That’s a sharp observation. The way Let’s Encrypt (operated by ISRG, with EFF, Mozilla, Akamai, Cisco and the University of Michigan as founding partners) became a trusted public CA does look like it happened “overnight,” but in reality it was years of behind-the-scenes coordination and heavy institutional backing.
Here’s how it unfolded:
1. Who actually stood behind Let’s Encrypt
Although the EFF was a co-founder, the real muscle came from:
- ISRG (Internet Security Research Group) – a nonprofit created in 2013 specifically to operate Let’s Encrypt.
- Mozilla, Cisco, Akamai, and the University of Michigan – founding sponsors who already had clout with browsers and standards bodies.
- EFF – co-founder, public-interest advocate and maintainer of the Certbot client; it never operated the CA itself (ISRG does).
So while the EFF gave it a “civil liberties” face, the effort was backed by deep-pocketed infrastructure companies.
2. Root inclusion process
To become a publicly trusted CA, you need your root certificate accepted by each major root program (Mozilla’s, whose process is public and usually goes first, then Apple, Microsoft, Google/Android and others). This requires:
- Passing WebTrust audits (third-party compliance audits).
- Showing strong security, incident response, and governance.
- Submitting requests to each vendor’s root inclusion program.
Let’s Encrypt started that process in 2015: ISRG Root X1 was generated in June 2015 and submitted to the root programs, and by August 2018 every major program trusted it directly, but older operating systems and devices only pick up new roots with updates, so full propagation took years. A CA never issues subscriber certificates straight from its root anyway; it issues from intermediates. So Let’s Encrypt had its intermediates cross-signed by IdenTrust’s DST Root CA X3, a root browsers had trusted for years, and every certificate it issued chained to that root while ISRG Root X1 worked its way through the pipeline.
That cross-sign is the real reason it looked like they appeared “overnight.” Users saw trusted certificates from Let’s Encrypt right away, even though the trust anchor their browsers actually validated against was IdenTrust’s root, not ISRG’s.
3. Why there was little industry pushback
You’re right: Let’s Encrypt blew up the traditional SSL business model (Symantec, Thawte, Network Solutions, etc., all lived on $50–$500/year certificates). But several factors muted the outcry:
- SSL was already commoditized. By the early 2010s, basic DV (domain-validated) certs were cheap: some resellers were charging $5/year. The “$499 SSL cert” gravy train was already dying.
- Browsers were moving toward 100% HTTPS. Google, Mozilla, and Apple wanted encryption everywhere. To get there, free + automated issuance was the only way.
- The incumbents shifted focus. DigiCert, Entrust, etc., pivoted to EV/OV certs, enterprise identity, and managed PKI. They didn’t have leverage to block Let’s Encrypt without looking like they opposed “securing the web.”
- EFF’s public image. Any company publicly attacking EFF and Let’s Encrypt risked looking anti-security and anti-privacy.
4. The business model disruption
Yes — Let’s Encrypt effectively destroyed the “SSL certificate sales” industry for DV certs:
- NetSol, Thawte, GoDaddy, etc. lost their premium markup business.
- The market consolidated (Symantec’s certificate business was sold to DigiCert in 2017, and the Thawte, GeoTrust and RapidSSL brands went with it).
- Now, CAs make money on EV/OV certs, enterprise solutions, and PKI services — not basic HTTPS.
5. Why it felt “overnight”
- Cross-sign from IdenTrust = instant trust by browsers.
- Huge PR push by EFF and Mozilla = immediate adoption.
- Hosting providers (DreamHost, WordPress.com, GitHub Pages, etc.) integrated Let’s Encrypt very quickly, so it spread like wildfire.
✅ Summary:
EFF didn’t “sneak in” alone — Let’s Encrypt was a coalition with heavyweight backers (Mozilla, Cisco, Akamai, U. Michigan). They used IdenTrust’s cross-sign to bootstrap trust instantly. By the time their own root propagated through OS/browser trust stores, the ecosystem had already embraced them. Pushback was muted because the CA business for DV certs was already collapsing, and opposing “free HTTPS everywhere” would’ve been political suicide.
Timeline
Here’s the timeline of how Let’s Encrypt went from an idea to completely overturning the CA industry:
2012–2013: Conception
- Researchers at the University of Michigan and engineers at Mozilla discussed the need for an automated, free CA to push HTTPS everywhere.
- The Internet Security Research Group (ISRG) was founded in 2013 to operate what would become Let’s Encrypt.
- Early backers: Mozilla, Cisco, Akamai, EFF, U. Michigan.
2014: Public announcement
- November 2014: “Let’s Encrypt” project announced.
- Mission: free, automated, open CA to issue domain-validated (DV) certs at scale.
- Industry incumbents (Symantec, GoDaddy, Network Solutions, etc.) quietly watch; no open resistance yet.
2015: Technical launch
- June 2015: ISRG Root X1 and the first intermediates are generated; applications to the browser and OS root programs follow.
- September 2015: First certificate issued (not yet trusted by browsers).
- October 2015: IdenTrust cross-signs Let’s Encrypt’s intermediates under DST Root CA X3. This was the critical move:
- It meant Let’s Encrypt certs were instantly trusted by all major browsers, before ISRG’s own root was accepted anywhere.
- December 2015: Public beta opens.
2016: General availability
- April 2016: Let’s Encrypt exits beta.
- Fully automated issuance via ACME protocol (Automatic Certificate Management Environment).
- Rapid adoption by hosting providers, CDNs, and small site owners.
- Certificate volume grows from zero to millions in less than a year.
2017: Explosive growth
- Let’s Encrypt surpasses 100 million certificates issued.
- Browser makers (Google, Mozilla) start marking HTTP as “Not Secure,” further driving adoption.
- The CA industry is visibly collapsing in the DV market — many companies stop selling low-end SSL.
2017–2018: Symantec collapse, DigiCert takeover
- Google and Mozilla distrust Symantec’s CA business due to repeated mis-issuance incidents.
- DigiCert acquires Symantec’s SSL/TLS business in 2017.
- Thawte, GeoTrust, and RapidSSL brands are folded into DigiCert.
- By this point, Let’s Encrypt dominates DV cert issuance worldwide.
2018–2020: HTTPS everywhere
- Let’s Encrypt becomes the largest CA by volume (hundreds of millions of certs).
- The cost of a DV certificate drops effectively to $0.
- Commercial CAs pivot to EV/OV, enterprise PKI, IoT certificates.
2021–Present: Ubiquity
- Over 260 million active certificates (as of 2021).
- Powers TLS for ~250 million websites.
- ACME, the issuance protocol, is standardized by the IETF as RFC 8555 (2019) and is now used by other CAs and clients too.
- September 2021: DST Root CA X3 expires. To keep older Android devices working, IdenTrust had issued a fresh cross-sign of ISRG Root X1 under DST Root CA X3 (valid to September 2024); Let’s Encrypt stops serving it by default in June 2024 and it expires that September, after which trust rests entirely on ISRG’s own roots, which modern systems trust directly.
Why incumbents crumbled so fast
- Cross-sign trick: let them skip the 3–5 year trust store wait.
- Backers had leverage: Mozilla, Google, Cisco, Akamai.
- HTTPS push: browsers changed their UI, flagging plain HTTP as “Not Secure,” so encryption became the expected default.
- Public perception: free certs = privacy + security; opposing = bad PR.
- Economics: resellers were already selling DV certs for $5/year. The profit margin was thin, and Let’s Encrypt made it zero.
✅ By 2018, the “SSL cert industry” was effectively dead for DV certs.
What survived was enterprise-scale identity verification (OV/EV) and private PKI services — but the easy money of selling basic HTTPS was gone.
Trojan Horse of Undoing
How the cross-sign with IdenTrust worked technically (and why browsers trusted Let’s Encrypt certificates without waiting years):
IdenTrust wasn’t a “Trojan Horse”; it was a strategic, openly announced partner that accelerated Let’s Encrypt’s path to trust. Here is how and why:
IdenTrust: Who Are They?
- Founded in 1999 by major banks including ABN AMRO, Barclays, Citibank, Bank of America, Deutsche Bank, and others.
- Provides PKI services to financial institutions, healthcare, government agencies, and enterprises worldwide.
- Acquired by HID Global in 2014, becoming part of a major identity and security conglomerate (Wikipedia).
- Known for robust security practices, accredited as a trusted CA (e.g., General Services Administration certification) (Wikipedia).
Why IdenTrust and Let’s Encrypt Partnered
- Let’s Encrypt (operated by ISRG) needed immediate trust in web browsers. Creating your own root CA and getting it in all trust stores can take years—often 3–5 years or more (Scott Helme).
- The solution: cross-signing. IdenTrust’s well-established root (DST Root CA X3) signed Let’s Encrypt’s intermediate CA certificates, so any certificate Let’s Encrypt issued chained to a root already present in every major trust store, with no need to wait for ISRG’s own root to be added (Wikipedia).
- In technical terms, cross-signing is a standard PKI method to bootstrap trust—the “overnight” trust wasn’t a mystery, it was simply cross-signing in action (Scott Helme).
The Timeline of Trust-Bootstrapping
- June 2015: ISRG issues its root (ISRG Root X1) and intermediates.
- October 2015: IdenTrust cross-signs those intermediates—making Let’s Encrypt certificates initially trusted across the web (Wikipedia).
- Over time, as ISRG’s root became more widely trusted, the dependency on IdenTrust diminished.
- September 2020: ISRG Root X2 (ECDSA) is generated; it is cross-signed by ISRG Root X1 itself, not by IdenTrust, so clients that only have X1 can still validate ECDSA chains.
- By mid-2024 Let’s Encrypt had stopped serving the IdenTrust cross-signed chain (the cross-sign expired on 30 September 2024), and trust now rests on ISRG’s own roots, which are in every major store (The SSL Store, e2encrypted.com).
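To make the mechanism concrete, here is an added Go example (not Let’s Encrypt or IdenTrust code; every name, key and date in it is constructed, except that the old root’s expiry copies DST Root CA X3’s real date of 30 September 2021). It builds a toy version of the hierarchy: two independent roots, one intermediate key carried by two certificates (one signed by each root), and a 90-day leaf. It then asks Go’s standard X.509 path builder to validate the leaf against trust stores holding only the old root, only the new root, both, or neither, and again after the old root has expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed stand-in for the cross-signed Let's Encrypt hierarchy:
// one intermediate key carried by two certificates, each signed by a different root.
type PKI struct {
	OldRoot     *x509.Certificate // plays DST Root CA X3 (IdenTrust); expires 2021-09-30
	NewRoot     *x509.Certificate // plays ISRG Root X1
	InterViaOld *x509.Certificate // intermediate signed by OldRoot: the cross-sign
	InterViaNew *x509.Certificate // the same intermediate key, signed by NewRoot
	Leaf        *x509.Certificate // end-entity certificate signed with the intermediate key
}

// Assumed dates: a 90-day leaf issued 2021-09-01, checked before and after the old
// root's expiry. Only the expiry date itself (DST Root CA X3's) is real.
var (
	Issued       = time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC)
	BeforeExpiry = time.Date(2021, 9, 15, 0, 0, 0, 0, time.UTC)
	AfterExpiry  = time.Date(2021, 10, 16, 0, 0, 0, 0, time.UTC)
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with signerKey; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, cn string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: Issued.AddDate(-5, 0, 0), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildPKI generates fresh keys and the five certificates described above.
func BuildPKI() *PKI {
	oldKey, newKey, interKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()
	oldRoot := sign(caTemplate(1, "Constructed Old Root", time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC)), nil, &oldKey.PublicKey, oldKey)
	newRoot := sign(caTemplate(2, "Constructed New Root", Issued.AddDate(14, 0, 0)), nil, &newKey.PublicKey, newKey)
	// The cross-sign: same subject and same public key, different issuer and signature.
	interViaOld := sign(caTemplate(3, "Constructed Intermediate", Issued.AddDate(4, 0, 0)), oldRoot, &interKey.PublicKey, oldKey)
	interViaNew := sign(caTemplate(4, "Constructed Intermediate", Issued.AddDate(4, 0, 0)), newRoot, &interKey.PublicKey, newKey)
	leaf := sign(&x509.Certificate{
		SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"}, NotBefore: Issued, NotAfter: Issued.AddDate(0, 0, 90),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, interViaNew, &leafKey.PublicKey, interKey) // signed once; either intermediate cert validates it
	return &PKI{OldRoot: oldRoot, NewRoot: newRoot, InterViaOld: interViaOld, InterViaNew: interViaNew, Leaf: leaf}
}

// Verify validates the leaf at time `at` with the chosen roots as trust anchors and both
// intermediate certificates available, as a server would send them. Each accepted chain
// is returned as its subject CNs, leaf first.
func (p *PKI) Verify(trustOld, trustNew bool, at time.Time) ([][]string, error) {
	roots := x509.NewCertPool() // non-nil even when empty, so Go never falls back to the system store
	if trustOld {
		roots.AddCert(p.OldRoot)
	}
	if trustNew {
		roots.AddCert(p.NewRoot)
	}
	inters := x509.NewCertPool()
	inters.AddCert(p.InterViaOld)
	inters.AddCert(p.InterViaNew)
	chains, err := p.Leaf.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, Intermediates: inters, CurrentTime: at})
	if err != nil {
		return nil, err
	}
	var out [][]string
	for _, chain := range chains {
		var names []string
		for _, c := range chain {
			names = append(names, c.Subject.CommonName)
		}
		out = append(out, names)
	}
	return out, nil
}

func main() {
	p := BuildPKI()
	show := func(name string, trustOld, trustNew bool, at time.Time) {
		chains, err := p.Verify(trustOld, trustNew, at)
		fmt.Printf("%-34s chains=%v err=%v\n", name, chains, err)
	}
	show("old root only, before its expiry", true, false, BeforeExpiry)
	show("new root only", false, true, BeforeExpiry)
	show("both roots", true, true, BeforeExpiry)
	show("old root only, after its expiry", true, false, AfterExpiry)
	show("no roots", false, false, BeforeExpiry)
}
```

With both roots trusted the path builder returns two chains to the same leaf, which is exactly why a browser that had never heard of ISRG Root X1 still validated Let’s Encrypt certificates: the served chain ended in a subject that IdenTrust’s root had signed. The “after its expiry” case is the September 2021 situation: a client that trusted only DST Root CA X3 and checked its validity could no longer build a path, while anything trusting ISRG Root X1 was unaffected. One caveat the toy cannot show: some old Android releases do not check root expiry, which is what let Let’s Encrypt keep a later cross-sign in use past that date.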
Why No Outcry?
- It was open, honorable, and practical. Large browser vendors and security advocates supported it as an essential step toward HTTPS-for-all.
- Incumbent CAs were already in decline, especially for basic Domain-Validated (DV) certs. Let’s Encrypt upended the low-margin DV market, but that disruption aligned with broader industry momentum toward free, automated encryption.
- Transparency: Let’s Encrypt operated publicly, open-source, with clear goals. There was no deception—a legal and well-audited cross-signing agreement, followed by full public adoption.
Academic View
A 2020 paper, The Boon and Bane of Cross‑Signing, explains that while cross-signing has risks (like trust paths persisting after revocation), it’s crucial for “fast bootstrapping of new CAs” in a non-disruptive way—and Let’s Encrypt is a prime example (Wikipedia, arXiv).
Summary Table
| Entity | Role & Background |
|---|---|
| IdenTrust | Established bank-rooted CA under HID Global. Trusted and accredited. |
| Let’s Encrypt (ISRG) | Innovator pushing free, automated HTTPS; lacked initial browser trust. |
| Cross-signing | Technical bridge leveraging IdenTrust’s trust to bootstrap Let’s Encrypt’s CA status immediately. |
| Impact | Rapid global adoption of HTTPS with minimal friction and no consumer outcry. |
