a certificate authority, wait for a human to approve it, download the certificate, concatenate the intermediate chain (in the correct order, naturally, because reversing it produces an error message that mentions neither chains nor order), install it on the web server, restart the server, and set a calendar reminder to do the entire thing again in twelve months. Miss the reminder by a day and your visitors see a full-page browser warning that makes your website look like a phishing operation.

This was the state of affairs for the first twenty-five years of the commercial web. Encryption was available, technically, in the way that first-class air travel is available: it exists, it works, and the pricing ensures that most people walk past it.

Then four people decided this was absurd.

The People

Josh Aas and Eric Rescorla at Mozilla. Peter Eckersley at the Electronic Frontier Foundation. J. Alex Halderman at the University of Michigan. They met at RSA Conference 2012, discovered they were independently working on the same problem, and merged their efforts in 2013. The Internet Security Research Group was incorporated in May 2013. The first certificate was issued on 14 September 2015.

The idea was straightforward: if you can prove you control a domain, you should be able to get a certificate for it. Instantly. For free. Without emailing anyone. Without paying anyone. Without involving a human at any point. The certificate authority business had spent two decades charging money for a process that could be fully automated. The four of them automated it.

Peter Eckersley died in September 2022. He was 43. He co-designed the ACME protocol that made all of this possible. The internet is encrypted in large part because of him. One suspects he would have found the tribute somewhat excessive and the protocol insufficiently documented. Both observations would have been correct.

The Numbers

Let's Encrypt: Ten Years 700M websites and counting 10M/day certificates issued every single day 0 pounds sterling for ten years 39% → 80% Firefox HTTPS traffic (2016 to 2026) from minority to default 1 billion certificates by February 2020 four and a half years after launch Sources: letsencrypt.org/stats, letsencrypt.org/2025/12/09/10-years, threatshub.org

700 million websites. 10 million certificates issued per day. Firefox HTTPS traffic: from 39 per cent in 2016 to 80 per cent today. One billion certificates by February 2020, four and a half years after launch. Cost to the user: precisely zero. For ten years.

The commercial certificate authorities charged money for domain validation. Let's Encrypt proved that domain validation is a technical problem, not a commercial service. The difference between a $50 certificate and a free one is not quality. It is not security. It is not trustworthiness. It is a business model. The certificate is cryptographically identical. The only thing the money bought was the privilege of doing manually what a machine does in seconds.

The Protocol

The ACME protocol (Automatic Certificate Management Environment, now IETF RFC 8555) is what makes the automation possible. The idea is elegant in its simplicity: the client proves domain control by placing a file at a predictable URL, the CA verifies the file exists, and issues the certificate. No emails. No humans. No waiting. The entire handshake is machine-to-machine, and the specification is short enough to read over lunch.

acme-tiny implements the entire ACME client in fewer than 200 lines of Python. Two hundred lines. The complete protocol interaction: account registration, domain verification, certificate signing request, certificate retrieval. Two hundred lines of Python replace what was previously a week of emails, three pages of documentation, and a calendar reminder that you would inevitably ignore until your monitoring system told you the certificate had expired yesterday.

The Reduction

The previous process, for those fortunate enough never to have experienced it:

  1. Generate a private key (openssl genrsa)
  2. Create a Certificate Signing Request (openssl req)
  3. Submit the CSR to a certificate authority via a web form
  4. Receive an email asking you to verify domain ownership
  5. Click a link in the email
  6. Wait for the CA to process the request (hours to days)
  7. Download the certificate and the intermediate chain
  8. Concatenate them in the correct order
  9. Configure the web server to use the certificate and key
  10. Restart the web server
  11. Set a calendar reminder for 365 days
  12. Forget the calendar reminder
  13. Discover the certificate expired when customers complain

Let's Encrypt reduced steps 1 through 13 to:

certbot certonly --webroot -w /var/www -d example.com

One line. Free certificate. Automatic renewal via cron. No human involved at any point. The calendar reminder is replaced by a cron job that runs twice daily and does nothing unless the certificate is within 30 days of expiry. The system operator's involvement is zero after the initial setup. Zero.

The Reduction Before (2015) 13 manual steps hours to days Certbot 1 command seconds Caddy 0 commands automatic Let's Encrypt reduced ten steps to a cron job. Caddy reduced the cron job to nothing.

Caddy took it further: zero lines. Point it at a domain, it fetches the certificate on the first request, renews it automatically, configures TLS, and never mentions it again. No certbot. No cron. No configuration at all. The web server handles encryption the way a light switch handles electricity: you use it without thinking about it, which is precisely the point.

The Point

Let's Encrypt did not improve the certificate industry. It made it irrelevant. The complexity was never inherent to the problem. It was inherent to the business model. Domain validation is a technical verification that a machine performs in seconds. The industry built a manual process around it, charged money for the manual labour, and called it security. The moment someone removed the profit motive, the entire process collapsed into a single command.

This is the pattern that Technical Beauty celebrates: the moment someone looks at an entire industry and realises that the complexity is not protecting anyone. It is billing someone. The certificate was always a few kilobytes of signed mathematics. The fifty dollars bought you an email from a human who verified what a script could verify faster, more reliably, and without taking weekends off.

700 million websites. Ten years. Zero pounds.

Rather beautiful, that.

Before 2015, a certificate cost $50 and a week of manual process. Four people at Mozilla, EFF, and the University of Michigan designed the ACME protocol and launched Let's Encrypt. 700 million websites. 10 million certificates per day. Firefox HTTPS from 39% to 80%. The complexity was never inherent to the problem. It was inherent to the business model.