Let's Encrypt is actually encrypting the whole Web

Let's Encrypt (previously) a joint EFF-Mozilla-Linux Foundation project that lets anyone easily create an SSL certificate for free in minutes and install and configure it so that visitors to their Websites will be shielded from surveillance, came out of beta this week, and it's already making a huge difference.

Let's Encrypt certs are now running on 3.8 million websites, with no end in sight. WordPress now automatically creates Let's Encrypt certs for all its users' sites, transforming them from HTTP to HTTPS. At this rate, HTTPS will soon be the default for the whole Web, meaning that mass surveillance, identity theft and many other unsavory practices will be much, much harder.

All of that has led to a noticeable tectonic shift in the layer of encryption unfolding across the web. The 1.8 million certificates Let's Encrypt has issued to 3.8 million websites make it the third-largest certificate authority in the world now, according to Aas, behind Comodo and Symantec. And because 85 percent of those sites never had HTTPS before, it's already significantly boosted the total fraction of sites that are encrypted on the web as a whole. Based on numbers Mozilla gathers from Firefox users, encrypted sites now account for more than 42 percent of page visits, compared with 38.5 percent just before Let's Encrypt launched. And Aas says that number is still growing at close to one percent a month. "For the web, that's a rate of change that you don't usually see," he says. "A lot of us have our eyes on that 50 percent mark."

Let's Encrypt's free and automated HTTPS certification is designed to make it easy for individuals without technical expertise or resources to encrypt their sites. But its automation also helps big companies trying to roll out HTTPS to a large number of customers. WordPress, for instance, announced just last week that all WordPress sites with custom URLs will now be encrypted by default using Let's Encrypt's certificates. And that automation is set to get more sophisticated in the coming months, says Peter Eckersley, a technologist with the Electronic Frontier Foundation, which has helped to create and maintain the Let's Encrypt certification software. Upcoming versions, he says, will be capable of more detailed configurations—geekier tasks like making sure the certificate properly displays its expiration date to browsers and uses the most secure encryption algorithms. "We want to not only get a certificate and install it for you, but also deal with all the behind the scenes settings to get things right and have HTTPS actually be secured," Eckersley says.

A Scheme to Encrypt the Entire Web Is Actually Working [Andy Greenberg/Wired]