How Let's Encrypt made the internet safer and HTTPS standard - and free


In 1996, I registered my first website, Vaughan-Nichols & Associates. After setting up the site, one of the first things I did was to secure connections with a Secure Sockets Layer (SSL) certificate. The then-new security network protocol provided an encrypted connection and a digital certificate that authenticates a website's identity. 

SSL was then, and is now, the minimum security a safe website should provide to its users. The protocol was also a major pain to set up and expensive to boot. It was to address those issues that Let's Encrypt was born.


While everyone recognized that HTTPS was vital to secure users' web connections and essential for e-commerce sites, almost no one was using it back then. According to internet security expert Scott Helme, only 6.71% of the million most popular websites were using the security protocol. That was pathetic.

Worse still, evidence was mounting that insecure web connections would lead to security breaches. What a surprise, right? Unfortunately, no one wants to pay for security until they trip and fall into a security hole. For many users, that day came in 2010 when Firesheep demonstrated how easy it was to snoop on anyone's Wi-Fi connection. It was clear then that the only way to have reliable security was for every website to be encrypted.


The problem was how to make the process easy, simple to install, and cheap so that people would finally adopt HTTPS. Then, as now, there were three significant types of SSL certificates (SSL has since been superseded by Transport Layer Security, TLS). 

These types are Domain Validation (DV) certificates, basic certificates that prove control of a single domain; Organization Validation (OV) certificates, which verify both that the applicant owns the domain and that they represent a legitimate business or entity; and Extended Validation (EV) certificates, which are designed to provide users with the most rigorous verification of a website's identity and are intended for organizations that need to establish maximum trust, such as banks, financial institutions, and e-commerce platforms. In 2015, EV certificates could cost as much as $1,500 a year, and even a DV certificate would run you as much as $50 annually. 

To address both the cost and technical issues, the idea for Let's Encrypt took root in 2012 among technologists at Mozilla, the Electronic Frontier Foundation (EFF), and the University of Michigan. They recognized that the barriers to HTTPS, cost, complexity, and manual processes were preventing widespread adoption. They wanted a web where every site could be encrypted, by default, at no cost.

In May 2013, these collaborators formally established the Internet Security Research Group (ISRG) as the nonprofit home for Let's Encrypt and other public benefit digital infrastructure projects. The ISRG's nonprofit status was crucial for prioritizing transparency, public service, and the absence of profit motives. 

As Josh Aas, the ISRG's executive director, said at the time, the goal was to make "Encryption … the default for the web. The web is a complicated place these days; it's difficult for consumers to be in control of their data. The only reliable strategy for making sure that everyone's private data and information is protected while in transit over the web is to encrypt everything. Let's Encrypt simplifies this."


The ISRG technical team, drawing on expertise from Mozilla, EFF, and partners such as Cisco and IdenTrust, began developing the core software and infrastructure. Their goal was to automate every step of certificate issuance, validation, and renewal. This approach was a radical departure from the manual, error-prone processes that were then common. 

The key innovation was the Automated Certificate Management Environment (ACME) protocol, which enabled servers to request, install, and renew certificates automatically. ACME simplifies certificate issuance, renewal, and revocation with JSON-formatted messages over HTTPS. This protocol, later standardized by the Internet Engineering Task Force (IETF), became the backbone of Let's Encrypt's automation.
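To make the automation concrete, here is a toy model of the exchange ACME clients and the CA carry out for the HTTP-01 challenge (RFC 8555 section 8.3), including the RFC 7638 JWK thumbprint that ties each challenge to one account key. This is an added example and not code from Let's Encrypt, Boulder, or certbot; the account keys are constructed placeholder JWKs with made-up `n`/`e` values (the thumbprint arithmetic never decodes them), and the `webroot` dictionary stands in for the document root the CA would fetch from over plain HTTP.

```python
"""Toy model of the ACME HTTP-01 challenge exchange (RFC 8555 section 8.3)
with the RFC 7638 JWK thumbprint that binds a challenge to one account key.

Added example, not Let's Encrypt / Boulder / certbot code. The account keys
are constructed placeholder JWKs with made-up 'n'/'e' values; nothing here
decodes them, so no real key material is needed to exercise the logic.
"""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* members only,
    lexicographically ordered, no whitespace. Optional members such as
    'kid' or 'alg' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


# ----- client side (the web server being certified) ------------------------

def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the client must serve at
    http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def provision_challenge(webroot: dict, domain: str, token: str, account_jwk: dict) -> str:
    """Simulates writing the key authorization into the site's webroot.
    `webroot` is a constructed stand-in for the files served on port 80."""
    path = f"http://{domain}/.well-known/acme-challenge/{token}"
    webroot[path] = key_authorization(token, account_jwk)
    return path


# ----- server side (the CA) -------------------------------------------------

def new_challenge_token() -> str:
    """CA mints a fresh random token (at least 128 bits of entropy) per challenge."""
    return b64url(secrets.token_bytes(16))


def validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA-side check of the body it fetched from the domain over plain HTTP.
    RFC 8555 allows trailing whitespace to be ignored; the comparison is
    constant-time so a partially correct body leaks no timing signal."""
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(served_body.rstrip().encode(), expected.encode())


def run_http01_exchange(domain: str, account_jwk: dict, webroot: dict) -> dict:
    """Full round trip: CA mints token -> client provisions -> CA fetches and
    validates. Returns the artefacts so the caller can inspect them."""
    token = new_challenge_token()
    path = provision_challenge(webroot, domain, token, account_jwk)
    fetched = webroot.get(path, "")  # stands in for the CA's HTTP GET
    return {"token": token, "path": path,
            "valid": validate_http01(fetched, token, account_jwk)}


# Constructed placeholder keys; NOT real RSA parameters.
ACCOUNT_KEY = {"kty": "RSA", "n": "constructed-modulus-A", "e": "AQAB", "kid": "acct-1"}
OTHER_KEY = {"kty": "RSA", "n": "constructed-modulus-B", "e": "AQAB"}


if __name__ == "__main__":
    site = {}
    result = run_http01_exchange("example.com", ACCOUNT_KEY, site)
    print("served at:", result["path"])
    print("validated:", result["valid"])
    # The same token served under a different account key must fail: the
    # thumbprint is what stops one account from claiming another's challenge.
    print("other account:", validate_http01(site[result["path"]], result["token"], OTHER_KEY))
```

The point a practitioner should take from this is that the CA never trusts the client's word: it mints the token, the client proves control by publishing `token.thumbprint` where only the domain's operator can, and the CA fetches and compares. In a real deployment the `webroot` dictionary is a file under the site's document root and the CA's fetch comes from several network vantage points, but the validation logic is the same.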

In November 2014, Let's Encrypt was publicly announced. Its approach quickly garnered support from major technology organizations. It wasn't until September 2015, however, that the first Let's Encrypt certificate was issued, to the domain helloworld.letsencrypt.org. By October of the same year, ISRG made a deal with the established SSL Certificate Authority (CA) IdenTrust so that IdenTrust would vouch for Let's Encrypt's certificate signatures. This step meant the major browsers would now work with Let's Encrypt.


Since then, Let's Encrypt's model, which provides free, automated, 90-day domain-validated certificates, has been embraced by web hosts, content delivery networks (CDNs), and site owners. By removing both cost and complexity, the model democratized web encryption. 

So, why is Let's Encrypt free? As Aas explained in a keynote speech at the Linux Foundation's 2025 Open Source Summit North America, "It's not just the issue of affordability, it's about removing the friction of needing to make any kind of recurring payment of any size we want. There is just no reason not to get a certificate. No need to find a credit card, no need to obtain permission to pay. We don't have to cut you off if your credit card expires. That is really important. Everyone needs security, so we don't want any friction. It's also about making sure that we can provide service everywhere in the world, regardless of our ability to engage in financial transactions in any particular place."

He continued: "We're also open. We're based on open standards of software's open source, and there are a couple of reasons for this. Trust is what makes this whole thing work, and relying as much as possible on open source and open standards is a way to let people understand how our systems work."

Aas added: "Our service is fully automated, and we do this for a few different reasons. First, we need to serve many millions of subscribers efficiently on a modest budget, with a modest amount of staff. Automation is the only way to make this work. The second reason is that automated systems are easier to use when you're trying to deliver security technologies at scale. Ease of use is just critical. People don't want to think about certificates. They shouldn't have to think about certificates. They're just gonna let the computers take care of it. Automated systems are just more reliable and secure. Computers are really good at reliably performing repetitive tasks. People are not, and we make fewer mistakes when we automate everything we can. So over the past 10 years, we've gone from no certificates per day to about seven million certificates per day." 

Let's Encrypt's approach worked. In less than six months, in March 2016, ISRG issued its millionth certificate. By June 2017, the organization had issued its 100 millionth certificate, and in February 2020, it issued its billionth certificate.

The effect on the broader web has been dramatic. The percentage of web pages loaded over HTTPS soared from below 7% a decade ago to 88.1% in 2025.


Of course, you can't give Let's Encrypt all the credit. However, even when it wasn't directly responsible, Let's Encrypt still helped secure the web. For example, in 2014, Google announced that secure sites would receive higher PageRank rankings. That policy change incentivized many sites to implement HTTPS. Then, in 2016, Google began marking sites that didn't use HTTPS as insecure in its Chrome web browser. That move sparked a rush to secure websites. One of the most popular choices was, of course, Let's Encrypt. 

Since then, the ISRG hasn't rested on its laurels. Let's Encrypt's success has inspired the ISRG to expand its efforts to memory safety in critical internet infrastructure software, supporting the use of Rust in the Linux kernel through its Prossimo project. 

Today, Let's Encrypt is woven into the very fabric of the internet. I rarely find a site that doesn't support HTTPS. Without Let's Encrypt, we might still be plagued by insecure web connections. 


While the internet certainly has more than its fair share of security problems, at least we no longer need to worry about our website passwords being swiped when we're connecting via a coffee shop's Wi-Fi network.

Let's Encrypt stands as a testament to what can be achieved when public interest, technical innovation, and industry collaboration align.
