Featured products and servicesadvertise here
24/7 Real Media
Adobe Experience Manager
Apache Traffic Server
Full Circle Studies
Google Hosted Libraries
Google Tag Manager
Image File Formats
IPS Community Suite
PHP Link Directory
SSL Certificate Authorities
Top Level Domains
Traffic Analysis Tools
Yahoo Tag Manager
The impact of Let's Encrypt on the SSL certificate market
Posted by Matthias Gelbmann on 26 September 2016 in News, IdenTrust, Let’s Encrypt, SSL Certificate Authorities
Let's Encrypt certificates used by 3% of all websites
If we look at the SSL certificate authorities survey, we find Let's Encrypt way down at rank 14 with 0.1% market share. However, this is misleading. As it takes a while to be included as a trusted authority in most user's browsers, Let's Encrypt certificates are cross-signed by IdenTrust at the moment. The wast majority of Let's Encrypt sites therefore use IdenTrust as root certificate, thus preventing the browser showing confusing warnings to visitors. IdenTrust has been around for a long time, but its SSL certificate market share was pretty much negligible before the Let's Encrypt deal. Therefore, if we look at the IdenTrust statistics, we basically see the Let's Encrypt adoption rate.
We see that Let's Encrypt is now used by 3% of all websites, that is an SSL certificate market share of 13.1%, which brings it at rank 3 after Comodo and Symantec. What impact does that have on the SSL certificate market and on its competitors?
The SSL certificate market as a whole is growing quickly
One remarkable observation from last year's market trend is the fact that most of the other certificate authorities also increased the number of sites they are serving. Comodo, for example, is now used by 9.2% of all sites, up from 5.9% one year ago.
The gain from Let's Encrypt primarily comes from sites that did not use a valid SSL certificate before. 30.7% of the websites use no certificate at all now, that share was 37% last year. A remarkable 44.9% (down from 46% last year) of all sites use an invalid certificate, that is a certificate that has been issued for another domain. Most of these invalid certificates are installed by hosting providers as a free service for their customers. Webmasters may use these certificates for testing or for internal use, most sites probably never use them.
Interestingly, the number of expired certificates has increased from 0.2% to 0.9% since the start of Let's Encrypt. It seems that a fair number of people request their free certificate, perhaps don't even use it, and let it expire. The fact that Let's Encrypt certificates are valid only for three months, instead of the usual year, certainly plays a role too.
The total share of websites that use a valid certificates went up from 16.2% to 23.0%, the whole certificate market is growing quickly. As we have seen above, only less than half of that increase comes from Let's Encrypt certificates, more than half went to other CAs. Nevertheless, webmasters change their certificate provider from time to time, some of the sites that now use Let's Encrypt have used other CAs before. Looking at the technology change report we see that Let's Encrypt gains websites primarily from GlobalSign, followed by Comodo and Symantec.
Let's Encrypt certificates used by low-traffic sites
Our market position diagram shows another aspect of the market: CAs near to top border of the diagram are primarily used by high traffic sites, whereas CAs near the bottom border are preferred by low traffic sites.
It comes as no surprise that IdenTrust, and thus Let's Encrypt, comes at the low-traffic end of the market, as they issue only Domain Validated SSL Certificates at the moment. High-traffic sites often require some form of Extended Validation SSL Certificates, which are more expensive. Furthermore, Let's Encrypt does not yet issue wildcard certificates.
France loves Let's Encrypt
There are significant regional differences in the adoption of Let's Encrypt. They are market leader in several countries, most notably in France with 46.3% market share. On the other hand, they have hardly started in some Asian countries such as China (3.1% market share), South Korea (1.8%) and Japan (1.5%).
With 77% of all websites not yet using a valid SSL certificate, we can expect Let's Encrypt to continue to grow in the coming years. Once browsers have them listed as trusted authority, we will see them with their own name in our statistics, rather than under the IdenTrust root certificate. Let's Encrypt does not yet hurt other certificate providers, except that they may slow their growth. That may change once the market is more saturated, but it looks like there is still time for the competition to evolve their strategies.
You can find much more details in our SSL Certificate Authorities Market Reports.
Share this page
Leave a comment