Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]

139 points - yesterday at 10:32 PM

Comments

CobrastanJorji today at 6:15 PM
Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

That said, I'm pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40-bit encryption, or "fancy secure" versions with 128-bit encryption.

Insimwytim today at 5:24 PM
Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!

Russian quasi-government structures are spending quadrillions of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!

idoubtit today at 6:26 AM
Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they admit they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

Igrom today at 8:21 AM
It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.

Front matter:

- it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate
- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural

2.1 "Term":

- "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural

3.1 "Warranties":

- "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
axiologist today at 10:55 AM
This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.
wnevets today at 5:38 PM
Maybe consolidating ~60% of the web's certificates onto a single provider was a mistake.
m2f2 today at 5:25 AM
Is this a canary?

What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?

Has letsencrypt been served with a subpoena?

karteum today at 11:30 AM
Can anyone explain to me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser?
piskov yesterday at 10:36 PM
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations
theamk yesterday at 11:18 PM
Makes sense, they are a US company. I am surprised it took them that long.
42droids today at 4:51 AM
Has anyone got any experience with Zero SSL? https://zerossl.com/ It seems like a good EU alternative.
Panzerschrek today at 6:24 AM
Does it mean that Russian/Iranian websites using Let's Encrypt stop working and need to change their certificate provider?
RyeCombinator today at 5:42 AM
Actalis https://actalis.com/ is a good EU alternative.
DoctorOetker today at 6:09 AM
> active eavesdropping (e.g., monster-in-the-middle attacks)

is this standard MitM, or is it some crucially distinct variation?

greatgib today at 5:42 PM
To be put in perspective with their push for very short-lived certificates, like 7 days, with the argument that anyone can easily get a certificate at any time.

But in fact, little by little you have all the stack needed to be able to isolate some entities from the internet at the US's request in a very short time.

pxeger1 today at 7:43 AM
How are they going to enforce this?
ezbie today at 2:38 PM
What in the actual fuck?
diimdeep today at 10:50 AM
The reach is, by rough estimates, ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3–1 million in Iran.

Whatever USofA, it's not hard to have their own cosmodrome and certificates.

Tangentially, in 2026 website certificates feel like nothing: a disposable automation artifact, toxic max-security[1], a vehicle for rent seekers, a fingerprint.

[1] https://tom7.org/httpv/httpv.pdf

phoe-krk today at 11:24 AM
And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.
cynicalsecurity today at 4:57 PM
This actually makes sense. No freedom for the enemies of freedom.
Towaway69 today at 6:12 AM
Sanctioned has a double meaning here[1]:

> 2. officially or formally ratified or confirmed.

> 3. penalized, especially by way of discipline or to force compliance with legal obligations.

So who can use lets encrypt? Those that are penalised or those that are confirmed.

[1] https://www.dictionary.com/browse/sanctioned

ComputerGuru today at 5:31 PM
This is bullshit on par with the Chinese firewall, meant to effectively cut the (entire!) Western world off from information from parties deemed persona non grata. SSL certificates are supposed to be about security, not geopolitics.

I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).

Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.