Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!<p>Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!
Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?<p>Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.<p>Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:<p>> You are not a person or entity that is:<p>> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions;<p>> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;<p>> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).<p>> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.
It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of <i>all</i> your certificates — also the ones for non-sanctioned countries.<p>Front matter:<p><pre><code> - it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate
- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural
</code></pre>
2.1 "Term":<p><pre><code> - "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural
</code></pre>
3.1 "Warranties":<p><pre><code> - "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural</code></pre>
This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership.
It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS.
That's digital tyranny in disguise.
I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.
Do we also need to put all our letters into strongboxes before we send them?<p>Maybe we should have solve the ISP snooping problem by making that illegal instead.
We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.
I trust governments much less that a conglomerate of competing corporations.<p>With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.<p>With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)
> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.<p>Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.<p>> With DANE (or other country-issued certificates)<p>DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.
Pretty much any big government has a CA they can exert direct control over whenever needed.
Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.<p>And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.<p>If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?<p>[0] <a href="https://blog.mozilla.org/security/2011/09/02/diginotar-removal-follow-up/" rel="nofollow">https://blog.mozilla.org/security/2011/09/02/diginotar-remov...</a>
> I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them.<p>Note that phones already try to prevent you from using a certificate that you provide yourself.
> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.<p>I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.
Is this a canary?<p>What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?<p>Has letsencrypt been served with a subpoena?
Can anyone explain me what went wrong with <a href="http://www.cacert.org/" rel="nofollow">http://www.cacert.org/</a> and why they are not supported by any major browser ?
the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribtion license that they can't follow.<p>LWN has a good writeup on the audit situation as of 2014: <a href="https://lwn.net/Articles/590879/" rel="nofollow">https://lwn.net/Articles/590879/</a>
To be put in perspective with their push for very short live certificates, like 7 days, with the argument that anyone can easily get certificate from at any time.<p>But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations
Makes sense, they are US company. I am surprised it took them that long.
"US company must obey US law" doesn't make for a very interesting headline.
It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.
That's just another reminder that no one from outside of US should deal with US companies.
Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider?
Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S..
Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person.
I hope not. We don't have any alternatives yet.
They already revoced certificates for some russian sites
Actalis <a href="https://actalis.com/" rel="nofollow">https://actalis.com/</a> is a good EU alternative.
> active eavesdropping (e.g., monster-in-the-middle attacks)<p>is this standard MitM, or is it some crucially distinct variation?
Man in the Middle Wiki:<p>> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.
It's the American version, concepts like "man" and "woman" are deeply sexist and offensive in their culture. There are no men or women, only monsters.<p>Let me also just leave this masterpiece right here <a href="https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-danger-adversary-middle-attacks" rel="nofollow">https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-dan...</a>
"concepts like "man" and "woman" are deeply sexist and offensive in their culture".<p>Only to people who have a need to be offended.
I kinda like this framing. It effectively classifies companies such as Zscaler and CloudFlare as monsters.
Has anyone got any experience with Zero SSL? <a href="https://zerossl.com/" rel="nofollow">https://zerossl.com/</a>
It seems like a good EU alternative.
There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons.
EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.
HID was originally American and Scottish, but became fully American in 1994.<p>HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.<p>ZeroSSL used to be Austrian until their acquisition in 2024.<p>I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.
Jumping in here since we’ve been seeing more mentions of ZeroSSL lately, likely related to the recent CA/B Forum discussions around 1‑year certificates and ACME automation.<p>- We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden).<p>- We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.<p>- For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate.<p>Happy to clarify further if useful.
Any plans on becoming an independent CA? Would certificates issued in your name also risk being affected by US sanctions trough sentigo?
> - We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.<p>OK, but in the context of this topic thr interesting part isn't your marketing but your jurisdiction.<p>Could you clarify which jurisdiction you operate under and a link on the ZeroSSL website that collaborates that?<p>Thank you <3
The privacy policy is under legal in the footer, exactly where I'd expect it to be honest. It also gives the company registration:
> 1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“)
and below that the company address (registered in Austria).<p>Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.<p>At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.
3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.<p>That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.
From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear...<p>> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.<p>[0]: <a href="https://zerossl.com/documentation/acme/" rel="nofollow">https://zerossl.com/documentation/acme/</a>
It's Sectigo under the hood.
ZeroSSL aren't an EU-based alternative, unfortunately.
How are they going to enforce this?
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in Iran<p>Whatever USofA, it's not hard to have their own cosmodrome and certificates.<p>Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.<p>[1] <a href="https://tom7.org/httpv/httpv.pdf" rel="nofollow">https://tom7.org/httpv/httpv.pdf</a>
What in the actual fuck?
And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.
[flagged]
[dead]
This actually makes sense. No freedom for the enemies of freedom.
the list of ppl under US sanctions is staggering<p>Europe starts to shield itself from the risk since the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)<p>China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the governement<p>US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and Somali goalkeeper being turned away at the border. Germany itself didn't do for the 1936 Olympics.<p>So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds were already a risk of loss of revenue from FISA requests to undercut your bid and rot your company and using US dollars for trade was already a liability<p>In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution
But what if you're the baddies?
love thought-terminating cliches. really helps keep from actually thinking ever.
Your comment reads like a thought-terminating cliché. If Russia occupied your city, killed your family and friends and left you homeless, you might reconsider giving freedom to those who take it away from others. Unfortunately, sanctions are often very easy to evade.
Now imagine the USA did that to the city you live in...
This is a reasonable point, if "enemies of freedom" and "enemies of America" are synonymous...
[dead]
Sanctioned has a double meaning here[1]:<p>> 2. officially or formally ratified or confirmed.<p>> 3. penalized, especially by way of discipline or to force compliance with legal obligations.<p>So who can use lets encrypt? Those that are penalised or those that are confirmed.<p>[1] <a href="https://www.dictionary.com/browse/sanctioned" rel="nofollow">https://www.dictionary.com/browse/sanctioned</a>
If you click the link…<p>> [You certify to LetsEncrypt that] …<p>> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics.<p>I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).<p>Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.