Breaking news
…and more

Let's Encrypt the Web: Interview with Sarah from Let's Encrypt

Let's Encrypt aims at making the Web more secure. Let's Encrypt achieves this by issuing TLS/SSL certificates for free and in the easiest way possible. This makes Let's Encrypt a perfect match for Tutanota as we aim at securing all emails by encrypting them end-to-end automatically.

2019-04-17
Tutanota has implemented support for Let's Encrypt for whitelabel domains to make the issuing and updating of certificates automatic for our users. Let's Encrypt is a great free service run by the Internet Security Research Group (ISRG) with the aim of creating a more secure and privacy-respecting Web. We have asked Sarah from Let's Encrypt why a free certificate authority (CA) was and is necessary and how Let's Encrypt has changed the Web.

Your aim with Let's Encrypt is to make the Internt more secure. Why did you feel there was a need for a free CA when you started three years ago?

HTTPS had been around for 20 years when Let's Encrypt launched, and yet only 39.5% of web page loads were HTTPS. The co-founders of Let's Encrypt realized the only way to bring the Web to 100% encryption was to remove the technical, cost, and availability barriers to adoption and they designed Let's Encrypt to do that. Just three years after our launch, over 78% of Web page loads are HTTPS. We aren't solely responsible for this change, but certainly have contributed to it.

In what way differentiates Let's Encrypt itself in comparison to traditional certificate authorities?

Let's Encrypt offers Domain Validation (DV) certificates, which are cryptographically the same as any other CA. The differences between us and others are shrinking: we offer free certificates and use the ACME protocol, and both of these are increasingly true of other CAs. We are proud to say that we offer certificates in every country in the world, and to our knowledge, we are the only CA to do so. We would be happy to see other CAs provide certificates in every country.

According to you stats your growth rate is pretty impressive, with a substantial growth starting in July 2018. Why do you think the adoption rate is rising so much faster since summer last year?

You found our stats page, my favorite page! Google Chrome rolled out their version 68 in late July and with it, began marking plain HTTP pages as "not secure."

Many large companies and hosting providers knew they needed to switch to HTTPS before this change or a majority of Web users (due to Chrome's prominence) would have a negative experience. Thanks to the availability of free and automated certificates, this mass scale change was possible.

Let's Encrypt is free for anyone and supported by donations only. How well is this business model working, and why do you think a free CA is necessary?

The non-profit model allows us to make decisions that are in the best interest of Web users. It also allows us to collaborate with many different types of organizations; Let's Encrypt was founded by people from Mozilla, the University of Michigan, Cisco, and Akamai. The ability to make our certificates free has been key in encouraging adoption.

Using Let's Encrypt is reckoned to be very secure. Why is that?

We provide certificates that are cryptographically the same as those from other CAs. That said, we have worked hard to provide a reliable and trusted service and strive to be transparent when we make mistakes.

And finally, a bit of tech talk: We had a great experience integrating with Let's Encrypt. Two things helped - the acme4j library, which abstracts all communication away, and the Pebble integration server, which is very well made and had challenged some of our assumptions. What is the purpose of these tools?

Pebble's purpose is documented here. In summary, we wanted something smaller and easier to use than Boulder, specifically to make it easy for integrators and client developers to write end-to-end tests. It's also the place we experiment with new ACME features before moving them to Boulder (e.g. TLS-ALPN-01, ACME v2, etc).

ACME4J was written by a member of our community, Shred. You should talk with him about it and let him know how helpful it is!

So, we've also contacted Richard aka Shred. Richard, thank you very much for developing acme4j, could you quickly - for non-technical people like myself - explain what this library does?

I'm very happy that you guys at Tutanota are using acme4j - it's the greatest praise and motivation an open source developer can get when their tools are actually being used! Let me try to explain acme4j:

A protocol called ACME is used for communication with the servers of Let's Encrypt. Its documentation is public, so everyone can read how it works. However, it is not that easy to understand.

To avoid that software developers need to learn all the details in depth, there are so-called libraries. They hide the complexity, are field-tested, and offer an interface that is easy to learn. acme4j is such a library for the Java programming language.

To give an analogy: acme4j is like a lawyer. A lawyer knows the laws and regulations. He is experienced and specialized. His clients can thus deal with legal matters without having to study law science with his help.

Thank you very much for the interview, Sarah and Richard, and thanks for making the Web more secure with Let's Encrypt. :) We are also thinking about drafting a more technical piece that explains how we managed to integrate Let's Encrypt into Tutanota and how this improves the handling of whitelabel domains. So please share your questions so we can consider them for the in-depth post!

Tutanota has integrated Let's Encrypt with version 3.50.1 to make issuing and updating TLS/SSL certificates for whitelabel domains fast and easy.