From 68243342e95787dce6cf4d99351aa2912820af0d Mon Sep 17 00:00:00 2001 From: scottmakestech <83726258+scottmakestech@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:02:26 -0600 Subject: [PATCH 1/4] Blog: A Note from our Executive Director --- content/en/post/2025-12-29-eoy-letter-2025.md | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 content/en/post/2025-12-29-eoy-letter-2025.md diff --git a/content/en/post/2025-12-29-eoy-letter-2025.md b/content/en/post/2025-12-29-eoy-letter-2025.md new file mode 100644 index 000000000..657fa2206 --- /dev/null +++ b/content/en/post/2025-12-29-eoy-letter-2025.md @@ -0,0 +1,32 @@ +--- +author: Josh Aas +date: 2025-12-29T00:00:00Z +slug: eoy-letter-2025 +title: "A Note from our Executive Director" +excerpt: "A year of growth and progress." +display_default_footer: true +--- + +
+
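Review bot: the front matter in this hunk sets `date: 2025-12-29T00:00:00Z`, a week after the commit date (Mon, 22 Dec 2025), so confirm the site build treats future-dated posts the way you intend (held until the 29th, or published as soon as this merges); only the front matter and the blank line after it are visible in this view, so the remaining lines of the 32-line hunk can't be reviewed here.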
@@ -21,9 +21,9 @@ I'm also particularly proud of the things we did to improve privacy this year, a
At the start of 2025 we were serving over four billion Online Certificate Status Protocol (OCSP) requests per day. That's 180 million per hour, or 50,000 per second. OCSP has been an important mechanism for providing certificate revocation information for a long time, but the way it works is bad for privacy. It requires browsers to check with certificate authorities for every website they visit, which is basically providing your browsing history to third parties. Let's Encrypt never held onto that data; it got dropped immediately. However, there is no way to know if that was standard practice across the industry, and even well-intentioned CAs could make a mistake or be compelled to save that data. It was a system ripe for abuse, so we decided to become the first major CA to turn off our OCSP service. We couldn't be sure what the full impact would be, but this was a way in which the Internet needed to get better. In August of 2025 we turned off our OCSP service. There was no major fallout and we haven't looked back.
-Another big privacy-focused change we made to Let's Encrypt in 2025 was no longer storing subscriber email addresses in our CA database, associated with issuance data. In June of this year we stopped adding the optional email addresses that subscribers send to our database, and we deleted the millions of email addresses that had accumulated over the years. Making this change was not an easy thing to decide to do---it limits our ability to contact subscribers and we had to turn off our expiration reminder email service---but we feel the ecosystem has grown enough over the past ten years that the privacy implications of holding onto the email addresses outweighed the utility.
+Another big privacy-focused change we made to Let's Encrypt in 2025 was no longer storing subscriber email addresses in our CA database, associated with issuance data. In June of this year we stopped adding the optional email addresses that subscribers send to our database, and we deleted the millions of email addresses that had accumulated over the years. Making this change was not an easy thing to decide to do—it limits our ability to contact subscribers and we had to turn off our expiration reminder email service—but we feel the ecosystem has grown enough over the past ten years that the privacy implications of holding onto the email addresses outweighed the utility.
-Privacy was at the forefront for the folks at ISRG researching human digital identity as well. They have been hard at work on an implementation of the Anonymous Credentials from ECDSA scheme, also known as [Longfellow](https://datatracker.ietf.org/doc/draft-google-cfrg-libzk/). This is a cryptographic library that can be used in digital identity management, including things like digital wallets, in order to improve privacy when sharing credentials. Digital identity systems should have strong privacy and compatibility requirements, but such requirements pose challenges that existing digital credential technologies are going to struggle to meet. New schemes such as Longfellow aim to address these challenges, bringing privacy improvements to systems that need to work with existing cryptographic hardware. This is exciting stuff, but not easy to build (so much math!)---watching our talented engineers make progress has been thrilling.
+Privacy was at the forefront for the folks at ISRG researching human digital identity as well. They have been hard at work on an implementation of the Anonymous Credentials from ECDSA scheme, also known as [Longfellow](https://datatracker.ietf.org/doc/draft-google-cfrg-libzk/). This is a cryptographic library that can be used in digital identity management, including things like digital wallets, in order to improve privacy when sharing credentials. Digital identity systems should have strong privacy and compatibility requirements, but such requirements pose challenges that existing digital credential technologies are going to struggle to meet. New schemes such as Longfellow aim to address these challenges, bringing privacy improvements to systems that need to work with existing cryptographic hardware. This is exciting stuff, but not easy to build (so much math!)—watching our talented engineers make progress has been thrilling.
The last example of great privacy work I want to highlight from 2025 is our Prossimo project's work towards encrypted recursive-to-authoritative DNS. Prossimo is focused on bringing memory safety to critical software infrastructure, but sometimes that dovetails nicely with other initiatives. DNS queries are fundamental to the operation of the Internet. Without getting into the details here too much, there are basically two types of DNS queries: stub-to-recursive and recursive-to-authoritative. A lot of work has gone into encrypting stub queries over the past decade, mostly through DNS over HTTPS (DoH) initiatives. Authoritative queries, however, remain almost entirely unencrypted. This is a particular problem for Certificate Authorities like Let's Encrypt. During 2025, our Prossimo project started work on changing that, investing heavily in encrypted authoritative resolution by implementing [RFC 9539](https://datatracker.ietf.org/doc/rfc9539/) Unilateral Opportunistic Deployment of Encrypted Recursive‑to‑Authoritative DNS and other related improvements in Hickory DNS. Once this is ready, early in 2026, Hickory DNS will be a high performance and memory safe option that DNS operators can use to start making and receiving encrypted authoritative DNS queries. It can also be used for integration testing with other DNS implementations.
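Review bot: the `---` to `—` substitution is correct for the two prose lines changed here ("do---it limits" and "(so much math!)---watching"), but if it was done as a file-wide search-and-replace it also matches the YAML front matter fences on lines 1 and 11 of this file, which must stay `---` for the front matter to be recognized; scope the replacement to the body below the front matter and check with something like `grep -n '^—$' content/en/post/2025-12-29-eoy-letter-2025.md` before committing. While normalizing punctuation in this file, note that the RFC 9539 title in the unchanged context line appears to use non-breaking hyphens ("Recursive‑to‑Authoritative") where the same phrase earlier on that line uses ASCII hyphens; normalizing those to ASCII keeps the title searchable.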
From eee3c543dfa119dc31951d392d94d156a58b3ab6 Mon Sep 17 00:00:00 2001
From: scottmakestech <83726258+scottmakestech@users.noreply.github.com>
Date: Tue, 23 Dec 2025 14:11:30 -0600
Subject: [PATCH 4/4] Em dash
---
content/en/post/2025-12-29-eoy-letter-2025.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/en/post/2025-12-29-eoy-letter-2025.md b/content/en/post/2025-12-29-eoy-letter-2025.md
index 9db547711..d83f33daa 100644
--- a/content/en/post/2025-12-29-eoy-letter-2025.md
+++ b/content/en/post/2025-12-29-eoy-letter-2025.md
@@ -1,11 +1,11 @@
-—
+---
author: Josh Aas
date: 2025-12-29T00:00:00Z
slug: eoy-letter-2025
title: "A Note from our Executive Director"
excerpt: "A year of growth and progress."
display_default_footer: true
-—
+---
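Review bot: restoring `---` on lines 1 and 11 is required, since the YAML front matter fence must be exactly three ASCII hyphens and a `—` there leaves `author`, `date`, `slug`, `title`, `excerpt` and `display_default_footer` unparsed as front matter; because this undoes a regression introduced by the em dash replacement earlier in this same series, squash it into that commit so no intermediate commit leaves the post unbuildable, and give the commit a message that says what it fixes rather than just "Em dash", e.g. "Restore front matter delimiters clobbered by em dash replacement".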