---
pubDate = 2026-06-19T05:18:46
tags = ['https', 'web', 'cryptography']
lang = "en"
type = "note"

[author]
name = "ache"
email = "ache@ache.one"

[[alt_lang]]
lang = "fr"
url = "/notes/verrou-états-unien-du-web"
---

# The US lock on the Web

![Illustration of a signed certificate with the US flag](res/certificat-signed-usa-alt.svg)

Let's talk about **Let's Encrypt**.

Recently, in case you haven't noticed, **Let's Encrypt**, the world's leading certificate authority, has added to its terms of use that [it applies U.S. sanctions](https://linuxiac.com/lets-encrypt-certificate-rules-now-include-u-s-sanctions-warranties/). This isn't surprising, but it raises questions. The application of U.S. law to critical web infrastructure constitutes a major geopolitical weapon.

::::details What is _Let's Encrypt_?

**Let's Encrypt** is the most well-known web certificate authority in the world. Born from a collaborative effort by Mozilla and the Electronic Frontier Foundation, the most active non-profit organization defending digital rights, Let's Encrypt has greatly contributed to putting the little HTTPS padlock icon in your address bar.

:::attention
If you don't know what Let's Encrypt or a certificate authority is, then this blog post may not be entirely for you. Simply understand that we are talking about the padlock in your browser's address bar.
:::

In order to democratize the use of HTTPS, Let's Encrypt revolutionized certification on two points:

- _Free of charge._ Certification by Let's Encrypt is free, period. In 2014, a certificate from a competitor was VERY expensive. Even today, it is the main reason most actors choose **Let's Encrypt**. For information, a certificate costs €188/year at [GlobalSign]... for [a generic certificate] at Sectigo.
- _Automation._ While obtaining a certificate in 2014 required a long verification process, payment, and then manual renewal, Let's Encrypt automates everything.
This facilitates everyone's work and contributes to a safer web.

::::

## Dependence on Let's Encrypt

A year ago, [Stéphane Bortzmeyer] posted on Mastodon that 80% of certificates on the web came from **Let's Encrypt**. Naturally, I wanted to verify this. In particular, I wanted to check to what extent _I myself_, an average European, was dependent on _Let's Encrypt_.[^ca_ache.one]

[^ca_ache.one]: For information, all my certificates are issued by _Let's Encrypt_, including the one for this website.

My first idea was to retrieve data from a [Certificate Transparency log](https://letsencrypt.org/fr/docs/ct-logs/). However, this would not reflect my concrete dependency on **Let's Encrypt**, and it requires a lot of resources: these logs are measured in tens of terabytes, so I will let their operators compute their own statistics.

It turns out that Cloudflare already has a dashboard on this:

[![Cloudflare's dashboard about certificate issuers](./res/cloudflare_dashboard_certificate_issuers.png)](https://radar.cloudflare.com/explorer?dataSet=ct&groupBy=ca_owner&filters=uniqueEntries%253Dtrue)

:::details From Cloudflare's data:

|     | CA                    | Percentage of issued certificates |
| --: | :-------------------- | --------------------------------: |
|   1 | Let's Encrypt         |                               52% |
|   2 | Google Trust Services |                               17% |
|   3 | Sectigo               |                               15% |
|   4 | GoDaddy               |                                6% |
|   5 | Amazon                |                                4% |
|   6 | DigiCert              |                              2.5% |
|   7 | Microsoft             |                              1.4% |
|   8 | SSL.com               |                             0.69% |

If one includes duplicate certificates, that is, several certificates for the same domain name, then **Let's Encrypt** is proportionally slightly more productive, but this does not change the ranking of the certificate authorities (except for GoDaddy).

:::

To analyze my personal reliance on Let's Encrypt, I instead opted for a Firefox extension. It analyzes all the sites I visit and records the associated certificate authority on the first visit to each website (within the current month).
I present [Cert Check](https://addons.mozilla.org/fr/firefox/addon/cert-check/). I installed this extension last year on all my devices, so I can be very precise about my concrete dependence on each certificate authority.

## Is there a Let's Encrypt monopoly?

Yes, Let's Encrypt is indeed the certificate authority most used by the sites I visit. But no, it is not 80% of the sites I visit, and it remains below Cloudflare's figures.

Over the last month:

|     | CA                    | Percentage visited |
| --: | :-------------------- | -----------------: |
|   1 | Let's Encrypt         |             46.098 |
|   2 | Google Trust Services |              32.40 |
|   3 | DigiCert              |               7.58 |
|   4 | Amazon                |               5.26 |
|   5 | GlobalSign            |               2.93 |
|   6 | Sectigo               |               2.93 |
|   7 | USERTrust             |               1.34 |
|   8 | Go Daddy              |               0.37 |
|   9 | Certigna              |               0.37 |
|  10 | HARICA                |               0.37 |
|  11 | SSL.com               |               0.24 |
|  12 | SwissSign             |               0.12 |

![Table of the percentage of certificates per CA for the websites I visited in the last month](res/certificate_visited_dep_last_month.png)

However, if I take into account all the sites that Firefox has requested, not only those I visited, Google is the most prolific certificate authority.

:::note
"Visited sites" are those that appeared in my address bar. "Requested sites" are those to which my browser made an HTTPS request, such as an image displayed on a webpage but hosted by another site (which I did not visit directly).
:::

For the last month:

|     | CA                    | Percentage loaded |
| --: | :-------------------- | ----------------: |
|   1 | Google Trust Services |             29.76 |
|   2 | Let's Encrypt         |             28.97 |
|   3 | GlobalSign            |             12.67 |
|   4 | Amazon                |             11.36 |
|   5 | DigiCert              |              8.43 |
|   6 | USERTrust             |              3.82 |
|   7 | Sectigo               |              2.07 |
|   8 | Go Daddy              |              1.52 |
|   9 | HARICA                |              0.42 |
|  10 | SSL.com               |              0.26 |
|  11 | Buypass               |              0.23 |
|  12 | Certigna              |              0.19 |
|  13 | Certum                |              0.07 |
|  14 | COMODO RSA            |              0.06 |
|  15 | Deutsche Telekom      |              0.06 |
|  16 | IdenTrust             |              0.03 |
|  17 | Entrust               |              0.02 |
|  18 | Actalis               |              0.02 |
|  19 | SwissSign             |              0.02 |
|  20 | emSign                |             0.005 |

![Table of the percentage of certificates per CA for the domains loaded by my browser in the last month](res/certificate_loaded_dep_last_month.png)

Thus, approximately 46% of the sites I visit have a certificate issued by Let's Encrypt, and 30% of the certificates my browser has used are from Google. My concrete dependence on Google is astonishing, especially considering that I do not use a Google account daily and that Google is not even my default search engine!

## A U.S. Dependence

Many actors were offended when _Let's Encrypt_ modified its terms of use, but few people denounced the American hegemony over the certification infrastructure.

What my small experiment highlights is not only that _Let's Encrypt_ is the Achilles' heel of security on the Internet. It also means that the **United States signed more than 95% of the certificates of the websites I visited**. The first non-U.S. issuer is [GlobalSign](https://en.wikipedia.org/wiki/GlobalSign) (headquartered in Europe, but now more global than European), which signed 3% of the certificates; the second is [HARICA](https://harica.tbs-certificats.com/), a Greek public CA, with 0.34%[^geomys].
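As an added example (not the author's extension and not its data), here is a small Python script in the spirit of the measurement above: it reads the issuer organization out of a TLS handshake, keeps one record per site and month as the extension does, and tabulates the share per CA and, using an assumed CA-to-country mapping, per jurisdiction. The hostnames, the sample log and the country mapping are constructed.

```python
import socket
import ssl
from collections import Counter

def issuer_org(cert):
    """Issuer organizationName from the dict returned by ssl.SSLSocket.getpeercert().
    The "issuer" entry is a tuple of RDNs, each a tuple of (attribute, value) pairs."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return "unknown"

def fetch_issuer(host, port=443, timeout=5.0):
    """Open a validated TLS connection to host and report who issued its leaf certificate."""
    ctx = ssl.create_default_context()  # validates the chain against the system trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_org(tls.getpeercert())

def first_visit_per_month(records):
    """Keep one (host, issuer) per host and month, as the extension counts a site."""
    seen, kept = set(), []
    for date, host, issuer in sorted(records):
        key = (date[:7], host)  # "YYYY-MM" plus host
        if key not in seen:
            seen.add(key)
            kept.append((host, issuer))
    return kept

def share(records, key=lambda issuer: issuer):
    """Percentage of records per key: CA name by default, or e.g. its country via CA_COUNTRY."""
    counts = Counter(key(issuer) for _, issuer in records)
    total = sum(counts.values())
    return {k: round(100 * v / total, 2) for k, v in counts.most_common()}

# Assumed country of each CA's legal entity; only CAs named in the post are listed.
CA_COUNTRY = {"Let's Encrypt": "US", "Google Trust Services": "US", "DigiCert": "US",
              "Amazon": "US", "Sectigo": "US", "GlobalSign": "BE", "HARICA": "GR"}

# Constructed sample log (date, host, issuer organization), not real browsing data.
SAMPLE = [
    ("2026-05-03", "example.org", "Let's Encrypt"),
    ("2026-05-04", "example.org", "Let's Encrypt"),  # repeat visit in May: ignored
    ("2026-05-05", "cdn.example.net", "Google Trust Services"),
    ("2026-05-09", "shop.example.com", "DigiCert"),
    ("2026-05-10", "api.example.eu", "GlobalSign"),
    ("2026-05-12", "uni.example.gr", "HARICA"),
    ("2026-06-01", "example.org", "Let's Encrypt"),  # new month: counted again
]
```

Running `share(first_visit_per_month(SAMPLE), key=lambda i: CA_COUNTRY.get(i, "other"))` gives the jurisdiction split; `fetch_issuer("example.org")` is the only part that needs network access.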
Worse still, 100% of browsers are subject to U.S. law, even if they have not enforced it until now, and only two of the 8 [certificate transparency logs](https://certificate.transparency.dev/logs/) are European. Only one is Asian!

[^geomys]: I did not know about [Geomys](https://geomys.org/). It is a CT log created by [Filippo Valsorda](https://filippo.io/), an Italian cryptographer well known in the free software world. I classified it as European, but let's be honest, its funding is private and of U.S. origin.

The conclusion is clear: the United States has the capacity to subject all actors in the global web security infrastructure to its extraterritorial jurisdiction. Certificate signing today is concentrated in the hands of a handful of actors whose legal, financial, and jurisdictional roots lie in the United States.

:::attention
Here, I focused on certificate authorities, but far too much infrastructure depends on U.S. regulatory power.
:::

Even browsers (Chrome/Google, Firefox/Mozilla, Safari/Apple, and Edge/Microsoft) are subject to American law, which means that the master list of trusted root certificates is, in reality, a backdoor into our digital privacy. This constitutes not only an operational risk but a structural flaw of sovereignty.

It is a global effort that we must undertake to regain a healthier ecosystem, and not only in Europe. Asia is represented only by China, and the absence of any actor originating from Africa or Latin America is concerning.

Our response should involve several concrete areas:

- Diversifying root certificate authorities and transparency logs.
- Raising awareness among non-U.S. players, whether a German host or an Indian developer, about their dependence. It is necessary to realize that supporting the most local infrastructure possible contributes to the resilience of the web.
- Investing in the development of free web browsers and, more generally, in open source software.
The cost sharing provided by open source is the only coherent answer to U.S. hegemony.

**The Web remains a global common good.** Its security must not become a lever of pressure dependent on electoral cycles or Washington's trade tensions. It falls to all of us to restore this balance before digital trust is instrumentalized.