The Internet security ecosystem took an unexpected turn in 2015 with the creation of Let’s Encrypt, a non-profit certificate authority (CA) that brought a new approach to the process of issuing digital certificates. Backed by prominent names like Mozilla, Akamai, Cisco, IdenTrust, and the Electronic Frontier Foundation (EFF), Let’s Encrypt was introduced to the world with an ambitious promise: “It’s free, automated, and open”. Just a few months after its official launch, Google Chrome joined as a sponsor of the project, solidifying its position as one of the most influential players in the digital certificate market.
However, this phenomenon raises questions about the dependence of critical Internet infrastructure on North American entities and its global impact, especially in regions like Europe.
Automation: The Key to Let’s Encrypt’s Success
One of the significant advancements introduced by Let’s Encrypt was the automation of certificate issuance. In 2019, the IETF (Internet Engineering Task Force) published RFC 8555, the standard that describes the Automatic Certificate Management Environment (ACME) protocol, developed largely by the creators of Let’s Encrypt. This protocol allows web servers to automatically obtain, renew, and revoke digital certificates, eliminating manual complexities and making HTTPS security more accessible for developers and small businesses.
However, Let’s Encrypt’s automation has a significant limitation: it only issues domain validation (DV) certificates. This means it guarantees that the applicant controls the domain but does not verify the identity of the organization or person behind it. This contrasts with QWACs (Qualified Website Authentication Certificates), regulated by the European eIDAS regulation, which require a deeper analysis of the natural and legal identity of the applicant, respecting the idiosyncrasies of each country.
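To make the DV limitation concrete, the following added example (not code from Let’s Encrypt or from this article) computes the ACME HTTP-01 and DNS-01 challenge responses defined in RFC 8555 and RFC 7638 and simulates the CA-side check. The account keys, token, domain and in-memory web root are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# JWK members that enter an RFC 7638 thumbprint, per key type.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses for binary values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only."""
    required = {name: jwk[name] for name in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint of the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def http01_url(domain: str, token: str) -> str:
    """Where the CA looks for the HTTP-01 response (plain HTTP, port 80)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Value for the _acme-challenge TXT record in the DNS-01 variant."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())

def ca_validates_http01(domain, token, account_jwk, fetch) -> bool:
    """CA side: the only test is that the domain serves the expected string.
    No organisation name or legal identity enters the check."""
    body = fetch(http01_url(domain, token))
    if body is None:
        return False
    expected = key_authorization(token, account_jwk).encode("ascii")
    return hmac.compare_digest(body.strip().encode("utf-8"), expected)

# Constructed sample data: placeholder key coordinates, token and domain.
ACCOUNT_KEY = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": "C" * 43, "y": "D" * 43}
TOKEN = "constructed-token-0123456789abcdefABCDEF"
WEBROOT = {http01_url("example.org", TOKEN): key_authorization(TOKEN, ACCOUNT_KEY)}

if __name__ == "__main__":
    print(ca_validates_http01("example.org", TOKEN, ACCOUNT_KEY, WEBROOT.get))
    print(ca_validates_http01("example.org", TOKEN, OTHER_KEY, WEBROOT.get))
```

The check succeeds only for the account key whose thumbprint is published under the domain, which is why a DV certificate attests to control of the domain and to nothing about who operates it.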
The Exponential Growth of Let’s Encrypt
Since its beta launch in January 2016, Let’s Encrypt has experienced explosive growth. As of today, it has issued billions of certificates and has become one of the most widely used CAs in the world. In 2020, the organization began operating with its own root certificate, partially breaking its dependence on IdenTrust, which had been part of the project from the beginning. This also coincided with a shift in the global distribution of digital certificates, where Let’s Encrypt now dominates the market.
However, this growth poses challenges for other certificate authorities. For example, DigiCert, one of the few relevant European CAs, has lost market share to North American competitors, while IdenTrust’s figures have declined due to its historical relationship with Let’s Encrypt.
Europe: A Digital Giant with Little Infrastructure of Its Own
Europe is the third-largest economic region in the world in terms of Internet users, with 448 million inhabitants and a penetration rate of 99%. However, in terms of certificate authorities and other critical web infrastructures, its role is marginal. Of the main CAs used globally, only DigiCert has European roots, and its market share is significantly smaller than that of its American competitors.
North American dominance is not limited to CAs. Web browsers, the gateway to the Internet for billions of people, are also under foreign control. Only two European browsers, Vivaldi and Mullvad, have any significance, while Opera, once Norwegian, came under Chinese ownership in 2016. Even Mozilla, known for its transparency and open-source model, is deeply influenced by North American perspectives, both in its management and funding.
The Global Impact of North American Dominance
The reliance on North American infrastructures in an ecosystem as globalized as the Internet poses both strategic and economic risks. Controlling key elements like CAs, browsers, and communication protocols allows the United States to maintain significant influence over how security is ensured on the web. Additionally, this dominance hampers the digital autonomy of regions like Europe, which, despite initiatives like eIDAS, has failed to establish competitive alternatives in terms of technology infrastructure.
The eIDAS regulation, with its emphasis on qualified certificates like QWACs, attempted to lay the groundwork for robust regulation tailored to the European digital reality. However, the failure to adopt tools like eIDAS Nodes and the lack of investment in native infrastructures have limited its impact, leaving the field open for more agile and global projects like Let’s Encrypt.
Conclusion
Let’s Encrypt has democratized access to web security with its free, automated, and open approach, leading to a surge in the adoption of HTTPS certificates worldwide. However, this success also highlights the growing dependence on critical North American infrastructures. Europe, despite being a key player in terms of Internet users, still lags in managing its own technological infrastructure.
The story of Let’s Encrypt and the dominance of U.S. CAs underscores the need for a more strategic and coordinated approach from Europe to protect its digital sovereignty and ensure that the next generation of web security tools does not rely solely on foreign actors.