Foundations have a hit-or-miss success rate in software, generally, and open source, specifically. I’m on the record with 908 words of eyeroll for the Open Enterprise Linux Association and OpenTofu, given the conspicuous absence of cloud vendor support. Yet I’ve also recommended projects like Kubernetes precisely because of their foundation-led community support. Foundations can help foster community but are in themselves no guarantee of success.
This is why Let’s Encrypt and the Internet Security Research Group (ISRG) are so fascinating. There is no obvious reason they should’ve succeeded, yet 10 years in, ISRG’s Let’s Encrypt has issued more than four billion certificates to secure more than 360 million websites. It’s also likely that the nonprofit’s Prossimo, a memory safety project, and Divvi Up, a privacy-preserving metrics system, will follow that pattern, even as many other foundations fail to deliver similar victories (OpenStack, anyone?).
The question is why. Why did Let’s Encrypt succeed, and what can other nonprofits or open source projects learn from it?
10 years of securing the Internet
One key reason for Let’s Encrypt’s success is that it solved a big problem. When Let’s Encrypt was founded in 2013, just 28% of page loads were secured on the web. “There were plenty of options that were available [like TLS and SSL],” says Sarah Gran, vice president of communications at ISRG, “but they were not widely used. In order to really advance the security of the web, this needed to change, and it needed to change more commensurate with the pace of the growth and dependence on the Internet that people were having every single day.”
Let’s Encrypt didn’t try to change things with public service announcements. They focused on automation and reducing the complexity of getting a certificate. The more easily developers could adopt and apply certificates to their websites, the more likely they were to use them. Convenience is the killer app for developers, as RedMonk’s Steve O’Grady has posited.
It also helped that ISRG and its Let’s Encrypt initiative weren’t trying to compete with commercial certificate authorities. “We’re not here to be heroes,” says Gran. “All we’re trying to do is solve a problem.” By working alongside proprietary providers of certificates, Let’s Encrypt could focus on solving the problem of Internet security, not collecting credit for doing so.
When I asked Gran to identify the secret for ISRG’s success with Let’s Encrypt, she didn’t hesitate: “We know what we do well, and we stay in that lane. And what we do well is tackle difficult engineering infrastructure problems,” particularly as they relate to Internet security, which ISRG tackles through the lens of automation, efficiency, and scale. ISRG focuses on solving discrete problems, and in so doing has achieved outsized success with Let’s Encrypt. That same foundation-led focus should help it with Prossimo and Divvi Up.
The secrets of their success
Clearly, ISRG’s foundation approach has worked, enabling it to work alongside corporate “competitors” without being competitive. However, it’s important to note that foundations aren’t essential to a software project’s success. In the world of certificate authorities, Comodo and Digicert thrive alongside Let’s Encrypt. Outside the realm of Internet security, it’s much the same story. It would be hard to argue that HashiCorp, MongoDB, Elastic, etc., aren’t wildly popular with attendant business success. Nor is it true that introducing a foundation to a market guarantees it will trounce single-vendor products. Speaking of HashiCorp, even as he launched the OpenTofu project to provide an open source, foundation-backed fork of HashiCorp’s Terraform, Linux Foundation CEO Jim Zemlin told me that he believes “both Terraform and OpenTofu will succeed for different reasons.”
Terraform, in his view, will succeed because it’s great software with a credible company behind it. He also sees OpenTofu taking a big share of the market: “Nobody wants to invest large engineering resources into a project that isn’t neutrally owned or is owned and controlled by a single commercial entity.” This will lead to “better investment” in OpenTofu. Despite the relatively small companies contributing to OpenTofu today, Zemlin believes “downstream vendor dependence on the codeveloped OpenTofu will create a larger ecosystem as more providers reinvest to improve their downstream products.”
Maybe. Foundation-led projects fail all the time.
Why did Kubernetes succeed while OpenStack failed, despite both being filled to the brim with foundation-led communities? According to Zemlin, “it turns out containers [Kubernetes] were the right abstraction for cloud computing workloads and not VM’s [OpenStack].” Technology matters. No foundation can overcome being on the wrong side of customer choice for particular technologies.
This brings us back to ISRG and its mission. Similar to its observation in 2015 about website security, today ISRG sees an equally big issue with memory safety. As Gran puts it, “We looked at our infrastructure and various infrastructures out there that the Internet is reliant upon, and we saw how much of it is written in C and C++,” with all their problems of memory safety, bugs, and vulnerabilities. Why is this a problem now? After all, such languages have had issues for a long time. Gran credits Microsoft and Google for acknowledging that the vast majority of their vulnerabilities stemmed from memory safety problems, which pinpointed memory safety as a big issue, and one that could be solved through languages like Rust.
Will they succeed in a similar way as Let’s Encrypt? Nothing is certain, but the confluence of a big problem with a clear technology that can help (Rust, in this case) makes success far more likely. Whether you’re a nonprofit foundation or a for-profit company, a focus on solving a customer problem, along with a bit of luck in customer technology choices, seems to “guarantee” success.