HN

Need help?
<- Back
Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]

Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]

piskov

Comments (149)

  • CobrastanJorji
    Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
  • idoubtit
    Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:> You are not a person or entity that is:> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
  • Insimwytim
    Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!
  • axiologist
    This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.
  • Igrom
    It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.Front matter: - it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate - it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural 2.1 "Term": - "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural 3.1 "Warranties": - "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
  • joemi
    Is Let's Encrypt the only provider of SSL certificates?Genuine question! Because I assumed there were other places you could get a SSL certificate, but people in this thread seem to be implying that without Let's Encrypt, there's no way for people in those sanctioned territories to get a cert.
  • m2f2
    Is this a canary?What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?Has letsencrypt been served with a subpoena?
  • mrweasel
    This should be one of those things that should be an quick EU win. Running Let's Encrypt is $3-4mill a year, the EU probably uses that on pencils.The EU could easily bootstrap a Let's Encrypt competitor if it truly cared about removing dependencies on US based entities.
  • wnevets
    Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.
  • niemandhier
    It their right to do that.But can we still trust them?I am not well versed in how their systemwide certificate issuance works: If they have to add this to their terms to comply with their government, could the same government use pressure to leverage let’s encrypt to do harm.
  • VortexLain
    Now this is very bad, as bad as it can get. As soon as all local services will stop working in sanctioned countries, those countries' governments will force all users to either install a root certificate or lose access to all local services and websites. And then it will be possible to use that root certificate for MITM attacks. In the worst case scenario, after the majority of users will install the root certificate, state DPIs will MITM all traffic and will block all un-MITMable traffic.
  • karteum
    Can anyone explain me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser ?
  • piskov
    > You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations
  • theamk
    Makes sense, they are US company. I am surprised it took them that long.
  • RyeCombinator
    Actalis https://actalis.com/ is a good EU alternative.
  • nikolay
    Yeah, let everybody build and use their own services, and then the US will end up having less control and visibility. Great tactics!
  • DoctorOetker
    > active eavesdropping (e.g., monster-in-the-middle attacks)is this standard MitM, or is it some crucially distinct variation?
  • 42droids
    Has anyone got any experience with Zero SSL? https://zerossl.com/ It seems like a good EU alternative.
  • Panzerschrek
    Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider?
  • greatgib
    To be put in perspective with their push for very short live certificates, like 7 days, with the argument that anyone can easily get certificate from at any time.But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time
  • OutOfHere
    I had the parent organization of LetsEncrypt (Internet Security Research Group) in my Will, but after reading this, I will remove it immediately. US sanctions harm too many innocents.
  • anon
    undefined
  • pxeger1
    How are they going to enforce this?
  • ComputerGuru
    This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics.I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.
  • diimdeep
    the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in IranWhatever USofA, it's not hard to have their own cosmodrome and certificates.Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.[1] https://tom7.org/httpv/httpv.pdf
  • snowflaxxx
    [flagged]
  • phoe-krk
    And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.
  • ezbie
    What in the actual fuck?
  • jalospinoso
    The uninteresting version of this is “US entity follows US law.”The interesting version is that Web PKI is not just cryptographic infrastructure. It is also a policy distribution system. A browser trust store, a CA, a subscriber agreement, revocation rules, export controls, and sanctions law all end up in the request path of "can this site speak HTTPS to normal users?"That does not make Let’s Encrypt uniquely bad. Any CA has some jurisdiction, owners, contracts, root-program obligations, abuse process, and legal exposure. Moving the CA changes the governance surface; it does not remove governance.But it does mean "just use Let’s Encrypt" is not a neutral answer when protocols, browsers, APIs, app stores, or regulators effectively require TLS. The operational dependency is not only ACME uptime and certificate issuance. It is also jurisdictional continuity.The hard product question is what failure mode we want:1. Web PKI: power concentrates in CAs, browsers, and root programs. 2. DANE/DNSSEC: power shifts toward DNS operators, registries, registrars, and governments. 3. Self-signed / TOFU / pinning: power shifts toward application-specific trust and worse UX. 4. Multiple CAs: better resilience, but still bounded by browser trust stores and legal chokepoints.There is no apolitical trust system here. There are only different control planes with different failure modes.The practical ask from Let’s Encrypt should be clarity: issuance vs renewal vs revocation, existing certs vs future certs, domain location vs subscriber location, hosting location vs user location, and how they interpret “use” of a certificate. Without that, operators are left guessing whether this is a narrow compliance clause or a broad infrastructure-risk event.
  • psy0p
    [dead]
  • cynicalsecurity
    This actually makes sense. No freedom for the enemies of freedom.
  • Towaway69
    Sanctioned has a double meaning here[1]:> 2. officially or formally ratified or confirmed.> 3. penalized, especially by way of discipline or to force compliance with legal obligations.So who can use lets encrypt? Those that are penalised or those that are confirmed.[1] https://www.dictionary.com/browse/sanctioned