10 Years of Let's Encrypt

https://letsencrypt.org/2025/12/09/10-years

69•SGran•1h ago

Comments

victorbjorklund•27m ago

Wow. Feels like Let’s encrypt been around for longer.

Aardwolf•26m ago

Agreed! What were we using before Let's Encrypt again? Maybe just plain HTTP

bakies•22m ago

Self signed certs. I wasn't paying.

Thaxll•21m ago

Some of them were not expensive but it was not convenient at all.

rew0rk•20m ago

either you used http, self signed if you did not mind the warning, and i remember there being one company that did offer free certificates that validated, but cant remember the name of it

tomklein•15m ago

I believe it was StartSSL and/or WoSign back then

SahAssar•15m ago

> i remember there being one company that did offer free certificates that validated, but cant remember the name of it

You're probably thinking of StartSSL, and it was a bit of a pain to get it done.

jsheard•19m ago

Didn't the push to encrypt absolutely everything (not just "sensitive" data) really kick off in the wake of the Snowden leaks? That was 12 years ago so the timing more or less lines up, if your site was low-stakes then you probably could have gotten away with just using plain HTTP before Lets Encrypt arrived.

asadotzler•15m ago

SSL/TLS via expensive and hard to work with providers and tooling. Let's Encrypt made it free and easy to maintain.

ZeroConcerns•14m ago

Mostly Verisign, which required faxing forms and eye-watering amounts of money. Then Thawte, which brought down prices to a more manageable US$500 per host or so. Which might seem excessive, but was really peanuts compared to the price of the 'SSL accelerator' SBus card that you also needed to serve more than, like, 2 concurrent HTTPS connections.

And you try telling young people that ACME is a walk in the park, and they won't believe you...

SirMaster•1m ago

I was using StartCom SmartSSL which was offering free 1 year certificates at least for my personal sites.

quesera•1m ago

I was going to say the opposite. LE still feels like the "new" way, to me. :)

jjice•21m ago

Let's Encrypt was _huge_ in making it's absurd to not have TLS and now we (I, at least) take it for granted because it's just the baseline for any website I build. Incredible, free service that helped make the web a more secure place. What a wonderful service - thank you to the entire team.

The CEO at my last company (2022) refused to use Let's Encrypt because "it looked cheap to customers". That is absurd to me because 1), it's (and was at the time) the largest certificate authority in the world, and 2) I've never seen someone care about who issued your cert on a sales call. It coming from GoDaddy is not a selling point...

So my question: has anyone actually commented to you in a negative way about using Let's Encrypt? I couldn't imagine, but curious on others' experiences.

rokkamokka•19m ago

No! Let's encrypt is easily the best thing that's happened for a secure internet the last 10 years.

johnebgd•16m ago

There are extended certificates that did matter in our sales process for some hosted solutions back about 15 years ago if I recall right… no one has ever cared since…

giancarlostoro•14m ago

> It coming from GoDaddy is not a selling point...

I just people who use GoDaddy. They were the one company supporting SOPA when the entire rest of the internet was opposed to SOPA. It's very obvious GoDaddy is run by "business-bros" and not hackers or tech bros.

Analemma_•7m ago

I've seen people complain that Let's Encrypt is so easy that it's enabling the forced phaseout of long-lived certificates and unencrypted HTTP.

I sort of understand this, although it does feel like going "bcrypt is so easy to use it's enabling standards agencies to force me to use something newer than MD5". Like, yeah, once the secure way is sufficiently easy to use, we can then push everyone off the insecure way; that's how it's supposed to work.

UltraSane•6m ago

I have worked at companies that refused to use LetsEncrypt for the same reason.

quesera•3m ago

There was a time when EV certificates were considered more trustworthy than DV certs. Browsers used to show an indication for EV certs.

Those days are long gone, and I'm not completely sure how I feel about it. I hated the EV renewal/rotation process, so definitely a win on the day-to-day scale, but I still feel like something was lost in the transition.

trueismywork•1m ago

What about OV?

traceroute66•2m ago

> has anyone actually commented to you in a negative way about using Let's Encrypt?

A friend of mine has had a negative experience insofar as they are working for a small company, using maybe only 15–20 certs and one day they started getting hounded by Let's Encrypt multiple times on the email address they used for ACME registration.

Let's Encrcypt were chasing donations and were promptly told where to stick it with their unsolicited communications. Let's Encrypt also did zero research about who they were targetting, i.e. trying to get a small company to shell out $50k as a "donation".

My friend was of the opinion is that if you're going to charge, then charge, but don't offer it for free and then go looking for payment via the backdoor.

In a business environment getting a donation approved is almost always an entirely different process, involving completely different people in the company, than getting a product or service purchase approved. Even more so if, like Let's Encrypt, you are turning up on the doorstep asking for $50k a pop.

btown•2m ago

To be fair, for a CEO in 2022, EV certificates had only lost their special visualizations since September/October 2019 with Chrome 77 and Firefox 70 - and with all that would happen in the following months, one could be forgiven for not adapting to new browser best practices!

https://www.troyhunt.com/extended-validation-certificates-ar...

npodbielski•13m ago

I am glad to be one of the users using that for around 7 years. I can't think of how much better is life of people just doing blogs or some silly websites with free https certs. Would I pay 50$ bucks a year for ability to self host nextcloud? Probably not. But security enhancement is so enormous with that service. Thanks to everyone involved for making world a little bit better.

greyface-•11m ago

New baseline expectation that web traffic will be encrypted on the wire: very good!

New de-facto requirement that you need to receive the blessing of a CA to make use of basic web platform features... not so good.

jovial_cavalier•6m ago

That's not new, LetsEncrypt just didn't solve it. And if you think this is the only single point of failure in the stack, I have news for you.

greyface-•2m ago

It's absolutely new. No HTML5 features were restricted to secure origins only pre-LE. Today, many are. Google was able to push these requirements in large part due to Let's Encrypt's success making secure origins ubiquitous.

ekr____•2m ago

Can you elaborate a bit about what you mean by "the blessing of a CA"?

I agree that it's true that you need a certificate to do TLS, but importantly Let's Encrypt isn't interested in what you do with your certificate, just that you actually control the domain name. See: https://letsencrypt.org/2015/10/29/phishing-and-malware.html

hulitu•10m ago

> 10 Years of Let's Encrypt

Aren't they only 45 days [1] old ?

[1] https://letsencrypt.org/2025/12/02/from-90-to-45

Show HN: UIforSaaS – Production-Ready SaaS UI Kit for React and Tailwind

Improve your docs by giving your AI assistant the project's issues

Selling H200s to China Is Unwise and Unpopular

Common Threads

Show HN: Client-side file tools – PDF, images, crypto, all in-browser

It is counterproductive to force cache on all tools of an agent

We Manage Cloudflare with Infrastructure as Code

The Resonant Computing Manifesto

The Tate Modern posted my job application on the internet

Express JavaScript API sucks, so meebo

The Year of the Linux Desktop Is Finally Here – But Not for Humans

Show HN: No API? No Problem! Unlock web data behind clicks, searches, and UI

Why the A.I. Boom Is Unlike the Dot-Com Boom

Is It a Bubble?

#1 Week of Building Cross a todo app that syncs to Notion and Obsidian

Progressives used to view schools as engines of social mobility

We are breaking the domain industry. On purpose

Cisco AI's A2A Scanner – New OSS Tool to Detect Threats in A2A Eco-System

The Big Vitamin D Mistake [pdf]

How do solo founders get their first pilot users for a complex B2B product?

The Slow and Dangerous Loss of Self

Microsoft invests $17.5B in India to drive AI diffusion at population scale

Happy Smallpox Eradication Day [video]

Bazel Migrate to Bzlmod

Claude Code in Slack

Private Indices Are the New Public Indices

Show HN: LitContent – AI content designed to match your brand voice

Releasing Packages with a Valet Key: NPM, PyPI, and Beyond

RLS – Release Layer System

OpenAI Appoints Denise Dresser as Chief Revenue Officer