SSL certificates used to be expensive and complex to install. Most website owners didn’t think the upside was worth the effort and so the vast majority of sites were served without encryption. Let’s Encrypt, first introduced in 2015, changed all that. With Let’s Encrypt, certificates are free and it’s easy to install and use them on common server configurations. This June, Let’s Encrypt celebrated its hundred millionth certificate. Its certificates are now used on over 47 million domains.
One of the most striking limitations of Let’s Encrypt is its inability to issue wildcard certificates, but that’s not going to be a problem for much longer. The project has announced that from January 2018, with the introduction of the ACME v2 API endpoint, Let’s Encrypt will be able to issue wildcard certificates.
Basic SSL certificates work with a single domain. They don’t work with subdomains. We could use this type of certificate to cover “futurehosting.com,” but we’d need a different certificate for www.futurehosting.com, my.futurehosting.com, and so on. Wildcard certificates offer encryption for all subdomains of a domain. A wildcard certificate issued to cover *.futurehosting.com covers all subdomains of that domain.
The introduction of subdomain support is important for sites with small numbers of subdomains, but it’s even more welcome to sites with many subdomains. Users of WordPress Multisite could previously use Let’s Encrypt: the certificates are free so there’s no price barrier to using a unique certificate on each domain. But managing multiple certificates introduces additional complexity and there have been reports of that approach not working well with WordPress Multisite installations with large numbers of domains.
100,000,000 certificates sounds like a lot, but what’s really important is the proportion of web page loads that are secure. That proportion stood at around 40% when Let’s Encrypt was first introduced. This July, 58% of page loads were encrypted. An 18% increase in secure web pages is a big change in a short time. The web moves slowly: it took twenty years to reach 40% adoption of HTTPS and the additional 18% took just 19 months.
It’s unlikely that all of the increase is directly due to Let’s Encrypt, but the web has been made a safer place by Let’s Encrypt and other certificate providers forced to simplify and reduce prices. I expect the addition of wildcard certificates to Let’s Encrypt will break through another barrier to implementing HTTPS and we’ll see another significant increase in adoption.
The stated goal of Let’s Encrypt is 100% HTTPS adoption. It’s going to be many years before that becomes a reality, if ever, but with the simplification of Let’s Encrypt and the introduction of HTTP2, which requires HTTPS, it’s likely that most of the pages on the web that receive a significant number of visitors will be delivered over encrypted connections in the next few years.