Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!
Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!
gnerd00 29 minutes ago [-]
wait until you find out about Facebook!
idoubtit 12 hours ago [-]
Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?
Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.
Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:
> You are not a person or entity that is:
> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions;
> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).
> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
cassianoleal 10 hours ago [-]
They could, but if the branch didn’t follow these laws, the main US branch would still be liable.
cromka 10 hours ago [-]
It's about time SOME entities start moving from US entirely.
mikeyouse 1 hours ago [-]
RISC-V Foundation did.. though they go out of their way to talk about it in terms that try not to piss anyone off..
> "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward.
> In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders."
> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.
> The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control.
Perhaps they should build their own vs acting indignant and entitled to an American service built on American money.
rafram 1 hours ago [-]
Other countries sanction each other too.
Igrom 10 hours ago [-]
It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.
Front matter:
- it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate
- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural
2.1 "Term":
- "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural
3.1 "Warranties":
- "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
axiologist 7 hours ago [-]
This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership.
It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS.
That's digital tyranny in disguise.
MarleTangible 7 hours ago [-]
I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.
account42 2 hours ago [-]
Do we also need to put all our letters into strongboxes before we send them?
Maybe we should have solve the ISP snooping problem by making that illegal instead.
theamk 2 hours ago [-]
This just leaves every single public Wifi network - which used to mess with traffic a lot
cyanydeez 1 hours ago [-]
Guys, we live in a society.
Parodper 4 hours ago [-]
We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.
theamk 3 hours ago [-]
I trust governments much less that a conglomerate of competing corporations.
With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.
With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)
Parodper 1 hours ago [-]
> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.
Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.
> With DANE (or other country-issued certificates)
DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.
account42 2 hours ago [-]
Pretty much any big government has a CA they can exert direct control over whenever needed.
theamk 2 hours ago [-]
Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.
And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.
If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?
Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].
I didn’t realize the slapped their face on the pavement right after being acquired.
> I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them.
Note that phones already try to prevent you from using a certificate that you provide yourself.
palmotea 3 hours ago [-]
> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.
I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.
account42 2 hours ago [-]
You could that with a much saner approach like DANE.
franga2000 2 hours ago [-]
Not back when SSL and the PKI ecosystem was developed.
m2f2 13 hours ago [-]
Is this a canary?
What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?
Has letsencrypt been served with a subpoena?
rafram 1 hours ago [-]
Neither Greenland nor the EU has been sanctioned by the US.
nitwit005 1 hours ago [-]
They haven't been sanctioned, yet, but we live in a time where that's a real possibility.
18 minutes ago [-]
_ache_ 1 hours ago [-]
Yet.
malfist 1 hours ago [-]
So far
tempfile 1 hours ago [-]
It is not exactly an outlandish suggestion that this may happen.
wnevets 26 minutes ago [-]
Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.
patmorgan23 15 minutes ago [-]
Well good thing everyone using the provider is using an open protocol and it's stupid easy to switch
karteum 7 hours ago [-]
Can anyone explain me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser ?
em-bee 5 hours ago [-]
the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribtion license that they can't follow.
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations
theamk 19 hours ago [-]
Makes sense, they are US company. I am surprised it took them that long.
rwmj 10 hours ago [-]
"US company must obey US law" doesn't make for a very interesting headline.
ceeam 8 hours ago [-]
"The world should stop trusting the US companies" OTOH...
cyanydeez 1 hours ago [-]
more optimistic would be "World should decentralize America's trust"
ohmg 8 hours ago [-]
The headline is more « US law is batshit and extends well beyond its borders with real world consequences »
pavon 30 minutes ago [-]
This is not an example of that. It is perfectly within US jurisdiction to prevent US companies from doing business with sanctioned countries. That is the point of a sanction, and US is in good company in choosing to use sanctions as a diplomatic tool.
It is more of an example of how the internet/software industry is too consolidated to the US, and thus other countries are too dependent on the US in those areas. If the internet infrastructure was well distributed, then people in sanction countries could simply get certificates issued by a different CA, and in some cases they can. However, this is complicated by the fact that the list of trusted CAs is dominated by US organizations (Google, Mozilla, Apple, Microsoft). If you want to reach western audience you must use certs from a CA approved by them.
ezbie 3 hours ago [-]
Exactly. Ever since I was a kid I never understood how the US has jurisdiction way beyond their borders.
Then I graduated in International Relations and understood that the hole is much deeper than that.
Now it's pretty obvious with all the shit that trump has been doing, but back then me and much of the people I know were oblivious to what US power really means.
account42 2 hours ago [-]
It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.
floper_a 7 hours ago [-]
That's just another reminder that no one from outside of US should deal with US companies.
42droids 13 hours ago [-]
Has anyone got any experience with Zero SSL? https://zerossl.com/
It seems like a good EU alternative.
47282847 13 hours ago [-]
EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.
slau 12 hours ago [-]
HID was originally American and Scottish, but became fully American in 1994.
HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.
ZeroSSL used to be Austrian until their acquisition in 2024.
I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.
ZeroSSL 3 hours ago [-]
Jumping in here since we’ve been seeing more mentions of ZeroSSL lately, likely related to the recent CA/B Forum discussions around 1‑year certificates and ACME automation.
- We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden).
- We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.
- For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate.
Happy to clarify further if useful.
redrblackr 27 minutes ago [-]
Any plans on becoming an independent CA? Would certificates issued in your name also risk being affected by US sanctions trough sentigo?
orochimaaru 1 minutes ago [-]
If they do business in the US they will be expected to comply with US law - this includes their stock being traded on US stock exchanges.
If they don’t have any business in the US and any financial ties to the US they won’t be subject to the sanctions. But I believe it will create issues if they want to enter the US market.
kruffalon 1 hours ago [-]
> - We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.
OK, but in the context of this topic thr interesting part isn't your marketing but your jurisdiction.
Could you clarify which jurisdiction you operate under and a link on the ZeroSSL website that collaborates that?
Thank you <3
nomadwastaken 10 hours ago [-]
The privacy policy is under legal in the footer, exactly where I'd expect it to be honest. It also gives the company registration:
> 1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“)
and below that the company address (registered in Austria).
Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.
At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.
47282847 5 hours ago [-]
I don’t see “legal” in the footer on mobile. Or any other link. Or a link to an About page in the main nav. There’s nothing.
linsomniac 49 minutes ago [-]
There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons.
slau 12 hours ago [-]
3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.
That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.
nomadwastaken 10 hours ago [-]
From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear...
> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.
ZeroSSL aren't an EU-based alternative, unfortunately.
Panzerschrek 12 hours ago [-]
Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider?
altairprime 10 hours ago [-]
Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S..
account42 2 hours ago [-]
Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person.
leosarev 3 hours ago [-]
I hope not. We don't have any alternatives yet.
piskov 8 hours ago [-]
They already revoced certificates for some russian sites
> active eavesdropping (e.g., monster-in-the-middle attacks)
is this standard MitM, or is it some crucially distinct variation?
thephyber 12 hours ago [-]
Man in the Middle Wiki:
> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.
walletdrainer 11 hours ago [-]
Those sources feel more than slightly contrived.
walletdrainer 11 hours ago [-]
It's the American version, concepts like "man" and "woman" are deeply sexist and offensive in their culture. There are no men or women, only monsters.
"concepts like "man" and "woman" are deeply sexist and offensive in their culture".
Only to people who have a need to be offended.
cassianoleal 10 hours ago [-]
I kinda like this framing. It effectively classifies companies such as Zscaler and CloudFlare as monsters.
walletdrainer 8 hours ago [-]
It's particularly funny because "monster-in-the-middle" appears to be a deliberately quirky marketing term invented by cloudflare.
wofo 35 minutes ago [-]
Fun fact: some older articles were originally written using the term man-in-the-middle, but at some point were updated... except that the diagrams still use man-in-the-middle because search-and-replace doesn't work on images.
greatgib 22 minutes ago [-]
To be put in perspective with their push for very short live certificates, like 7 days, with the argument that anyone can easily get certificate from at any time.
But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time
pxeger1 10 hours ago [-]
How are they going to enforce this?
nickf 6 hours ago [-]
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
diimdeep 7 hours ago [-]
the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in Iran
Whatever USofA, it's not hard to have their own cosmodrome and certificates.
Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.
And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union.
jalospinoso 1 hours ago [-]
[flagged]
psy0p 46 minutes ago [-]
[dead]
cynicalsecurity 1 hours ago [-]
This actually makes sense. No freedom for the enemies of freedom.
mswphd 1 hours ago [-]
love thought-terminating cliches. really helps keep from actually thinking ever.
cynicalsecurity 58 minutes ago [-]
Your comment reads like a thought-terminating cliché. If Russia occupied your city, killed your family and friends and left you homeless, you might reconsider giving freedom to those who take it away from others. Unfortunately, sanctions are often very easy to evade.
contagiousflow 31 minutes ago [-]
Now imagine the USA did that to the city you live in...
hinata08 20 minutes ago [-]
it can't happen, they only attack civilians in countries that have weapons of mass destruction or have a evil economic system of socialized healthcare and labor market
They also don't like states that threaten business by turning workers into a commodity that you have to compensate each month ; Spain sunk the Maine ; and they had manifest destiny given from God to get rid of natives
Shish2k 25 minutes ago [-]
This is a reasonable point, if "enemies of freedom" and "enemies of America" are synonymous...
greyface- 24 minutes ago [-]
[dead]
CrzyLngPwd 59 minutes ago [-]
But what if you're the baddies?
hinata08 45 minutes ago [-]
the list of ppl under US sanctions is staggering
Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)
China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the governement
US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and Somali goalkeeper being turned away at the border. Germany itself didn't do for the 1936 Olympics.
So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds were already a risk of loss of revenue from FISA requests to undercut your bid and rot your company and using US dollars for trade was already a liability
In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution
Towaway69 12 hours ago [-]
Sanctioned has a double meaning here[1]:
> 2. officially or formally ratified or confirmed.
> 3. penalized, especially by way of discipline or to force compliance with legal obligations.
So who can use lets encrypt? Those that are penalised or those that are confirmed.
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
ComputerGuru 33 minutes ago [-]
This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics.
I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).
Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.
Rendered at 18:04:43 GMT+0000 (Coordinated Universal Time) with Vercel.
Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!
Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.
Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:
> You are not a person or entity that is:
> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;
> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).
> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
> "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward.
> In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders."
> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.
> The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control.
https://riscv.org/about/
Front matter:
2.1 "Term": 3.1 "Warranties":Maybe we should have solve the ISP snooping problem by making that illegal instead.
With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.
With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)
Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.
> With DANE (or other country-issued certificates)
DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.
And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.
If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?
[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...
I didn’t realize the slapped their face on the pavement right after being acquired.
[1] https://en.wikipedia.org/wiki/DigiNotar
Note that phones already try to prevent you from using a certificate that you provide yourself.
I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.
What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?
Has letsencrypt been served with a subpoena?
LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/
It is more of an example of how the internet/software industry is too consolidated to the US, and thus other countries are too dependent on the US in those areas. If the internet infrastructure was well distributed, then people in sanction countries could simply get certificates issued by a different CA, and in some cases they can. However, this is complicated by the fact that the list of trusted CAs is dominated by US organizations (Google, Mozilla, Apple, Microsoft). If you want to reach western audience you must use certs from a CA approved by them.
Then I graduated in International Relations and understood that the hole is much deeper than that.
Now it's pretty obvious with all the shit that trump has been doing, but back then me and much of the people I know were oblivious to what US power really means.
HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.
ZeroSSL used to be Austrian until their acquisition in 2024.
I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.
- We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden).
- We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.
- For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate.
Happy to clarify further if useful.
If they don’t have any business in the US and any financial ties to the US they won’t be subject to the sanctions. But I believe it will create issues if they want to enter the US market.
OK, but in the context of this topic thr interesting part isn't your marketing but your jurisdiction.
Could you clarify which jurisdiction you operate under and a link on the ZeroSSL website that collaborates that?
Thank you <3
Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.
At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.
That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.
> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.
[0]: https://zerossl.com/documentation/acme/
This is the main reason letsencrypt is so popular.
is this standard MitM, or is it some crucially distinct variation?
> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.
Let me also just leave this masterpiece right here https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-dan...
Only to people who have a need to be offended.
But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time
Whatever USofA, it's not hard to have their own cosmodrome and certificates.
Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.
[1] https://tom7.org/httpv/httpv.pdf
They also don't like states that threaten business by turning workers into a commodity that you have to compensate each month ; Spain sunk the Maine ; and they had manifest destiny given from God to get rid of natives
Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)
China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the governement
US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and Somali goalkeeper being turned away at the border. Germany itself didn't do for the 1936 Olympics.
So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds were already a risk of loss of revenue from FISA requests to undercut your bid and rot your company and using US dollars for trade was already a liability
In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution
> 2. officially or formally ratified or confirmed.
> 3. penalized, especially by way of discipline or to force compliance with legal obligations.
So who can use lets encrypt? Those that are penalised or those that are confirmed.
[1] https://www.dictionary.com/browse/sanctioned
> [You certify to LetsEncrypt that] …
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too).
Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach.