
Certbot Is Now on 4 Million Servers, Maintaining Over 31 Million Websites

EFF’s Certbot is now installed on over 4 million web servers, where it’s used to maintain HTTPS certificates for more than 31 million websites. The recent achievement of these milestones helps show the success of the project and the important role it plays in the infrastructure of a secure and encrypted internet.

When EFF helped launch the Let’s Encrypt certificate authority and released the software that’d become Certbot in 2015, the web was a very different place. Less than 40% of websites were loaded using HTTPS, while the rest used unencrypted HTTP. This unencrypted traffic made it easy for malicious actors to eavesdrop, inject content, and take over online accounts by stealing cookies. Today, the percentage of web traffic using HTTPS is over 80% worldwide and over 93% in the United States.


Since Certbot’s first release, it has never stopped growing. The recent achievement of Certbot exceeding 4 million installations actively maintaining certificates with Let’s Encrypt is just our latest metric showcasing this growth. Additionally, since many servers host more than one website, these installations are responsible for more than 22 million certificates covering more than 31 million domain names. That’s more than 31 million websites that Certbot is helping to offer HTTPS. These benefits extend to every person who visits those sites.

But even these numbers are probably low, because they reflect only Certbot use with Let’s Encrypt. The ACME protocol is an open standard which allows others to create their own projects that are compatible with these tools. Since Certbot and Let’s Encrypt launched, lots of other software has been created, including other ACME certificate authorities, and the number of these is likely to increase.

Earlier this year, Google made changes to the Chrome root program that require all new certificate authorities to offer automated certificate issuance, and specifically encouraged certificate authorities to support ACME. These changes are good for the security of the internet and are likely to further encourage the adoption of ACME software like Certbot.

If you’d like to support us in our work in continuing to develop and support Certbot, especially for the millions of people who find it useful and have come to rely on it, please consider donating to EFF.

Should Caddy and Traefik Replace Certbot?

Can free and open source software projects like Caddy and Traefik eventually replace EFF’s Certbot? Although Certbot continues to be developed, we think tools like these help offer a promising path forward in the further development of a secure and encrypted web. For some users, tools like these can replace Certbot completely. 

We started development on Certbot in the mid-2010s with the goal of making it as easy as possible for website operators to offer HTTPS. To accomplish this, we made Certbot interact as best we could with existing web servers like Apache and Nginx without requiring any changes on their end. Unfortunately, this approach of using an external tool to provide functionality beyond what the server was originally designed for presents several challenges. With the help of open source libraries and hundreds of contributors from around the world, we designed Certbot to try to reparse Apache and Nginx configuration files and modify them as needed to set up HTTPS. Certbot interacted with these web servers using the same command line tools as a human user, and then waited an estimated period of time until the server had (probably) finished doing what we asked it to.

All of this worked remarkably well. Today, Certbot is used to maintain HTTPS for over 30 million domain names and it continues to be one of the most popular ways for people to interact with Let’s Encrypt, a free certificate authority, which has been hugely successful by many metrics. Despite this, the ease of enabling HTTPS remains hindered by the need for people to run Certbot in addition to their web server. 

That's where software like Caddy and Traefik is different. They are designed with easy HTTPS automation in mind. Caddy even enables HTTPS by default. They both implement the ACME protocol internally, allowing them to integrate with services like Let’s Encrypt to automatically obtain and renew the certificates needed to offer HTTPS. Since this support is built into the server, it completely avoids problems that Certbot sometimes has as an external tool, such as not parsing configuration files in the same way that the software it's trying to configure does. Most importantly, there's less effort required for a website operator to turn on HTTPS, further lowering the barrier to entry and making the internet more secure for everyone.

Both Caddy and Traefik are written in Go, a memory safe programming language. The Apache and Nginx web servers that Certbot interacts with were written in C, which is not memory safe. This may seem like a minor technical detail, but it’s not. A memory safe programming language is one that systematically prevents software written in it from having certain types of memory access errors which can occur in other programming languages. Studies have found that these memory safety errors are responsible for the majority of security vulnerabilities, leading to a growing push for the development of memory safe software. By adopting software like Caddy or Traefik, you’re able to proactively eliminate an entire class of common security vulnerabilities from that part of your system. 

With these benefits and Certbot’s limitations, should tools like Caddy and Traefik replace Certbot? Yes, they probably should eventually. While EFF does not endorse any specific product or service, we think that software like this is part of a larger suite of tools that will eventually make Certbot no longer needed. The ecosystem will be better served by using integrated software, not external tools that try to configure old and hard-to-use ones. 

No single approach to securing traffic to a website will work for everyone. For example, many hosting providers now offer HTTPS, and this will almost certainly be an easier approach than using any other external software. If you run a website and previously used a tool like Certbot though, consider whether software like Caddy or Traefik is a better fit for you. These tools have been around for years and have extensive user bases. You can use Caddy or Traefik as a TLS terminating reverse proxy or even use Caddy directly as your file server. 
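To make the "built-in ACME" point concrete, here is an added example of what the two deployments described above (a TLS-terminating reverse proxy and a plain file server) look like in a Caddyfile. It is not taken from the EFF post or from the Caddy project's own documentation; the hostnames, the contact address, the upstream port and the document root are placeholders you would replace with your own. Nothing in this configuration mentions certificates at all: because the site addresses are public hostnames, Caddy obtains and renews them itself, and redirects plain HTTP to HTTPS.

```caddyfile
# Added example (not from the original article). All names below are
# placeholders: app.example.com, static.example.com, admin@example.com,
# the upstream on port 8080 and /var/www/static are assumptions.
{
    # Contact address handed to the ACME CA for expiry and problem notices.
    email admin@example.com

    # While testing a new deployment, point at the Let's Encrypt staging
    # environment so a misconfiguration does not burn through the
    # production issuance rate limits. Remove the line when it works.
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

# TLS-terminating reverse proxy: Caddy holds the certificate and the
# private key, and talks plain HTTP to the application on localhost.
app.example.com {
    reverse_proxy 127.0.0.1:8080
}

# Static site served straight from disk, with the same automatic HTTPS.
static.example.com {
    root * /var/www/static
    file_server
    encode gzip
}
```

For this to work, DNS for both hostnames must already resolve to the machine, and ports 80 and 443 must be reachable from the internet, since Caddy completes the ACME HTTP-01 or TLS-ALPN-01 challenge on those ports itself. There is no separate renewal job to schedule and no web server configuration for an external tool to rewrite, which is exactly the class of problem the article says Certbot has to work around.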

If Certbot continues to work best for you for some use cases, that's also okay. We plan to continue developing the project until the happy day comes when running an HTTPS site is so simple that Certbot is no longer needed. Until that day, if you do continue using Certbot, please consider donating to EFF so that we’re able to continue supporting the project.
