Certbot Improvements

Using the HTTPS protocol, and using it correctly, is a vital protection for journalists and media outlets, activists, lawyers, and other vulnerable communities around the world. Failure to use HTTPS by default leaves groups vulnerable to surveillance and high-precision censorship, based on specific web pages or their content. Failure to use HTTPS with appropriate security features leaves users vulnerable to theft of credentials and account hijacking. Building better tools for HTTPS deployment is therefore a critical security and anti-censorship task to assist vulnerable communities around the world.

The Let’s Encrypt and Certbot projects are making significant progress on the problem of ensuring that servers support HTTPS to begin with. Since launching in late 2015, Let’s Encrypt has enabled HTTPS on 40 million FQDNs across 15 million registered domain names (https://letsencrypt.org/stats/). There is now a wide diversity of ACME clients that can be used with Let’s Encrypt, but Certbot remains by far the most popular when counting by number of distinct servers, accounting for about 60% of the server IPs that deploy Let’s Encrypt certificates.

This effort to improve Cerbot includes extending the operating system support, developing a CSP reporting endpoint, enabling HSTS support, adding OCSP must-staple support and security enhancement UI updates, as well as self-hosted DNS plugins and building an integration/functionality testing framework.