Just to estimate the magnitude of impact on end-users with older macOS / iOS versions when DST Root X3 expires (and for whom the Android workaround won't help), is there a list somewhere of major websites that are using Let's Encrypt certificates? Like Wikipedia etc.
If significant portions of the Internet become unusable for those clients, they will be less likely to blame (smaller) individual LE certified websites. Or at least those smaller site owners can tell them "please test Wikipedia as well" to convince customers the issue is on their side.
I did not know that! That's just too funny and cool at the same time!
"Merkle Town" lists Let's Encrypt as the largest "ROOT CERTIFICATE AUTHORITIES", but seeing that LE still chains up to an IdenTrust root by default, is that even correct? Shouldn't that be IdenTrust strictly speaking?
That's not necessarily a correct comparison, given the 90-day lifetime and 60-day renewal cycle, vs. 1 year for most other CAs. You should probably divide that number by a factor of 4 to 6 to get a comparable number.
Also, big corporate-backed websites are more likely to be using an OV/EV certificate rather than a DV.
Well, it's based on certificate transparency logs, which are primarily for logging leaf certificates. So I'm assuming the statistics would be based on the owner of the leaf-signing intermediate. Or I suppose it might be based on which policy OID is embedded in the leaf, but I suspect that amounts to basically the same thing.
Fair enough. Even doing that, though, Let's Encrypt is a pretty big number.
I suppose somebody should do a project (if it hasn't been done already) of looking at the top x websites based on some major list and seeing which CA they each use.
The term "root CA" they use there is probably a misnomer*, as they're listing company/trademark names, not actual roots. They most likely have internal mapping logic that maps certain issuers to a company, e.g. maybe they check the org field of the intermediate issuer(s) and don't even care what root you chain up to. From a "legal" perspective, LE certs are issued by Let's Encrypt under LE CPS, so they do belong to Let's Encrypt, even if they chain up to IdenTrust, so I consider the Cloudflare view to be correct.
*I believe by using that term they wanted to highlight that they do not list subordinate CAs there, only CAs that own roots.
[You can now argue that LE does not have any root(s), only ISRG and therefore LE is a subordinate CA]
Yes, that's what I'm looking for. If a significant portion of "the Internet" breaks for those clients, it will be easier for small site owners to deal with, as they won't appear to be the ones to blame.
But I expect it will be a large number of smaller sites, not the "big" ones, with perhaps Wikipedia as most notable exception. Hence this query.
I'll look into that. Alexa top-100 or something like that.
Only the Alexa top-50 is freely available, of which Wikipedia is indeed the only ISRG/Let's Encrypt issued certificate.
DigiCert dominates the list with 28 sites, followed by GlobalSign with 8.
(I couldn't reach some of the China-based websites in the list.)
Strangely, this time Wikipedia came out with a DigiCert certificate instead of Let's Encrypt (repeatedly). Are they using different certificates on different load balancer endpoints or something like that?
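
The survey suggested in the thread (which CA each site on a list uses), as an added example that is not part of any post above. It assumes Python's standard `ssl` module, groups by the issuer's organization field, and connects to every resolved address separately so that a site serving different issuers on different endpoints shows up; the function names are this example's own.

```python
import socket
import ssl
import sys
from collections import Counter

def issuer_org(cert):
    """organizationName of the issuer in an ssl getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "(no issuer organization)"

def endpoints(host, port=443):
    """Every distinct address the name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_cert(host, addr, port=443, timeout=5.0):
    """Connect to one address, send SNI for host, return the validated leaf."""
    ctx = ssl.create_default_context()
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def survey(hosts, resolve=endpoints, fetch=fetch_cert):
    """Map host -> {issuer organization: [addresses that served it]}."""
    result = {}
    for host in hosts:
        seen = result.setdefault(host, {})
        try:
            addrs = resolve(host)
        except OSError:  # DNS failure: host stays in the report, empty
            continue
        for addr in addrs:
            try:
                org = issuer_org(fetch(host, addr))
            except OSError as exc:  # timeouts, refusals and ssl.SSLError
                org = f"(failed: {type(exc).__name__})"
            seen.setdefault(org, []).append(addr)
    return result

def tally(result):
    """Sites per issuer; a site serving two issuers counts once for each."""
    return Counter(org for seen in result.values() for org in seen)

if __name__ == "__main__":
    report = survey(sys.argv[1:])  # hostnames from the command line
    print(report, tally(report).most_common(), sep="\n")
```

Because the leaf is validated against the local trust store, a client whose store no longer trusts the chain is reported as `(failed: SSLCertVerificationError)` rather than with an issuer.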