Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]

idoubtit 1 hour ago |

Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

cassianoleal 15 minutes ago | |

They could, but if the branch didn’t follow these laws, the main US branch would still be liable.

m2f2 2 hours ago |

Is this a canary?

What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?

Has letsencrypt been served with a subpoena?

pxeger1 17 minutes ago |

How are they going to enforce this?

Towaway69 1 hour ago |

Sanctioned has a double meaning here[1]:

> 2. officially or formally ratified or confirmed.

> 3. penalized, especially by way of discipline or to force compliance with legal obligations.

So who can use lets encrypt? Those that are penalised or those that are confirmed.

[1] https://www.dictionary.com/browse/sanctioned

thephyber 1 hour ago | |

If you click the link…

> [You certify to LetsEncrypt that] …

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

Panzerschrek 1 hour ago |

Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider?

altairprime 16 minutes ago | |

Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S..

DoctorOetker 1 hour ago |

> active eavesdropping (e.g., monster-in-the-middle attacks)

is this standard MitM, or is it some crucially distinct variation?

thephyber 1 hour ago | |

Man in the Middle Wiki:

> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.

walletdrainer 1 hour ago | | |

Those sources feel more than slightly contrived.

walletdrainer 1 hour ago | |

It's the American version, concepts like "man" and "woman" are deeply sexist and offensive in their culture. There are no men or women, only monsters.

Let me also just leave this masterpiece right here https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-dan...

cassianoleal 13 minutes ago | | |

I kinda like this framing. It effectively classifies companies such as Zscaler and CloudFlare as monsters.

RyeCombinator 2 hours ago |

Actalis https://actalis.com/ is a good EU alternative.

gapan 2 hours ago | |

No it isn't. Not unless it's free.

This is the main reason letsencrypt is so popular.

crote 48 minutes ago | | |

They do have a free plan with unlimited ACME DV certs, though! Not marketed very well and no wildcard certs, but it does exist.

42droids 3 hours ago |

Has anyone got any experience with Zero SSL? https://zerossl.com/ It seems like a good EU alternative.

47282847 2 hours ago | |

EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.

nomadwastaken 5 minutes ago | | |

The privacy policy is under legal in the footer, exactly where I'd expect it to be honest. It also gives the company registration: > 1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“) and below that the company address (registered in Austria).

Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.

At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.

slau 2 hours ago | | |

HID was originally American and Scottish, but became fully American in 1994.

HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.

ZeroSSL used to be Austrian until their acquisition in 2024.

I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.

nickf 35 minutes ago | |

ZeroSSL aren't an EU-based alternative, unfortunately.

slau 2 hours ago | |

3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.

That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.

nomadwastaken 2 minutes ago | | |

From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear...

> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.

[0]: https://zerossl.com/documentation/acme/

piskov 9 hours ago |

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations

theamk 8 hours ago |

Makes sense, they are US company. I am surprised it took them that long.

rwmj 13 minutes ago | |

"US company must obey US law" doesn't make for a very interesting headline.