Learning from Let's Encrypt's 10 years of success – InfoWorld

Foundations have a hit-or-miss success rate in software, generally, and open source, specifically. I'm on the record with 908 words of eyeroll for the Open Enterprise Linux Association and OpenTofu, given the conspicuous absence of cloud vendor support. Yet I've also recommended projects like Kubernetes precisely because of their foundation-led community support. Foundations can help foster community but are in themselves no guarantee of success.

This is why Let's Encrypt and the Internet Security Research Group (ISRG) are so fascinating. There is no obvious reason they should've succeeded, yet 10 years in, ISRG's Let's Encrypt has issued more than four billion certificates to secure more than 360 million websites. It's also likely that the nonprofit's Prossimo, a memory safety project, and Divvi Up, a privacy-preserving metrics system, will follow that pattern, even as many other foundations fail to deliver similar victories (OpenStack, anyone?).

The question is why. Why did Let's Encrypt succeed, and what can other nonprofits or open source projects learn from it?

One key reason for Let's Encrypt's success is that it solved a big problem. When Let's Encrypt was founded in 2013, just 28% of page loads were secured on the web. "There were plenty of options that were available [like TLS and SSL]," says Sarah Gran, vice president of communications at ISRG, "but they were not widely used. In order to really advance the security of the web, this needed to change, and it needed to change more commensurate with the pace of the growth and dependence on the Internet that people were having every single day."

Let's Encrypt didn't try to change things with public service announcements. It focused on automation and on reducing the complexity of getting a certificate. The more easily developers could obtain and apply certificates to their websites, the more likely they were to use them. Convenience is the killer app for developers, as RedMonk's Steve O'Grady has posited.

It also helped that ISRG and its Let's Encrypt initiative weren't trying to compete with commercial certificate authorities. "We're not here to be heroes," says Gran. "All we're trying to do is solve a problem." By working alongside proprietary providers of certificates, Let's Encrypt could focus on solving the problem of Internet security, not on collecting credit for doing so.

When I asked Gran to identify the secret of ISRG's success with Let's Encrypt, she didn't hesitate: "We know what we do well, and we stay in that lane. And what we do well is tackle difficult engineering infrastructure problems, particularly as they relate to Internet security," which ISRG tackles through the lens of automation, efficiency, and scale. ISRG focuses on solving discrete problems, and in so doing has achieved outsized success with Let's Encrypt. That same foundation-led focus should help it with Prossimo and Divvi Up.

Clearly, ISRG's foundation approach has worked, enabling it to work alongside corporate competitors without being competitive. However, it's important to note that foundations aren't essential to a software project's success. In the world of certificate authorities, Comodo and DigiCert thrive alongside Let's Encrypt. Outside the realm of Internet security, it's much the same story. It would be hard to argue that HashiCorp, MongoDB, Elastic, etc., aren't wildly popular with attendant business success. Nor is it true that introducing a foundation to a market guarantees it will trounce single-vendor products. Speaking of HashiCorp, even as he launched the OpenTofu project to provide an open source, foundation-backed fork of HashiCorp's Terraform, Linux Foundation CEO Jim Zemlin told me that he believes both Terraform and OpenTofu will succeed, for different reasons.

Terraform, in his view, will succeed because it's great software with a credible company behind it. He also sees OpenTofu taking a big share of the market: "Nobody wants to invest large engineering resources into a project that isn't neutrally owned or is owned and controlled by a single commercial entity. This will lead to better investment in OpenTofu." Despite the relatively small companies contributing to OpenTofu today, Zemlin believes downstream vendor dependence on the co-developed OpenTofu will create a larger ecosystem as more providers reinvest to improve their downstream products.

Maybe. Foundation-led projects fail all the time.

Why did Kubernetes succeed while OpenStack failed, despite both being filled to the brim with foundation-led communities? According to Zemlin, "it turns out containers [Kubernetes] were the right abstraction for cloud computing workloads and not VMs [OpenStack]." Technology matters. No foundation can overcome being on the wrong side of customer choice for particular technologies.

This brings us back to ISRG and its mission. Similar to its observation in 2015 about website security, today ISRG sees an equally big issue with memory safety. As Gran puts it, "We looked at our infrastructure and various infrastructures out there that the Internet is reliant upon, and we saw how much of it is written in C and C++, with all their problems of memory safety, bugs, and vulnerabilities." Why is this a problem now? After all, such languages have had issues for a long time. Gran credits Microsoft and Google for acknowledging that the vast majority of their vulnerabilities stemmed from memory safety problems, which pinpointed memory safety as a big issue, and one that could be solved through languages like Rust.

Will they succeed the way Let's Encrypt did? Nothing is certain, but the confluence of a big problem with a clear technology that can help (Rust, in this case) makes success far more likely. Whether you're a nonprofit foundation or a for-profit company, a focus on solving a customer problem, along with a bit of luck in customer technology choices, seems to guarantee success.
