Let’s Encrypt now issues 52% certs and protects 38 % of websites
I have looked into this some time ago, when I researched the global market of web encryption. I used market research reports and arrived to the number of 80%. This time, I had a look at the data from KeyChest monitoring.
The 80% figure in my blog post https://dan.enigmabridge.com/lets-encrypt-in-the-spotlight/ was based on predictions from Frost&Sullivan and other market research reports and actual volume of certificates issued by Let’s Encrypt.
This time, I have analyzed 500,000 certificates from the database of KeyChest.net. I have looked at the numbers of all certificates that KeyChest pulls from CT (certificate transparency) logs and also at data of server audits. The two datasets differ as we request more certificate than we actually use — especially when they are free. When I query our CT (certificate transparency) database directly, I can see large numbers of duplicates, but it’s non-trivial to eliminate the effect of CDNs (content delivery networks). The data from actual audits of web services show how important this aspect is.
Anyway, I had worked for large enterprises and I was curious. An enterprise is still unlikely to use Let’s Encrypt but how successful are “enterprise trusted” names elsewhere. And it’s pretty bad for some names I believed to be market leaders.
Let me start with some simple but nevertheless interesting stats around algorithms and key length. The data is for domains audited by KeyChest.
Algorithms and key length
- RSA 4,096 bits — 12%
- RSA 2,048 bits — 68%
- RSA 1,024 bits — 2%
- ECC 256bits — 15%
- ECC 384 — bits0.8%
Personally, I’m surprised by the large use of elliptic curve (ECC) certificates, which I’d expect to be less than 5%. So well done to all the admins who optimize their servers for faster encryption.
Types of certificates
- self-signed certificates — 1.2%
- extended validation certificates (EV) — 4.8%
- organization validation certificates (OV) — 20.5%
- domain validation certificates (DV) — 73%
And finally a couple of random but interesting figures:
- Cloudflare certificates: 15%
- Wildcard certificates: 22%
What you can start seeing from this is the role of CDNs, and especially Cloudflare among KeyChest users. Cloudflare would have OV certificates, which means that when we take those away, only organizations are more likely to use the most expensive EV certificates than OV certificates.
How Big Is Letsencrypt
I’m finally getting to the results of the main exercise — how big is Let’s Encrypt. It is not 80% but it’s still majority of all certificates that KeyChest pulled from CT logs.
There are some unexpected entries there (cPanel) but in general — there are basically 2 leaders in the market — Let’s Encrypt for free, short term certificates that we are using on our web servers. COMODO used by main CDNs. GlobalSign and Digicert are sharing the market of “end user organizations” with COMODO.
Let’s have a look at the data from actual audits of servers. I have done two samples, one for all audits in the database of KeyChest (since Q3 2017) and a sample of audits executed over the last 3 months.
The main number here is the increase of Let’s Encrypt — from 33.1% to 38.8%. Another interesting point is that COMODO is back in line with other commercial issuers — something that most likely reflects how CDNs use certificates. My experience is that the number of certificates issued for CDNs is much higher than what can be see on CDN servers (although we are limited by the use of only a couple of DNS servers we use to resolve domain names to IP addresses).
Some interesting numbers. Certainly well done to Let’s Encrypt, which seems to keep getting new customers as old long-validity certificates expire. The figure is much less than 80% I arrived at previously. The main reason is the rise of COMODO due to its strategic targeting of CDNs — as well as low cost for small users.
