In his recent report on the state of TLS in the Alexa 1 million, Scott Helme uncovered some interesting trends that have emerged over the 18 months since the last report. In our last interview with Scott Helme, we wrote about how CDN providers like Cloudflare may have contributed to the rapid migration to TLS 1.3. Helme also found that the prevalence of Cloudflare and others have changed the dynamics of the Certificate Authority (CA) market. But not nearly as much as free CAs like Let’s Encrypt with its surprisingly rapid adoption rates.
Noted Helme, “Let's Encrypt went from not existing in 2016, to being the largest issuer of certificates on Planet Earth—quite comfortably and by a significant margin. Simply put, it's just outrageous.” At the same time, we’ve seen a significant decline in the use of EV certificates.
In a recent interview with Scott Helme, we delved into significant changes in the CA landscape and what that means for organizations today and in the near future.
How did Let’s Encrypt become the dominant player in the CA market?
Scott Helme: I remember going to DEF CON in 2015, when Yan Zhu and the other founding members of Let's Encrypt sat on a panel talking about how the CA ecosystem is polluted and there's too many CAs and we need some fresh blood. Okay. Then to address that problem they recommended, “We're going to make another CA.” And I thought to myself, yeah right. The problem of too many CAs is going to be solved with another CA. But when I spoke with her and really stopped to think about it [I thought], “Wow, this is a pretty ambitious plan. I hope it works."
And wow, did it work. They've gone from literally not existing to being the biggest issuer in the world. And I think they did that in four years. And we're five years on from when they started now, but it's just outrageous. No one can argue that they haven't completely changed the face of the web.
Initially, Let’s Encrypt seemed to be focused on encryption everywhere. Is that still true?
Scott Helme: I don't think there's a valid argument against that statement. Many skeptics said, "Oh, well, this is just everybody that used to pay for certificates, switching to the free certificate authority."
And there's multiple case studies that disprove that kind of disparaging theory. When I look at the domains that use certificates and check things like CT logs many of these websites didn't have certificates before they used Let's Encrypt.
The data has proven that while there is, of course, a small portion of Let's Encrypt users who have migrated from traditional paid CAs, the overwhelming majority were domains that did not previously have certificates.
So, I think Let's Encrypt has a very large presence from very large amounts of hosted WordPress blogs, hosted GitHub Pages, and other organizations that do all the infrastructure and platform, and people who just write popular content.
Do you think Let’s Encrypt has contributed to the decline in EV certificates?
Scott Helme: I think the thing that contributed to the decline in extended validation (EV) certificates was the inability to demonstrate value. It's hard to justify something that's expensive when you can't really demonstrate the value proposition—especially if your only argument is, "No. It's just better. Trust me."
I mean, I'm not a particularly big fan of EV. I've always really struggled with the value proposition, even when the browser UI was quite prominent for EV certificates. And my biggest criticism was always that you can’t build a value proposition on a mechanism that depends on the user in order to succeed.
I just don't fundamentally believe that we should have security mechanisms that place a dependency on the user. Because users tend to be unreliable. And I'm not criticizing them; they're not supposed to be reliable. So I’ve never really been a fan of EV because it places an unfair burden on the user.
But then when you try and explain the value proposition of EV, it's then very difficult because of that. Because it is a user control. So, site operators are learning that, over the years, the user is not reliable. And that’s not a criticism of users. It’s just that we shouldn't depend on users.
Any other factors that may have contributed to the rapid decline in EV certificates?
Scott Helme: I think the cost is obviously a big factor in the decline of EV certificates. I also think the lack of full automation capabilities with EV and OV (Organization Validated), is contributing to their decline. Because GitHub pages can never put an EV certificate on anyone's website for them, it's really close to impossible to do that practically.
If you're currently using EV, and someone says, "Well, we can't automate our certificates because we have EV," I think it's a very easy decision to drop EV and go to an automated CA.
So right now, I think there's a melting pot of reasons that EV's are on the decline. And anyone could make the argument that one was more significant than the other, but I think that they're all contributing.
What types of organizations are still using EV?
Scott Helme: I have a list of all the organizations still using EV. So, one of the other things that I can highlight on my crawler is a list of the sites using EV. If you look at the list of all of the sites using EV, there is a very clear pattern. They're either finance, a recognized brand, or they sell EV certificates. So, maybe this falls back into the category of those larger organizations that are stuck in their existing process, and perhaps they're too big to automate.
It’s enormous organizations with a massive eCommerce presence. And they're probably going to be some of the last to automate because their agility is not favorable to the process of migrating to an automated renewal. So, I think there's definitely an identifiable trend with who uses EV.
How significant is the role of automation in the move away from EV certificates?
Scott Helme: So that's been one of the most recent trends that I've noticed. There’s a visible shift in the patterns on how people are obtaining certificates. No one is going to ACS and manually renewing a certificate. It's all being done for them. No one's going to Let's Encrypt or Cloudflare and manually renewing a certificate. It's all being done for them.
So, there is a big move away from self-managed certificates in the traditional sense. Towards someone else automating for me. Because I think there's also a difference there that's very notable, between an organization implementing their own automated renewal and then being fronted up by a CDN provider that manages the keys and certificates for them. So, yeah. That's two distinct trends there, I think.