How Let’s Encrypt made the web more secure with funding from donations

Grand ambitions do not always need hefty budgets. You just need a sound strategy to achieve them.

By Sara Downey, Thought Leadership, Dell Technologies

The internet is risky business. It was even more so as recently as 2015, when a majority (61%) of browser page loads were unencrypted. A lack of encryption leaves users vulnerable to data mining and malicious malware implants in addition to profiling.

A non-profit organization, Let’s Encrypt, has since systematically worked to fill in the gaps, issuing millions of Transport Layer Security (TLS) certificates for free while running on a small budget. Their story carries some important lessons for the rest of us.

The unencrypted before times

Josh Aas and Eric Rescorla were working at Mozilla Firefox in 2015 and realized that the primary reason the internet was unprotected was that the process of obtaining a TLS certificate, necessary for secure access, was convoluted, expensive and opaque. And even if you did manage to get one from a registered certificate authority (CA), companies had to repeatedly renew the certificate manually, which involved significant staff time and institutional knowledge. It was a painful rinse-and-repeat. Worse, it was expensive. In 2015, the average price of a one-year, single-domain certificate from the five largest CAs was $178–one even cost $766.

Given the expense, the hassle, and the seemingly nebulous advantages of securing a website, many businesses figured it was easier to follow the path of least resistance and stay unencrypted.

To rectify these problems, Aas and Rescorla decided to team up with a group at Electronic Frontier Foundation that was working on a protocol for automatically issuing and renewing certificates. The University of Michigan, Cisco, and Akamai joined shortly thereafter as founding partners. A new non-profit, Internet Security Research Group (ISRG) was born with the goal of making the web a safer and more secure place. Let’s Encrypt, a free, automated, and open certificate authority (CA), was ISRG’s first digital infrastructure project run for the public’s benefit.

A megawatt job on a low-power budget

While Let’s Encrypt dived in with gusto, they had to solve problems along the way. For one thing, the team did not know much about launching a recognized certificate authority. They had to build that plane as they were flying it—but they flew it well.

Arguably, the biggest challenge was the lean budget for it all, dependent entirely on donor dollars. Let’s Encrypt has secured 275 million websites thus far on a tight annual budget of $3 million to $4 million.

Strategic decisions helped. Right off the bat, Aas and his small team of all-remote staff knew they had to automate as many processes as possible, starting with the certificate issuing process. Eliminating repetitive toil allowed employees to focus on strategic tasks.

Let’s Encrypt also calculated that they had to use their staff’s time and resources more strategically and that was best done with the right hardware and software support. The Let’s Encrypt servers handle more than 70,000 queries per second, and its SQL database is around 13TB on disk. A lot is riding on its technology. The team went with Dell hardware, operated by The Integrated Dell Remote Access Controller (iDRAC) because it’s capable of heavy lifting, while also being easy to maintain. With iDRAC, the organization’s geographically dispersed remote staff can manage, deploy and update servers from anywhere, more easily than other similar systems.

Being discerning about the products they spend money on has helped Let’s Encrypt do more with less and with impressive outcomes: During one recent upgrade to Dell database hardware, the average time to process an API request dropped from about 90 milliseconds to 9. The request latency for the databases themselves dropped from .45 milliseconds to .15, a 3X improvement.

Key takeaways

The ability of Let’s Encrypt to do more with less teaches us many lessons that apply to enterprises of all sizes.

First, there is a difference between value and cost. Enterprises have a choice in where to spend their dollars, but they need to evaluate how that spend aligns with what they expect to get out of it. The lean team at Let’s Encrypt have internalized these messages:

  • Look at the large picture and go lean where you have to, but spend money on things that deliver value in the long run.
  • Understand how to play to your strengths. Let’s Encrypt has a robust staff who know what it takes to keep the web secure. Preserving that talent is a key goal, and every decision (spending, automation) plays to it. In serving this goal, the team has historically opted for fewer larger servers because they’re easier to track and maintain than a larger number of smaller ones.
  • Keep learning and improving the process. The staff hosts a number of book clubs and shares ideas learned and read to help the organization work better.

Let’s Encrypt has proved that you do not need a grand budget to achieve lofty ambitions. In 2021, the organization registered an impressive goal: It issued a whopping 2.5 million certificates on average every day, helping the percentage of encrypted page loads reach its highest level ever.

The web and its security challenges will continue to test all of us and our ability to serve future security needs. But a lean operating model will serve enterprises well no matter what is thrown at them. Let’s Encrypt is a testament to that.

Lead photo by John Salvino on Unsplash