The US lock of the Web

Let's talk about Let's Encrypt.

Ache
Eternal student in computer science. Self-taught developer, now engineer.
GNU\Linux, C, C++, Python, Math, self-hosted, decentralisation, P2P, ...
Tags: https, web, cryptography
2026-06-19T05:18:46.000

Recently, in case you haven't noticed, Let's Encrypt, the world's leading certificate authority, added to its terms of use that it applies U.S. sanctions. This isn't surprising, but it raises questions. The application of U.S. law to critical web infrastructure constitutes a major geopolitical weapon.

What is Let's Encrypt?

Let's Encrypt is the best-known web certificate authority in the world.

Born of a collaborative effort by Mozilla and the Electronic Frontier Foundation, the most active non-profit organization defending digital rights, Let's Encrypt has truly contributed to putting the little HTTPS padlock icon in your navigation bar.

If you don't know what Let's Encrypt or a certificate authority is, then this blog post may not be entirely for you. Simply understand that we are talking about the padlock in your browser's address bar.
In order to democratize the use of HTTPS, Let's Encrypt revolutionized certification in two ways:

- Free of charge. Certification by Let's Encrypt is free, period. With competitors in 2014, a certificate was VERY expensive. Even today, price is the reason most actors choose Let's Encrypt. For reference, a certificate costs €188/year at GlobalSign... $800 for a wildcard certificate at Sectigo.
- Automation. While obtaining a certificate in 2014 required a long verification process, payment, and then manual renewal, Let's Encrypt automates everything. This makes everyone's work easier and contributes to a safer web.

In concrete terms, this means that Let's Encrypt will refuse to issue a certificate to any entity (be it a company, organization, or individual) that has been sanctioned. For instance, no website operating in Russia or Iran can obtain these certificates. To be more specific, Nicolas GUILLOU, one of the International Criminal Court judges who issued the international arrest warrant against Netanyahu, cannot get certified by Let's Encrypt, even if he uses a subcontractor.

Dependence on Let's Encrypt

A year ago, Stéphane Bortzmeyer posted on Mastodon that 80% of certificates on the web came from Let's Encrypt. Naturally, I wanted to verify this. In particular, I wanted to check to what extent I, an average European, was myself dependent on Let's Encrypt.[1]

My first idea was to retrieve data from a Certificate Transparency Log. However, this does not reflect my concrete dependency on Let's Encrypt and requires many resources. Such a log is tens of terabytes in size, so I will let them compute their own statistics. It turns out that Cloudflare has an existing dashboard for this:
From Cloudflare's data:

| # | CA | Percentage of issued certificates |
|---|----|-----------------------------------|
| 1 | Let's Encrypt | 52% |
| 2 | Google Trust Services | 17% |
| 3 | Sectigo | 15% |
| 4 | GoDaddy | 6% |
| 5 | Amazon | 4% |
| 6 | DigiCert | 2.5% |
| 7 | Microsoft | 1.4% |
| 8 | SSL.com | 0.69% |

If one includes multiple certificates, that is, for example, several certificates for the same domain name, then Let's Encrypt is slightly more productive proportionally, but this does not change the order of importance of each certificate authority (except GoDaddy).

To analyze my personal reliance on Let's Encrypt, I opted instead for a web extension to install in Firefox. It analyzes all the sites that I visit and records the associated certificate authority on the first visit to each website (within the current month). I present Cert Check.

I installed this extension last year on all my devices. I can therefore be very precise regarding my concrete dependence on each certificate authority.

Is there a Let's Encrypt monopoly?

Yes, Let's Encrypt is indeed the certificate authority most used by the sites that I visit. But no, it is not 80% of the sites I visit, and it remains below Cloudflare's figures.

Over the last month:

| # | CA | Percentage visited |
|---|----|--------------------|
| 1 | Let's Encrypt | 46.09 |
| 2 | Google Trust Services | 32.40 |
| 3 | DigiCert | 7.58 |
| 4 | Amazon | 5.26 |
| 5 | GlobalSign | 2.93 |
| 6 | Sectigo | 2.93 |
| 7 | USERTrust | 1.34 |
| 8 | Go Daddy | 0.37 |
| 9 | Certigna | 0.37 |
| 10 | HARICA | 0.37 |
| 11 | SSL.com | 0.24 |
| 12 | SwissSign | 0.12 |

However, if I take into account all the sites that Firefox has requested, not only those that I visited, it is Google which is the most prolific certificate authority.

"Visited sites" are those that appeared in my navigation bar. "Requested websites" are those to which my browser made an HTTPS request, such as an image displayed on a webpage but hosted by another site (which I did not visit directly).
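The counting described above (one certificate authority recorded per site per month, with "visited" separated from "requested") can be sketched as follows. This is an added example, not Cert Check's code: it assumes Firefox's `webRequest.getSecurityInfo` API as the source of the issuer, and `CaTally`, `issuerOrg`, `demo` and the sample requests are constructed for illustration.

```javascript
// Added example, not Cert Check's source. Assumption: CAs are grouped by the issuer DN's O=.
function issuerOrg(dn) {
  const m = /(?:^|,)\s*O=("[^"]*"|(?:\\.|[^,])*)/.exec(dn);
  if (!m) return "unknown";
  return m[1].replace(/^"|"$/g, "").replace(/\\(.)/g, "$1").trim();
}

class CaTally {
  constructor() { this.seen = new Map(); } // "YYYY-MM|host" -> { ca, visited }
  // type is a webRequest ResourceType; "main_frame" means the site was in the address bar.
  record(url, type, issuerDn, when = new Date()) {
    const key = when.toISOString().slice(0, 7) + "|" + new URL(url).hostname;
    const visited = type === "main_frame";
    const entry = this.seen.get(key);
    if (entry) { entry.visited = entry.visited || visited; return; } // first CA this month wins
    this.seen.set(key, { ca: issuerOrg(issuerDn), visited });
  }
  // Percentage of distinct hosts per CA for one month ("YYYY-MM"), largest first.
  shares(month, visitedOnly) {
    const rows = [...this.seen].filter(
      ([key, e]) => key.startsWith(month + "|") && (!visitedOnly || e.visited));
    const counts = new Map();
    for (const [, e] of rows) counts.set(e.ca, (counts.get(e.ca) || 0) + 1);
    return [...counts].map(([ca, n]) => [ca, +(100 * n / rows.length).toFixed(2)])
      .sort((a, b) => b[1] - a[1]);
  }
}

// Constructed sample: [url, resource type, issuer DN of the server certificate].
const SAMPLE = [
  ["https://blog.example/", "main_frame", "CN=Example CA 1,O=Let's Encrypt,C=US"],
  ["https://cdn.example/a.png", "image", "CN=Example CA 2,O=Google Trust Services,C=US"],
  ["https://blog.example/post", "main_frame", "CN=Example CA 1,O=Let's Encrypt,C=US"],
  ["https://shop.example/", "main_frame", 'CN=Example CA 3,O="DigiCert, Inc.",C=US'],
  ["https://fonts.example/f.woff2", "font", "CN=Example CA 2,O=Google Trust Services,C=US"],
];
function demo(month = "2026-06") {
  const t = new CaTally();
  for (const [u, ty, dn] of SAMPLE) t.record(u, ty, dn, new Date(month + "-15T12:00:00Z"));
  return { visited: t.shares(month, true), requested: t.shares(month, false) };
}

// Firefox only (skipped under Node); needs webRequest and webRequestBlocking permissions.
if (typeof browser !== "undefined") {
  const tally = new CaTally();
  browser.webRequest.onHeadersReceived.addListener(async (d) => {
    const info = await browser.webRequest.getSecurityInfo(d.requestId, {});
    if (info.certificates?.length) tally.record(d.url, d.type, info.certificates[0].issuer);
  }, { urls: ["https://*/*"] }, ["blocking"]);
}
```

On the sample, the two hosts that only served subresources both chain to the same CA, so that CA leads the "requested" ranking while being absent from the "visited" one, which is the same effect the two tables on this page show.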
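For the last month:

| # | CA | Percentage loaded |
|---|----|-------------------|
| 1 | Google Trust Services | 29.76 |
| 2 | Let's Encrypt | 28.97 |
| 3 | GlobalSign | 12.67 |
| 4 | Amazon | 11.36 |
| 5 | DigiCert | 8.43 |
| 6 | USERTrust | 3.82 |
| 7 | Sectigo | 2.07 |
| 8 | Go Daddy | 1.52 |
| 9 | HARICA | 0.42 |
| 10 | SSL.com | 0.26 |
| 11 | Buypass | 0.23 |
| 12 | Certigna | 0.19 |
| 13 | Certum | 0.07 |
| 14 | COMODO RSA | 0.06 |
| 15 | Deutsche... | |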