Back in the bad old days, seeing HTTPS on a random site actually meant something.
Not something mystical. Not “this site is honest” or “the people behind it are kind.” It meant somebody had spent money, filed paperwork, wrestled with a certificate authority, installed the thing without breaking the web server, and renewed it before it expired. That was enough friction that HTTPS became a rough proxy for seriousness.
Phishing sites didn’t bother. The economics didn’t work. Why spend $150 on a certificate for a fake PayPal page you’d use for three days?
Then Let’s Encrypt showed up and blew that entire social signal to pieces.
Good. Also, not entirely good.
What Let’s Encrypt Did
Let’s Encrypt launched in December 2015 with a radical proposition: TLS certificates should be free, automated, and open. No payment. No manual renewal. Run a command, prove you control the domain, get a certificate. ACME turned certificate management into software instead of ceremony. Ninety-day lifetimes sounded aggressive at first, but they pushed operators toward automation instead of calendar reminders and dread.
The adoption curve tells the story. In 2015, roughly 40% of web page loads used HTTPS. Today it’s over 95%. Let’s Encrypt alone serves more than 700 million websites. They are, by volume, the largest certificate authority on the internet.
This is one of the most important infrastructure projects in internet history. I mean that without exaggeration. They solved the problem by removing the barriers: cost, complexity, and inertia.
And the benefits are not abstract. HTTPS by default shut down a lot of routine network meddling. ISPs could no longer inject ads into HTTP pages. Public Wi-Fi got less predatory. Passive surveillance lost easy wins. Session cookies stopped flying in cleartext across forgotten corners of sites. “Should we encrypt this page?” stopped being a meaningful question.
Phishing Got HTTPS
The moment certificates became free and automated, the economics flipped.
That fake PayPal page? Now it has HTTPS. Valid certificate. Padlock icon. Takes thirty seconds to set up. By 2019, over 80% of phishing sites used HTTPS. Today it’s essentially all of them. The phishing kit includes it by default.
The connection is perfectly secure. It just securely connects you to a server run by a criminal in another hemisphere who is currently saving your credit card number to a plaintext file.
This isn’t Let’s Encrypt’s fault, exactly. Domain Validation certificates only prove you control a domain — not that you’re a legitimate business. DV certificates were never meant to signal trust. They signal encryption. But for twenty years, users were trained: “Look for the padlock. The padlock means safe.” Every bank, every security guide, every browser tooltip reinforced this.
The padlock never meant “safe.” It meant “encrypted in transit.” When only legitimate sites had HTTPS, the padlock was a useful heuristic even though it was technically measuring the wrong thing. When every site has HTTPS, the heuristic collapses. The signal-to-noise ratio went to zero.
Chrome eventually said the quiet part out loud. In 2023, they noted that nearly all phishing sites use HTTPS and only 11% of study participants correctly understood what the lock icon meant. Then Chrome replaced the lock with a neutral icon and removed it entirely on iOS. That was not cosmetic cleanup. It was a confession.
Extended Validation Failed
The industry’s answer was Extended Validation certificates. Pay more, go through rigorous identity verification, get a special green bar with your company name in the browser. Create a tier above DV — “this certificate proves the organization is real.”
It didn’t work. Users didn’t notice the green bar. Studies showed people couldn’t distinguish EV from DV in practice. Mobile browsers didn’t have screen space to display company names. Chrome removed the EV indicator in 2019. Firefox followed.
So now we have one tier: DV. A phishing site and your bank have identical browser treatment. The visual trust layer of the web is flat.
Shorter Is Better
Let’s Encrypt was right about this before the rest of the industry caught up. Short-lived certificates limit the blast radius of key compromise, make revocation less critical, and force automation. Ninety-day lifetimes were seen as a burden at first — but they pushed organizations from manual renewal to automated pipelines.
Google is now pushing for even shorter lifetimes. The CA/Browser Forum is dragging the ecosystem further in that direction. Let’s Encrypt has announced moves from 90 to 64 to 45 days over the next two years.
If your renewal process depends on a person, shorter lifetimes feel hostile. If it’s fully automated, they feel honest. The certificate was never supposed to be a decorative artifact hung on the wall for a year.
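Two of the points above are easy to see in code: a domain-validated certificate carries no organization identity at all, and a renewal rule that is proportional to the lifetime keeps working as lifetimes shrink. The Go program below is an added example written for this post, not code from Let's Encrypt or any ACME client. It builds a self-signed certificate shaped like a DV leaf (hostname in the SAN, no Organization field) using only Go's standard library; the hostnames and the "renew when less than a third of the validity remains" threshold are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeDVStyleCert is a hypothetical helper for this example. It produces a
// self-signed leaf certificate with the shape a DV certificate has: the
// hostname lives in the SAN extension, the subject carries only the CN, and
// no Organization is asserted. Nothing in it says who runs the host.
func makeDVStyleCert(host string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template used as its own parent: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AssertsOrganization reports whether the certificate binds a legal entity
// name, which is what OV/EV validation adds. For a DV certificate this is
// false: it proves only that someone controlled the domain at issuance.
func AssertsOrganization(cert *x509.Certificate) bool {
	return len(cert.Subject.Organization) > 0
}

// ShouldRenew is a lifetime-proportional renewal policy (assumed for this
// example): renew once less than one third of the validity period remains.
// For a 90-day certificate that is day 60; for a 45-day one it is day 30.
// A fixed "30 days before expiry" rule would mean renewing a 45-day
// certificate every 15 days, and a 28-day certificate constantly.
func ShouldRenew(cert *x509.Certificate, now time.Time) bool {
	total := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return remaining < total/3
}

func main() {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	// Constructed hostnames: the browser sees identical certificate fields
	// for both, which is the "flat trust layer" the post describes.
	for _, host := range []string{"bank.example", "look-alike.example"} {
		cert, err := makeDVStyleCert(host, start, 90*24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-20s organization asserted: %v\n", host, AssertsOrganization(cert))
	}
	for _, days := range []int{90, 45} {
		cert, _ := makeDVStyleCert("bank.example", start, time.Duration(days)*24*time.Hour)
		for _, age := range []int{30, 40, 61} {
			now := start.Add(time.Duration(age) * 24 * time.Hour)
			fmt.Printf("%d-day cert, day %d: renew=%v\n", days, age, ShouldRenew(cert, now))
		}
	}
}
```

The renewal check is the part worth stealing: if your automation measures remaining lifetime as a fraction of the total rather than as a fixed number of days, the announced move from 90 to 64 to 45 days needs no configuration change on your side.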
The Trust Vacuum
We lost a signal and never replaced it. Before: HTTPS meant someone cared enough to set up a certificate. After: HTTPS means the server exists. That old signal wasn’t great — it was scarcity masquerading as assurance — but it was something. Now it’s nothing.
Some argue we don’t need a replacement. The web should treat all sites as untrusted and protect users through Safe Browsing lists, phishing detection, reputation systems. Maybe. But those are invisible. They work when they catch the threat. When they miss it, the user has no fallback.
I want to be clear: the answer is not going back to expensive certificates and a smaller HTTPS web. Scarcity is a terrible security architecture. What we lost was not real trust. We lost a convenient shortcut people used in place of understanding.
Let’s Encrypt gave the internet encryption it desperately needed. If your security signal depends on friction, automation is going to kill it, and good riddance. The thing it took away — a flawed but functional trust heuristic — hasn’t been replaced yet. That’s not a criticism. It’s an open problem.