The secure‑web stack has evolved more over the past two years than in the previous five. Here’s a quick mid‑2025 update covering the most significant shifts, from protocol updates to certificate automation.
1. TLS 1.3 is now the standard
- 93% of Cloudflare’s connections are now using TLS 1.3, a huge increase from less than 1% in 2018. This seven‑year‑old spec has become the baseline for browsers and CDNs.
- Major players like Chrome, Firefox, and Cloudflare have brought back Encrypted Client Hello (ECH) after a few bumps in 2023, helping hide the Server Name Indication for better HTTPS privacy.
2. Post‑quantum security makes its entrance
- Cloudflare’s data shows that about 2% of all TLS 1.3 handshakes now use a hybrid Kyber + X25519 key exchange. Expect adoption to hit double digits by year‑end as the draft RFCs settle.
- With NIST finalizing its first round of post‑quantum cryptography standards this spring, browsers are gearing up to accept new post‑quantum key exchanges without the need for a brand‑new “TLS 1.4”.
3. Streamlined automation in the ACME ecosystem
Let’s Encrypt is keeping things innovative:
| New feature | What it solves | Status (2024‑25) |
|---|---|---|
| Cross‑sign sunset | Drops the legacy IdenTrust chain, leading to 40% smaller handshakes | Default since Feb 2024, removed entirely Jun 2024 |
| ACME Renewal Info (ARI) | Lets CAs tell clients exactly when to renew, which is key for the upcoming 7‑day certs | Shipping; Tailscale integrated it in two days |
| Certificate Profiles | Offers a choice between a “classic” profile and a leaner “tlsserver” profile, with a 6‑day variant on the way | In staging since Jan 2025 |
Elsewhere, AWS, Google, and Azure now provide ACME endpoints for their load balancers, while smaller CAs like ZeroSSL and Buypass have followed Let’s Encrypt’s lead with 90‑day DV certificates and fully automated issuance.
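To make the ARI and profile rows concrete, here is an added illustration of the client side of ARI (it is not Let’s Encrypt’s, Tailscale’s, or any ACME client’s own code). It builds the certificate identifier that a client appends to the directory’s `renewalInfo` URL (base64url of the AKI keyIdentifier, a period, base64url of the serial’s DER content octets), picks a uniformly random renewal instant inside the CA’s `suggestedWindow`, and assembles a `newOrder` payload carrying the optional `profile` field from the profile‑selection announcement. The CA base URL `https://example.com/acme/renewal-info`, the ARI response JSON and the timestamps are constructed sample data; the AKI and serial values are the ones used in the ARI draft’s own worked example.

```python
"""ACME Renewal Information (ARI) client-side helpers (added example)."""
import base64
import random
from datetime import datetime, timedelta


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: big-endian, minimal length, with a
    leading 0x00 when the top bit would otherwise read as a sign bit."""
    if value < 0:
        raise ValueError("certificate serial numbers are positive")
    return value.to_bytes((value.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """ARI identifier: base64url(AKI keyIdentifier) '.' base64url(serial DER content)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def ari_url(renewal_info_base: str, aki_key_identifier: bytes, serial: int) -> str:
    """GET URL for one certificate: the directory's renewalInfo entry + '/' + cert id."""
    return f"{renewal_info_base.rstrip('/')}/{ari_cert_id(aki_key_identifier, serial)}"


def parse_rfc3339(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def choose_renewal_time(ari_response: dict, now: datetime, rng=random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow.

    A window (or chosen instant) that is already in the past means the CA wants
    the certificate replaced immediately, so 'now' is returned in that case.
    """
    window = ari_response["suggestedWindow"]
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    if end <= now:
        return now                      # window already passed: renew right away
    offset = rng.uniform(0.0, (end - start).total_seconds())
    chosen = start + timedelta(seconds=offset)
    return max(chosen, now)             # never schedule into the past


def renewal_order_payload(identifiers, profile: str = "") -> dict:
    """newOrder payload for the renewal; 'profile' (e.g. "classic" or
    "tlsserver") is the optional profile-selection field and is omitted when empty."""
    payload = {"identifiers": [{"type": "dns", "value": name} for name in identifiers]}
    if profile:
        payload["profile"] = profile
    return payload


if __name__ == "__main__":
    # AKI keyIdentifier and serial from the ARI draft's worked example.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    serial = 0x87654321
    print(ari_url("https://example.com/acme/renewal-info", aki, serial))  # placeholder CA

    # Constructed ARI response: a two-day window about two-thirds into a short-lived cert.
    sample_response = {
        "suggestedWindow": {"start": "2025-06-30T00:00:00Z", "end": "2025-07-02T00:00:00Z"},
        "explanationURL": "https://example.com/docs/ari",  # constructed
    }
    now = parse_rfc3339("2025-06-20T00:00:00Z")
    print("renew at", choose_renewal_time(sample_response, now).isoformat())
    print(renewal_order_payload(["www.example.com"], profile="tlsserver"))
```

Randomising within the window is what spreads a CA’s renewals out instead of having every client fire at the window’s start, and returning `now` for an expired window is the path a CA uses to trigger early replacement (for example ahead of a revocation); with 47‑day and 6‑day certificates the client has no slack for ignoring either signal.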
4. Shorter certificate lifetimes
The CA/Browser Forum voted in April 2025 to reduce maximum certificate lifetimes from 398 days to just 47 days by March 2029 (with transitional periods at 200 days in 2026 and 100 days in 2027). This change makes manual renewals impractical, pushing everyone towards full automation.
Key takeaways
TLS is stronger, leaner, and on the road to quantum resilience, while certificate management is becoming fully automated with even shorter lifespans. And despite ongoing political debates over encryption backdoors, market forces and browser policies are steadily pushing the public web towards modern, robust encryption.
Sources
- Cloudflare Blog – “The State of the Post‑Quantum Internet”
- RIPE Labs – “Security Control Changes Due to TLS Encrypted ClientHello”
- Let’s Encrypt – “Takeaways from Tailscale’s Adoption of ARI”
- Let’s Encrypt – “Announcing Certificate Profile Selection”
- BleepingComputer – “SSL/TLS Certificate Lifespans Reduced to 47 Days by 2029”