How Big is Let’s Encrypt

Category : security

print

I have looked into this some time ago, when I researched the global market of web encryption. I used market research reports and arrived to the number of 80%. This time, I had a look at the data from KeyChest monitoring.

The 80% figure in my blog post https://dan.enigmabridge.com/lets-encrypt-in-the-spotlight/ was based on predictions from Frost&Sullivan and other market research reports and actual volume of certificates issued by Let’s Encrypt.

This time, I have analyzed 500,000 certificates from the database of KeyChest.net. I have looked at the numbers of all certificates that KeyChest pulls from CT (certificate transparency) logs and also at data of server audits. The two datasets differ as we request more certificate than we actually use – especially when they are free. When I query our CT (certificate transparency) database directly, I can see large numbers of duplicates, but it’s non-trivial to eliminate the effect of CDNs (content delivery networks). The data from actual audits of web services show how important this aspect is.

Anyway, I had worked for large enterprises and I was curious. An enterprise is still unlikely to use Let’s Encrypt but how successful are “enterprise trusted” names elsewhere. And it’s pretty bad for some names I believed to be market leaders.

Let me start with some simple but nevertheless interesting stats around algorithms and key length. The data is for domains audited by KeyChest.

Algorithms and key length

RSA 4,096 bits12%
RSA 2,048 bits68%
RSA 1,024 bits2%
ECC 256bits15%
ECC 384bits0.8%

Personally, I’m surprised by the large use of elliptic curve (ECC) certificates, which I’d expect to be less than 5%. So well done to all the admins who optimize their servers for faster encryption.

Types of certificates

self-signed certificates1.2%
extended validation certificates (EV)4.8%
organization validation certificates (OV)20.5%
domain validation certificates (DV)73%
  • Cloudflare certificates: 15%
  • Wildcard certificates: 22%

What you can start seeing from this is the role of CDNs, and especially Cloudflare among KeyChest users. Cloudflare would have OV certificates, which means that when we take those away, only organizations are more likely to use the most expensive EV certificates than OV certificates.

KeyChest is a web service for safe use of encryption. It monitors certificate expiry. It is free unless you want real-time notifications, more detailed reports, or user management. Support our INDIEGOGO campaign to make a difference.

I’m finally getting to the results of the main excercise – how big is Let’s Encrypt. It is not 80% but it’s still majority of all certificates that KeyChest pulled from CT logs.

Main trust providers / issues of certificates of KeyChest users – all issued certificates

There are some unexpected entries there (cPanel) but in general – there are basically 2 leaders in the market – Let’s Encrypt for free, short term certificates that we are using on our web servers. COMODO used by main CDNs. GlobalSign and Digicert are sharing the market of “end user organizations” with COMODO.

Let’s have a look at the data from actual audits of servers. I have done two samples, one for all audits in the database of KeyChest (since Q3 2017) and a sample of audits executed over the last 3 months.

Trust providers issuing certificates detected on servers.

The main number here is the increase of Let’s Encrypt – from 33.1% to 38.8%. Another interesting point is that COMODO is back in line with other commercial issuers – something that most likely reflects how CDNs use certificates. My experience is that the number of certificates issued for CDNs is much higher than what can be see on CDN servers (although we are limited by the use of only a couple of DNS servers we use to resolve domain names to IP addresses).

Some interesting numbers. Certainly well done to Let’s Encrypt, which seems to keep getting new customers as old long-validity certificates expire. The figure is much less than 80% I arrived at previously. The main reason is the rise of COMODO due to its strategic targeting of CDNs – as well as low cost for small users.


Leave a Reply