List of major websites with LE certificate?

Hi

Just to estimate the magnitude of impact on end-users with older macOS / iOS versions when DST Root X3 expires (and for whom the Android workaround won't help), is there a list somewhere of major websites that are using Let's Encrypt certificates? Like Wikipedia etc.

If significant portions of the Internet become unusable for those clients, they will be less likely to blame (smaller) individual LE certified websites. Or at least those smaller site owners can tell them "please test Wikipedia as well" to convince customers the issue is on their side.

Found in this topic:

2 Likes

In case there is no such list...
Here is a first entry:
Stanford University
Here is a second entry:
National Security Agency (nsa.gov)

2 Likes

Looks like this might be relevant:
https://trends.builtwith.com/websitelist/LetsEncrypt

3 Likes

Let's Encrypt has around 200 million unexpired certificates, among around 80 million registered domains.

Let's Encrypt issues more than two-thirds of all certificates issued on any given day.

https://ct.cloudflare.com/

A list of sites that don't use Let's Encrypt might be shorter. :slight_smile:

3 Likes

Updated my first post with the addition of:
National Security Agency (nsa.gov)

1 Like

I did not know that! That's just too funny and cool at the same time!

"Merkle Town" lists Let's Encrypt as the largest "ROOT CERTIFICATE AUTHORITIES", but seeing that LE still chains up to an IdenTrust root by default, is that even correct? Shouldn't that be IdenTrust strictly speaking?

2 Likes

That's not necessarily a correct comparison, given the 90 days lifetime and 60 days renewal cycle, vs. 1 year for most other CAs. You should probably divide that number by a factor of 4 to 6 to get a comparable number.

Also, big corporate-backed websites are more likely to be using an OV/EV certificate rather than a DV.

1 Like

Well, it's based on certificate transparency logs, which are primarily for logging leaf certificates. So I'm assuming the statistics would be based on the owner of the leaf-signing intermediate. Or I suppose it might be based on which policy OID is embedded in the leaf, but I suspect that amounts to basically the same thing.

Fair enough. Even doing that, though, Let's Encrypt is a pretty big number.

I suppose somebody should do a project (if it hasn't been done already) of looking at the top x websites based on some major list and seeing which CA they each use.

2 Likes

The term root CA they use there is probably a misnomer*, as they're listing company/trademark names, not actual roots. They most likely have internal mapping logic that maps certain issuers to a company, e.g. maybe they check the org field of the intermediate issuer(s) and don't even care to what root you chain up. From a "legal" perspective, LE certs are issued by Let's Encrypt under LE CPS, so they do belong to Let's Encrypt, even if they chain up to IdenTrust, so I consider the Cloudflare view to be correct.

*I believe by using that term they wanted to highlight that they do not list subordinate CAs there, only CAs that own roots.

[You can now argue that LE does not have any root(s), only ISRG and therefore LE is a subordinate CA]

2 Likes

Yes, that's what I'm looking for. If a significant portion of "the Internet" breaks for those clients, it will be easier for small site owners to deal with, as they won't appear to be the ones to blame.
But I expect it will be a large number of smaller sites, not the "big" ones, with perhaps Wikipedia as most notable exception. Hence this query.

I'll look into that. Alexa top-100 or something like that.

1 Like

Only the Alexa top-50 is freely available, of which Wikipedia is indeed the only ISRG/Let's Encrypt issued certificate.
DigiCert dominates the list with 28 sites, followed by GlobalSign with 8.

(I couldn't reach some of the China-based websites in the list.)

But this sample is of course way too small.

Stack Overflow is on the list at #47, and that looks like a Let's Encrypt cert to me.

1 Like

From this copy of Alexa-1000, I find the following websites with a Let's Encrypt certificate:
(hopefully I won't get blocked for link spam here :slight_smile: )

Strangely, this time Wikipedia came out with a DigiCert certificate instead of Let's Encrypt (repeatedly). Are they using different certificates on different load balancer endpoints or something like that?

3 Likes

Looks like it.

https://crt.sh/?Identity=wikipedia.org&exclude=expired

https://wikitech.wikimedia.org/wiki/HTTPS/Unified_Certificates

1 Like

Btw, all sites above have R3-issued certificates, no E1 yet. :wink:

1 Like
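The survey several posters describe above (checking which CA signed the leaf certificate of each host in a top-N list, attributing by the leaf-signing intermediate as CT-based statistics do, and telling R3 from E1) can be scripted with nothing but the Python standard library. The block below is an added example, not code from this thread or from Let's Encrypt: the hostnames and certificate dicts in SAMPLE_CERTS are constructed to have exactly the shape ssl.SSLSocket.getpeercert() returns, and survey() is the only part that touches the network.

```python
"""Which CA signed each site's leaf certificate? (added example, stdlib only)

ssl.SSLSocket.getpeercert() exposes the fields of the *leaf* certificate, so
the issuer it reports is the leaf-signing intermediate (for Let's Encrypt the
RSA intermediate "R3" or the ECDSA intermediate "E1"). Attributing a site to
the organisation named in that issuer is the same approach CT-log statistics
use, regardless of which root the chain ends at.
"""
import socket
import ssl
from collections import Counter


def rdn_to_dict(name):
    """Flatten the nested RDN tuples from getpeercert() into {attribute: value}."""
    flat = {}
    for rdn in name:
        for attr, value in rdn:
            flat[attr] = value
    return flat


def classify_issuer(cert):
    """Return (issuer organisation, issuer CN) for a getpeercert()-style dict."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    return (issuer.get("organizationName", "<unknown>"),
            issuer.get("commonName", "<unknown>"))


def is_lets_encrypt(cert):
    """True when the leaf was signed by a Let's Encrypt intermediate (R3, E1, ...)."""
    return classify_issuer(cert)[0] == "Let's Encrypt"


def tally_issuers(certs_by_host):
    """Count leaf-signing CAs and intermediates over {host: cert_dict}."""
    by_org = Counter()
    by_intermediate = Counter()
    for cert in certs_by_host.values():
        org, cn = classify_issuer(cert)
        by_org[org] += 1
        by_intermediate[f"{org} / {cn}"] += 1
    return by_org, by_intermediate


def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a host presents (needs network access).

    Verification must stay on: getpeercert() returns an empty dict for an
    unverified connection. A client whose trust store cannot build a chain
    (for instance one that only knows the expired DST Root X3 and not
    ISRG Root X1) fails here with ssl.SSLCertVerificationError, which is
    itself the symptom this thread is about.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def survey(hosts):
    """Network version of the survey; unreachable hosts are reported and skipped."""
    certs = {}
    for host in hosts:
        try:
            certs[host] = fetch_leaf_cert(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: skipped ({exc})")
    return certs


# Constructed sample data in the exact shape getpeercert() returns.
# Hostnames and issuers are made up for the example; this is not a record of
# any real site's certificate.
SAMPLE_CERTS = {
    "alpha.example.test": {
        "subject": ((("commonName", "alpha.example.test"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Let's Encrypt"),),
                   (("commonName", "R3"),)),
    },
    "beta.example.test": {
        "subject": ((("commonName", "beta.example.test"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "Let's Encrypt"),),
                   (("commonName", "E1"),)),
    },
    "gamma.example.test": {
        "subject": ((("commonName", "gamma.example.test"),),),
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "DigiCert Inc"),),
                   (("commonName", "DigiCert Example Intermediate CA"),)),
    },
    "delta.example.test": {
        # Self-signed leaf: issuer equals subject and carries no organization.
        "subject": ((("commonName", "delta.example.test"),),),
        "issuer": ((("commonName", "delta.example.test"),),),
    },
}


if __name__ == "__main__":
    by_org, by_intermediate = tally_issuers(SAMPLE_CERTS)
    for org, n in by_org.most_common():
        print(f"{n:3d}  {org}")
    for name, n in by_intermediate.most_common():
        print(f"{n:3d}  {name}")
    # Swap SAMPLE_CERTS for survey(["wikipedia.org", ...]) to run it live.
```

Running it live from an up-to-date machine gives the CA tally; running the same script from a client with an old trust store turns the survey into a test of that client, because every Let's Encrypt site whose chain it cannot validate shows up as "skipped" with a verification error.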