Certbot Improvements

Using the HTTPS protocol, and using it correctly, is a vital protection for journalists and media outlets, activists, lawyers, and other vulnerable communities around the world. Failure to use HTTPS by default leaves groups vulnerable to surveillance and high-precision censorship, based on specific web pages or their content. Failure to use HTTPS with appropriate security features leaves users vulnerable to theft of credentials and account hijacking. Building better tools for HTTPS deployment is therefore a critical security and anti-censorship task to assist vulnerable communities around the world.

The Let’s Encrypt and Certbot projects are making significant progress on the problem of ensuring that servers support HTTPS to begin with. Since launching in late 2015, Let’s Encrypt has enabled HTTPS on 225 million FQDNs across 63 million registered domain names (https://letsencrypt.org/stats/). There is now a wide diversity of ACME clients that can be used with Let’s Encrypt, but Certbot remains by far the most popular when counting by number of distinct servers, accounting for about 60% of the server IPs that deploy Let’s Encrypt certificates.

The 2017 effort to improve Cerbot included extending the operating system support, developing a CSP reporting endpoint, enabling HSTS support, adding OCSP must-staple support and security enhancement UI updates, as well as self-hosted DNS plugins and building an integration/functionality testing framework.

The 2019 effort to improve Certbot includes expanding Certbot to support Windows-based servers and to build a better distribution system for Certbot. The project builds on the prior funding by enabling more users to take advantage of the security enhancements Certbot can bring.