Let's Encrypt bans certificate usage in any US sanctioned territory [pdf] (letsencrypt.org)

240 points by piskov a day ago

CobrastanJorji 3 hours ago

Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

rzerowan 3 hours ago

Seems in all things tech at the moment the US legal system is accelerating a great split and erecting a digital iron curtain, from AI models to the more mundane like TLS certs. It's been standard for a while for many Linux distros based in the US to toe the party line - like RedHat having notices pretty similar to this one by LE. Seems any meaningful Open Projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.

xxpor 2 hours ago

The RISC-V move was laughable. It’s still US tech, developed largely with DARPA funds.

dsl an hour ago

> pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries

This is most likely OFAC. Lets Encrypt could apply for a license to do business with sanctioned entities, and given their use case it would most likely be approved.

https://ofac.treasury.gov/ofac-license-application-page

bhhaskin an hour ago

It could also be an easy way to not have to implement backdoors for the government/military.

lxgr 8 minutes ago

What "backdoor" would Let's Encrypt even implement? That's not how a CA works.

They might be compelled to issue a certificate to an unauthorized (by browser PKI policies, not local law) entity, but that would be very conspicuous due to Certificate Transparency.
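As an added illustration of the Certificate Transparency point above (this is not code from the thread or from Let's Encrypt): a minimal monitor, in Go, that takes CT log entries naming the zones you operate and flags anything that did not come out of your own issuance pipeline. The log entries, issuer names and fingerprints below are constructed; a real monitor would fill them from the logs, but the decision logic is the same.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// CTEntry is a simplified view of one certificate seen in a Certificate Transparency log.
// Field values in this example are constructed; a real monitor fills them from log entries.
type CTEntry struct {
	LogIndex    int64
	Issuer      string   // issuer CN as it appears in the log entry
	DNSNames    []string // subject alternative names of the (pre)certificate
	Fingerprint string   // SHA-256 of the leaf, hex (constructed placeholders below)
}

// Finding is one entry the audit wants a human to look at.
type Finding struct {
	LogIndex int64
	Kind     string // "unexpected-issuer" or "unknown-certificate"
	Name     string // the monitored name that matched
}

// Policy describes what "expected" issuance looks like for the zones you operate.
type Policy struct {
	ExpectedIssuers map[string][]string // zone -> issuer CNs your own automation uses
	KnownCerts      map[string]bool     // fingerprints your own pipeline has recorded
}

// inZone reports whether a SAN (wildcards included) belongs to a monitored zone.
// A lookalike such as "example.org.evil.test" must not match the zone "example.org".
func inZone(name, zone string) bool {
	name = strings.TrimPrefix(strings.ToLower(name), "*.")
	zone = strings.ToLower(zone)
	return name == zone || strings.HasSuffix(name, "."+zone)
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Audit returns a finding for every CT entry that names one of your zones and did not
// come out of your own issuance pipeline. A certificate from an issuer you never use is
// exactly the conspicuous event the comment above describes: once logged, it is public.
func Audit(entries []CTEntry, p Policy) []Finding {
	zones := make([]string, 0, len(p.ExpectedIssuers))
	for z := range p.ExpectedIssuers {
		zones = append(zones, z)
	}
	sort.Strings(zones) // deterministic output order

	var out []Finding
	for _, e := range entries {
		if p.KnownCerts[e.Fingerprint] {
			continue // we issued this one ourselves
		}
		for _, zone := range zones {
			for _, n := range e.DNSNames {
				if !inZone(n, zone) {
					continue
				}
				kind := "unknown-certificate" // the right CA, but not in our inventory
				if !contains(p.ExpectedIssuers[zone], e.Issuer) {
					kind = "unexpected-issuer" // a CA we never asked for a certificate
				}
				out = append(out, Finding{LogIndex: e.LogIndex, Kind: kind, Name: n})
				break // one finding per zone per entry is enough
			}
		}
	}
	return out
}

// SampleAudit runs Audit over constructed log entries so the outcome can be inspected.
func SampleAudit() []Finding {
	policy := Policy{
		ExpectedIssuers: map[string][]string{"example.org": {"Constructed CA A"}},
		KnownCerts:      map[string]bool{"fp-constructed-1": true},
	}
	entries := []CTEntry{
		{LogIndex: 100, Issuer: "Constructed CA A", DNSNames: []string{"example.org"}, Fingerprint: "fp-constructed-1"},            // ours
		{LogIndex: 101, Issuer: "Constructed CA A", DNSNames: []string{"www.example.org"}, Fingerprint: "fp-constructed-2"},        // same CA, not in inventory
		{LogIndex: 102, Issuer: "Constructed CA B", DNSNames: []string{"*.example.org"}, Fingerprint: "fp-constructed-3"},          // a CA we never use
		{LogIndex: 103, Issuer: "Constructed CA B", DNSNames: []string{"example.org.evil.test"}, Fingerprint: "fp-constructed-4"}, // lookalike, not our zone
	}
	return Audit(entries, policy)
}

func main() {
	for _, f := range SampleAudit() {
		fmt.Printf("log index %d: %s for %s\n", f.LogIndex, f.Kind, f.Name)
	}
}
```

The "unknown-certificate" case is worth keeping separate from "unexpected-issuer": the former usually means a colleague's automation you did not know about, the latter is the signal that warrants an incident.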

throwaway85825 an hour ago

If you truly need a secure and private web you should be using tor.

Izmaki 33 minutes ago

Say what, now?

Anonymity and encrypted communication are two very, very different things. Have one but not the other and you're essentially handing off your private data, incl. passwords, to whoever has a tap on the communication between you and the server. Have the other but not the one and everyone will know who you are, but they can't eavesdrop.

idoubtit 15 hours ago

Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own that they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

cassianoleal 14 hours ago

They could, but if the branch didn’t follow these laws, the main US branch would still be liable.

cromka 13 hours ago

It's about time SOME entities start moving from US entirely.

mikeyouse 5 hours ago

rafram 5 hours ago

mfuzzey 2 hours ago

Just close down completely in the US and move to the EU

kube-system an hour ago

belorn an hour ago

Let's encrypt is not some code or even a company that you can split into different branches. Their existence is one based on trust relations that let's encrypt has with browsers and operating systems. It is in one part similar to both domain names and IP address space, in that the technical aspects of creating alternative roots are almost trivial in comparison to getting the trust that is required for an alternative root to be accepted by the rest of the world.

Let's say someone created a Russian Let's Encrypt. It has all the technical aspects of regular LE in that you can request a certificate and get one through an ACME challenge. That is all great and all, but no browser will recognize it as valid. No operating system will recognize it as valid. The Russian state might add the new LE as valid for government computers, but the real work would be to get any other participants in the world to do the same. The issue is not a technical one but rather a social one that is built on trust.

When Russia invaded Ukraine there was a major discussion about whether IANA/ICANN should have disconnected Russia from domain names and IP addresses. That discussion ended on a decision to not do that because the symbolic benefit was deemed minor compared to the harm to the system at large, especially once the war ends. If you have two roots, then a domain name or IP address can now suddenly have two locations, and it would be a massive pain to try to fix it even if people wanted to fix it. Certificate Authorities do not share this trait since there can be an almost unlimited number of roots and none of them can conflict with each other (assuming no hash collision). If Russia spins up a new CA then people can use that one today if they want to, and they can continue to do so after the war has ended.
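To show how little of what the comment above describes is technical, here is an added Go example (not from the thread or from any project mentioned in it) that mints a root CA, issues a leaf certificate from it, and then asks two clients to verify that leaf: one that installed the new root and one that never did. The CA name, hostname and keys are generated on the spot and mean nothing; the outcome turns entirely on what is in the verifying client's trust pool. The same mechanics explain the later remark about self-signed certificates: they encrypt, but a client that has not pinned them learns nothing about who is on the other end.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newRoot mints a self-signed root CA. Nothing here is hard: any party can do it in milliseconds.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for dnsName with root, or self-signs it when root is nil.
func issueLeaf(dnsName string, root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	var parent *x509.Certificate
	var signer crypto.Signer
	if root == nil {
		parent, signer = tmpl, key // self-signed leaf
	} else {
		parent, signer = root, rootKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyChain is what a client does: build a chain from the leaf to a root it already holds.
// An empty pool models a client that has never installed the new root.
func verifyChain(leaf *x509.Certificate, dnsName string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   dnsName,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which client accepts which certificate.
type Outcome struct {
	TrustedByInstaller   bool // client that added the new root to its store
	TrustedByStranger    bool // client with an empty store, i.e. everyone else
	SelfSignedByStranger bool // a self-signed leaf presented to that same stranger
}

// Demo builds the constructed CA and leaf and runs both clients against them.
func Demo() (Outcome, error) {
	root, rootKey, err := newRoot("Constructed Example Root CA")
	if err != nil {
		return Outcome{}, err
	}
	const host = "www.example.test" // constructed hostname
	leaf, err := issueLeaf(host, root, rootKey)
	if err != nil {
		return Outcome{}, err
	}
	self, err := issueLeaf(host, nil, nil)
	if err != nil {
		return Outcome{}, err
	}
	installer := x509.NewCertPool()
	installer.AddCert(root)
	stranger := x509.NewCertPool() // has never heard of this root
	return Outcome{
		TrustedByInstaller:   verifyChain(leaf, host, installer) == nil,
		TrustedByStranger:    verifyChain(leaf, host, stranger) == nil,
		SelfSignedByStranger: verifyChain(self, host, stranger) == nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Both rejections come back as an x509 unknown-authority error: the signature on the leaf is perfectly valid, the client simply has no reason to believe the signer. Getting that root into every browser and operating system store in the world is the part no amount of code solves.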

PunchyHamster 2 hours ago

A completely independent entity would be a far better option. The protocol is open after all; you just need to point to a different vendor.

Insimwytim 4 hours ago

Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!

Russian quasi-government structures are spending quadrillions of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!

jaas 3 hours ago

Let's Encrypt certificates continue to be available in both Iran and Russia, just not for the Iranian and Russian governments.

The terms of service update, which clarifies what we have always done (comply with relevant law), has not changed the situation for either country.

joshuaissac 3 hours ago

> Let's Encrypt certificates continue to be available in both Iran and Russia, just not for the Iranian and Russian governments.

According to https://news.ycombinator.com/item?id=48457280 it affects all people ordinarily resident in those territories, not just their governments:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> [other 'or' conditions]

jaas an hour ago

lioeters 2 hours ago

john_strinlai 2 hours ago

you should update the documents to reflect this stance.

"You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; "

this says nothing (edit: specific) about government (edit: only), and is applicable to normal people in those areas.

joemi 2 hours ago

gnerd00 4 hours ago

wait until you find out about Facebook!

rerdavies 40 minutes ago

Is this actually new? Looks like a standard US export restriction for encryption technology to me. These sorts of restrictions have been around since the '90s.

Let's Encrypt becomes subject to US export restrictions on cryptography if they are a US company, or if they post anything to github or post anything to major app stores. Every app I have ever posted to Google Play has had to submit a form to the US government declaring what use they make of cryptography.

These restrictions have been in force since the late 1950s (with a long and complicated history with respect to computer cryptography). This particular text looks like a boilerplate restriction that's required to comply with US EAR export requirements to me.

axiologist 11 hours ago

This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

belorn 3 hours ago

While it seems like the certificate authority has the primary control here, the real control lies in the browsers and operating systems in which certificate authorities are trusted. Users also have, at least for the moment, control to add or remove certificate authorities, even if that control is slightly less clear for devices like smart phones.

Digital certificates that sign software packages are used to enforce exclusion by some manufacturers. Let's encrypt is not in that space to my knowledge, but it is a place where you the owner do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. It's arguable if we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.

MarleTangible 11 hours ago

I always saw it as a trust-chain and think that anyone is welcome to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.

lesostep 2 hours ago

The problem is that finding a root source of trust isn't easy these days. LE was neutral, now nobody is.

Russian government issued their new root certificate years ago.

Nobody trusted it enough to request a certificate from them or install it on their computers. Including almost all of the Russian residents.

If Let's Encrypt enforces the rules as written in the PDF, a lot of people would lose a choice.

Frankly, even publishing a statement like that would make the scales of trust tip for some.

happosai 3 hours ago

It is such a great improvement that ISPs cannot eavesdrop on us anymore... only for everyone to terminate TLS at Cloudflare so they (and thus the US government) can now eavesdrop on everyone.

Parodper 7 hours ago

We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.

theamk 7 hours ago

thaumasiotes 4 hours ago

> I always saw it as a trust-chain and think that anyone is welcome to create a root certificate and distribute it to whomever trusts them.

Note that phones already try to prevent you from using a certificate that you provide yourself.

account42 6 hours ago

Do we also need to put all our letters into strongboxes before we send them?

Maybe we should have solved the ISP snooping problem by making that illegal instead.

lxgr 2 minutes ago

theamk 5 hours ago

kube-system an hour ago

The entire point of a trust model is to exclude people. That's the stated goal.

If you want encryption without trust, just use self-signed certs.

lxgr a minute ago

If you don't care about who you're talking to, why use certificates at all?

13415 40 minutes ago

The problem is that the current trust model is totally untrustworthy.

kube-system 31 minutes ago

palmotea 7 hours ago

> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

watwut 3 hours ago

I always thought the main goal was to force people to pay money for certificates.

ekr____ 2 hours ago

account42 6 hours ago

You could do that with a much saner approach like DANE.

franga2000 6 hours ago

Igrom 13 hours ago

It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.

Front matter:

- it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate

- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural

2.1 "Term":

- "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural

3.1 "Warranties":

- "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural

m2f2 16 hours ago

Is this a canary?

What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?

Has letsencrypt been served with a subpoena?

tialaramex 2 hours ago

> Has letsencrypt been served with a subpoena?

While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.

Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption, if we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.

toast0 8 minutes ago

> Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena

LetsEncrypt certainly doesn't, but I've seen certificate storefronts that generate the key on their side and provide you the key and the certificate, so you don't have to figure out how to generate a key.

basilikum 2 hours ago

They have the secret of the private keys used to sign certificates.

Looking at Lavabit[1] I really would not be so comfortable. The world and especially the US has not gotten more free since then.

[1] https://en.wikipedia.org/wiki/Lavabit

tialaramex an hour ago

rafram 5 hours ago

Neither Greenland nor the EU has been sanctioned by the US.

nitwit005 5 hours ago

They haven't been sanctioned, yet, but we live in a time where that's a real possibility.

piskov 2 hours ago

Have you heard about the judge from international court or whatever it is called?

https://www.france24.com/en/americas/20250820-us-hits-icc-wi...

rafram 2 hours ago

_ache_ 5 hours ago

Yet.

malfist 5 hours ago

So far

tempfile 5 hours ago

It is not exactly an outlandish suggestion that this may happen.

cyounkins an hour ago

Gotta love the word 'sanction'. It is its own antonym! "The committee sanctioned the new policy." (approved it) "The committee sanctioned the rogue nation." (penalized it)

ale42 13 minutes ago

Time for a non-US equivalent of Let's Encrypt?

wnevets 4 hours ago

Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.

patmorgan23 4 hours ago

Well good thing everyone using the provider is using an open protocol and it's stupid easy to switch

wnevets 3 hours ago

Which free CA should I use instead of lets encrypt that has same browser support?

ygjb 3 hours ago

gruez 3 hours ago

pratyahava 3 hours ago

can you please suggest any alternatives to switch to? I can hardly find any alternative which provides free service and is a non-profit org at the same time.

VortexLain 3 hours ago

Now this is very bad, as bad as it can get. As soon as all local services stop working in sanctioned countries, those countries' governments will force all users to either install a root certificate or lose access to all local services and websites. And then it will be possible to use that root certificate for MITM attacks. In the worst case scenario, after the majority of users install the root certificate, state DPIs will MITM all traffic and will block all un-MITMable traffic.

yurish 2 hours ago

Don't understand why you have been downvoted. The Russian government has already attempted to push forward their root certificate for banking using Yandex browser, now this.

karteum 10 hours ago

Can anyone explain to me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser?

em-bee 9 hours ago

the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribution license that they can't follow.

LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/

mrweasel 3 hours ago

This should be one of those things that should be a quick EU win. Running Let's Encrypt is $3-4mill a year, the EU probably uses that on pencils.

The EU could easily bootstrap a Let's Encrypt competitor if it truly cared about removing dependencies on US based entities.

zajio1am 2 hours ago

Yes, but EU would have to convince Google and Apple to get a new root certificate to browsers.

xxpor 2 hours ago

Do you really think the EU wants to sign up for PR that’s essentially “the US is being too mean to Russia” right now?

flumpcakes an hour ago

I think the EU should do it regardless of Russia. The EU should invest in its own technology and not depend so much on an increasingly undependable ally.

niemandhier 3 hours ago

It's their right to do that.

But can we still trust them?

I am not well versed in how their systemwide certificate issuance works: if they have to add this to their terms to comply with their government, could the same government use pressure to leverage Let’s Encrypt to do harm?

joemi 2 hours ago

Is Let's Encrypt the only provider of SSL certificates?

Genuine question! Because I assumed there were other places you could get a SSL certificate, but people in this thread seem to be implying that without Let's Encrypt, there's no way for people in those sanctioned territories to get a cert.

hinata08 2 hours ago

If it was a genuine question, the genuine answer is it's the provider that democratised streamlined ACME certificate verification and made it for free

No account, no payment, a single bash command or a certbot that runs regularly and you have your own globally recognised certificate

Historically, providers used to make the most friction so that they could justify absolutely crazy fees for signing any certificates. It doesn't go down well in DevOps, it doesn't work with indies who don't have 3- to 4-digit figures to blow on HTTPS, everyone including organisations ended up making certificate authorities of their own to sign stuff... and let's encrypt was successful at making certificates easy, free and actually secure

Fnoord 2 hours ago

> Is Let's Encrypt the only provider of SSL certificates?

No.

nicce 2 hours ago

There are some options. actalis.com is a European alternative but the free tier is a bit less than Let's Encrypt.

herbst 2 hours ago

If nothing has changed it's still the only one that's free and instant. Back in the day you had to pay $10/y and install manually

kube-system an hour ago

piskov a day ago

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations

RyeCombinator 16 hours ago

Actalis https://actalis.com/ is a good EU alternative.

gapan 16 hours ago

No it isn't. Not unless it's free.

This is the main reason letsencrypt is so popular.

crote 14 hours ago

They do have a free plan with unlimited ACME DV certs, though! Not marketed very well and no wildcard certs, but it does exist.

orphea 9 hours ago

RyeCombinator 7 hours ago

There is a free offering.

theamk a day ago

Makes sense, they are a US company. I am surprised it took them that long.

rwmj 14 hours ago

"US company must obey US law" doesn't make for a very interesting headline.

ceeam 11 hours ago

"The world should stop trusting the US companies" OTOH...

cyanydeez 5 hours ago

ohmg 11 hours ago

The headline is more « US law is batshit and extends well beyond its borders with real world consequences »

pavon 4 hours ago

kube-system an hour ago

ezbie 7 hours ago

zajio1am 2 hours ago

account42 6 hours ago

It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.

floper_a 11 hours ago

That's just another reminder that no one from outside of US should deal with US companies.

bigfishrunning 3 hours ago

Of course not! just find viable alternatives to Microsoft, Apple, Mozilla, YCombinator, Google, Intel, AMD, ...

In all seriousness, as an American I'd love to see a healthier, more well-distributed tech industry, but I don't see many companies stepping up to provide competing services. It's my understanding that China has alternatives to many of these products/services, but I really don't see how anyone in Europe could possibly use a US-free internet.

Galanwe 3 hours ago

42droids 17 hours ago

Has anyone got any experience with Zero SSL? https://zerossl.com/ It seems like a good EU alternative.

47282847 16 hours ago

EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.

ZeroSSL 7 hours ago

Jumping in here since we’ve been seeing more mentions of ZeroSSL lately, likely related to the recent CA/B Forum discussions around 1‑year certificates and ACME automation.

- We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden).

- We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.

- For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate.

Happy to clarify further if useful.

kruffalon 5 hours ago

hoistbypetard 3 hours ago

redrblackr 4 hours ago

slau 16 hours ago

HID was originally American and Scottish, but became fully American in 1994.

HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.

ZeroSSL used to be Austrian until their acquisition in 2024.

I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.

nomadwastaken 14 hours ago

The privacy policy is under legal in the footer, exactly where I'd expect it to be honest. It also gives the company registration ("1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“)") and below that the company address (registered in Austria).

Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.

At the very least it's not as transparent as I'd wish from a CA. E.g. their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.

47282847 9 hours ago

matharmin 3 hours ago

I use them in some cases to avoid the rate limits on LetsEncrypt, and they have better support for some older platforms (like ancient Android versions), and I'm pretty happy so far. I have a paid account to support them, but it's not a requirement for ACME certs. It works without issue with Kubernetes Certbot, and seamless to switch between ZeroSSL and LetsEncrypt.

I can't comment on the EU part though - not that relevant in my case.

linsomniac 4 hours ago

There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons.

slau 16 hours ago

3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.

That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.

nomadwastaken 14 hours ago

From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear...

> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.

[0]: https://zerossl.com/documentation/acme/

matharmin 3 hours ago

nickf 14 hours ago

ZeroSSL aren't an EU-based alternative, unfortunately.

patrakov 8 hours ago

It's Sectigo under the hood.

DoctorOetker 16 hours ago

> active eavesdropping (e.g., monster-in-the-middle attacks)

is this standard MitM, or is it some crucially distinct variation?

thephyber 15 hours ago

Man in the Middle Wiki:

> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.

walletdrainer 15 hours ago

Those sources feel more than slightly contrived.

Panzerschrek 15 hours ago

Does it mean that Russian/Iranian web-sites using letsencrypt stop working and need to change their certificate provider?

altairprime 14 hours ago

Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S..

account42 6 hours ago

Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person.

leosarev 6 hours ago

I hope not. We don't have any alternatives yet.

CaliforniaKarl 2 hours ago

piskov 12 hours ago

They already revoked certificates for some Russian sites

pratyahava 2 hours ago

any details on that? links to people reporting it?

nikolay 3 hours ago

Yeah, let everybody build and use their own services, and then the US will end up having less control and visibility. Great tactics!

ComputerGuru 4 hours ago

This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics.

I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).

Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.

markhahn 12 minutes ago

huh? the linked document shows that bullet item as deleted.

pxeger1 14 hours ago

How are they going to enforce this?

nickf 10 hours ago

I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.

greatgib 4 hours ago

To be put in perspective with their push for very short-lived certificates, like 7 days, with the argument that anyone can easily get a certificate at any time.

But in fact, little by little you have all the stacks needed to be able to isolate some entities from the internet at the US's request in a very short time

OutOfHere 3 hours ago

I had the parent organization of LetsEncrypt (Internet Security Research Group) in my Will, but after reading this, I will remove it immediately. US sanctions harm too many innocent people.

diimdeep 11 hours ago

the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in Iran

Whatever USofA, it's not hard to have their own cosmodrome and certificates.

Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.

[1] https://tom7.org/httpv/httpv.pdf

phoe-krk 10 hours ago

And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.

jalospinoso 5 hours ago

The uninteresting version of this is “US entity follows US law.”

The interesting version is that Web PKI is not just cryptographic infrastructure. It is also a policy distribution system. A browser trust store, a CA, a subscriber agreement, revocation rules, export controls, and sanctions law all end up in the request path of "can this site speak HTTPS to normal users?"

That does not make Let’s Encrypt uniquely bad. Any CA has some jurisdiction, owners, contracts, root-program obligations, abuse process, and legal exposure. Moving the CA changes the governance surface; it does not remove governance.

But it does mean "just use Let’s Encrypt" is not a neutral answer when protocols, browsers, APIs, app stores, or regulators effectively require TLS. The operational dependency is not only ACME uptime and certificate issuance. It is also jurisdictional continuity.

The hard product question is what failure mode we want:

1. Web PKI: power concentrates in CAs, browsers, and root programs.

2. DANE/DNSSEC: power shifts toward DNS operators, registries, registrars, and governments.

3. Self-signed / TOFU / pinning: power shifts toward application-specific trust and worse UX.

4. Multiple CAs: better resilience, but still bounded by browser trust stores and legal chokepoints.

There is no apolitical trust system here. There are only different control planes with different failure modes.

The practical ask from Let’s Encrypt should be clarity: issuance vs renewal vs revocation, existing certs vs future certs, domain location vs subscriber location, hosting location vs user location, and how they interpret “use” of a certificate. Without that, operators are left guessing whether this is a narrow compliance clause or a broad infrastructure-risk event.

ezbie 7 hours ago

What in the actual fuck?

cynicalsecurity 5 hours ago

This actually makes sense. No freedom for the enemies of freedom.

hinata08 4 hours ago

the list of ppl under US sanctions is staggering

Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)

China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the government

US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and a Somali goalkeeper being turned away at the border. Germany itself didn't do that for the 1936 Olympics.

So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds was already a risk of loss of revenue from FISA requests to undercut your bid and rot your company, and using US dollars for trade was already a liability

In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution

CrzyLngPwd 5 hours ago

But what if you're the baddies?

bigfishrunning 3 hours ago

Then try not to be completely dependent on the products of a company that is under the control of your enemy.

mswphd 5 hours ago

love thought-terminating cliches. really helps keep from actually thinking ever.

cynicalsecurity 5 hours ago

Your comment reads like a thought-terminating cliché. If Russia occupied your city, killed your family and friends and left you homeless, you might reconsider giving freedom to those who take it away from others. Unfortunately, sanctions are often very easy to evade.

Shish2k 4 hours ago

contagiousflow 4 hours ago

queenkjuul 3 hours ago

Towaway69 15 hours ago

Sanctioned has a double meaning here[1]:

> 2. officially or formally ratified or confirmed.

> 3. penalized, especially by way of discipline or to force compliance with legal obligations.

So who can use lets encrypt? Those that are penalised or those that are confirmed.

[1] https://www.dictionary.com/browse/sanctioned

thephyber 15 hours ago

If you click the link…

> [You certify to LetsEncrypt that] …

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

gossamer 2 hours ago

It took me a minute to understand the original post because the verb sanction means both itself and basically the opposite of itself. It would be better to say "any territory that the US has levied sanctions against". I thought LetsEncrypt had banned its usage in the US! The word for words like sanction is contronym.