Internet Security Research Group
The Internet Security Research Group (ISRG) is a California-based public-benefit nonprofit corporation founded in May 2013 to protect Internet users by reducing monetary, technological, and informational barriers to secure and privacy-respecting communications.[1] ISRG operates the Let's Encrypt certificate authority, a free, automated, and open service that issues Transport Layer Security (TLS) certificates to enable HTTPS encryption for websites worldwide.[2] Through this initiative, ISRG has facilitated the issuance of hundreds of millions of certificates, with over 700 million active certificates securing numerous domains as of 2024, markedly increasing the prevalence of encrypted web traffic.[2] Founded by cryptographers Josh Aas and Eric Rescorla, ISRG received initial support from organizations including Mozilla, the Electronic Frontier Foundation, Cisco, Akamai, and the University of Michigan.[1] Beyond Let's Encrypt, ISRG pursues public-benefit digital infrastructure projects such as Prossimo, focused on memory safety in software to prevent common vulnerabilities, and Divvi Up, which develops tools for privacy-preserving measurement.[1] These efforts underscore ISRG's commitment to empirical advancements in Internet security without reliance on paid certification models that previously hindered widespread adoption.[1]

History
Founding and Origins
The Internet Security Research Group (ISRG) was incorporated as a California public benefit corporation in May 2013.[1] It was established by Josh Aas, then at Mozilla, and Eric Rescorla, also from Mozilla, to create a nonprofit home for public-benefit digital infrastructure projects aimed at enhancing Internet security and privacy.[1][3] The organization's initial focus was on developing and operating the Let's Encrypt certificate authority to automate and provide free TLS/SSL certificates, thereby reducing financial, technological, and educational barriers to widespread adoption of secure web communications.[1]

The origins of ISRG trace back to collaborative research efforts beginning in 2012, when a team led by Alex Halderman at the University of Michigan and Peter Eckersley at the Electronic Frontier Foundation (EFF) developed the ACME protocol for automated certificate management.[4][5] This work addressed the high costs and manual processes that limited HTTPS deployment, with early involvement from Mozilla personnel including Aas and Rescorla, who later formalized the entity.[6] Halderman and others joined Aas and Rescorla in leading ISRG shortly after incorporation, building on these technical foundations to pursue a vision of universal web encryption.[3]

Founding sponsors included Mozilla, EFF, the University of Michigan, Cisco, and Akamai, providing initial resources and expertise to operationalize projects like Let's Encrypt, which was publicly announced in November 2014.[1][6] ISRG was recognized as a 501(c)(3) tax-exempt organization under EIN 46-3344200, enabling it to accept donations and grants for its mission-driven activities.[1]

Early Milestones and Let's Encrypt Launch
Following its incorporation, the Internet Security Research Group (ISRG) initiated intensive engineering and policy development for Let's Encrypt in mid-October 2014, aiming to create a free, automated certificate authority to promote widespread HTTPS adoption.[7] This effort built on collaborations with founding sponsors including Mozilla, the Electronic Frontier Foundation, the University of Michigan, Cisco, and Akamai, who provided early technical and financial support to address barriers like cost and complexity in obtaining TLS certificates.[1][8]

A key milestone occurred on November 18, 2014, when ISRG publicly announced the Let's Encrypt project, outlining its goal to automate certificate issuance via the ACME protocol and eliminate manual processes that hindered web encryption.[9] By June 4, 2015, ISRG generated its root certificate (ISRG Root X1, an RSA 4096-bit key) and intermediate certificates, establishing the foundational public key infrastructure necessary for trust.[10] On June 16, 2015, ISRG released its launch timeline, planning initial limited certificate issuance the week of July 27, 2015, followed by general availability the week of September 14, 2015, with provisions for controlled testing to validate security, compliance, and scalability.[7]

Let's Encrypt launched on September 14, 2015, issuing its first certificate to the domain helloworld.letsencrypt.org, coinciding with ISRG's submission of its root certificate for inclusion in major browser trust stores.[11] To ensure immediate compatibility before full root trust propagation, early certificates were cross-signed by IdenTrust, a pre-existing trusted authority, allowing validation without disrupting user experiences.[7] This approach marked a pivotal advancement in accessible web security, enabling automated renewals and free issuance to reduce the prevalence of unencrypted traffic.[12]

Expansion Beyond Certificates
In late 2020, following the operational stability and widespread adoption of Let's Encrypt, the Internet Security Research Group (ISRG) initiated efforts to broaden its mission beyond certificate issuance, aiming to address systemic vulnerabilities in internet infrastructure and privacy challenges. The organization's 2020 annual report highlighted these "initial steps" as a strategic pivot to remove additional barriers to a secure and open internet, building on the success of enabling HTTPS ubiquity.[13]

A key development occurred on December 9, 2020, when the ISRG board approved a dedicated memory safety initiative, resulting in the launch of Prossimo later that year. Prossimo targets the pervasive risks of memory-unsafe languages like C and C++ in security-critical software (responsible for approximately 70% of high-severity vulnerabilities in such systems) by funding and coordinating migrations to memory-safe alternatives such as Rust. Early efforts included prototypes for components like DNS resolvers and SSH implementations, with the project emphasizing pragmatic, incremental adoption in open-source internet protocols to reduce exploitable bugs without disrupting existing deployments.[14][5][15]

Complementing this, ISRG launched Divvi Up in 2021 as a privacy-preserving telemetry service, enabling organizations to aggregate user metrics without exposing individual data through cryptographic protocols like Prio (a verifiable secret-sharing system) and differential privacy. The project stemmed from 2020 collaborations on exposure notification apps during the COVID-19 pandemic, where needs for anonymized usage statistics highlighted gaps in traditional analytics; by December 2021, it had formalized under its current name, supporting applications in web, mobile, and machine learning contexts while prioritizing open-source implementation and verifiable accuracy.[16][1][17]

Organizational Structure
Governance and Leadership
The Internet Security Research Group (ISRG) operates as a California public benefit corporation and is recognized as a 501(c)(3) tax-exempt nonprofit organization under IRS EIN 46-3344200.[18] Its governance is primarily directed by a board of directors, which oversees strategic decisions, project approvals, and financial accountability, including endorsements of initiatives such as the privacy-preserving metrics project Divvi Up on October 26, 2020.[19] The board composition reflects affiliations with technology companies, academic institutions, and advocacy groups, emphasizing expertise in internet security and policy.[18]

Current board members include:
- Josh Aas (ISRG)
- Richard Barnes (Cisco)
- Vicky Chin (Mozilla)
- Jennifer Granick (Independent)
- Aanchal Gupta (Independent)
- J. Alex Halderman (University of Michigan)
- Pascal Jaillon (OVHcloud)
- David Nalley (Amazon)
- Erica Portnoy (Electronic Frontier Foundation)
- Christine Runnegar (Independent, Chair).[18][20]