| ▲ | Let's Encrypt bans certificate usage in any US sanctioned territory [pdf](letsencrypt.org) |
| 139 points by piskov 20 hours ago | 96 comments |
| |
|
| ▲ | CobrastanJorji 5 minutes ago | parent | next [-] |
| Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great. That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption. |
|
| ▲ | Insimwytim an hour ago | parent | prev | next [-] |
| Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em! Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption! |
| |
|
| ▲ | idoubtit 12 hours ago | parent | prev | next [-] |
| Couldn't LE have a branch in Europe or anywhere outside the USA and its minions? Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization. Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04: > You are not a person or entity that is: > (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions; > (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; > or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). > You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations. |
| |
| ▲ | cassianoleal 11 hours ago | parent [-] | | They could, but if the branch didn’t follow these laws, the main US branch would still be liable. | | |
| ▲ | cromka 10 hours ago | parent [-] | | It's about time SOME entities start moving from US entirely. | | |
| ▲ | mikeyouse 2 hours ago | parent | next [-] | | RISC-V Foundation did.. though they go out of their way to talk about it in terms that try not to piss anyone off.. > "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward. > In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders." > RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years. > The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control. https://riscv.org/about/ | |
| ▲ | rafram an hour ago | parent | prev [-] | | Other countries sanction each other too. |
|
|
|
|
| ▲ | Igrom 10 hours ago | parent | prev | next [-] |
| It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries. Front matter: - it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate
- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural
2.1 "Term": - "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural
3.1 "Warranties": - "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
|
|
| ▲ | axiologist 7 hours ago | parent | prev | next [-] |
| This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership.
It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS.
That's digital tyranny in disguise. |
| |
| ▲ | MarleTangible 7 hours ago | parent | next [-] | | I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built. | | |
| ▲ | account42 3 hours ago | parent | next [-] | | Do we also need to put all our letters into strongboxes before we send them? Maybe we should have solve the ISP snooping problem by making that illegal instead. | | |
| ▲ | theamk 2 hours ago | parent [-] | | This just leaves every single public Wifi network - which used to mess with traffic a lot | | |
| |
| ▲ | Parodper 4 hours ago | parent | prev | next [-] | | We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals. | | |
| ▲ | theamk 3 hours ago | parent [-] | | I trust governments much less that a conglomerate of competing corporations. With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better. With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too) | | |
| ▲ | Parodper an hour ago | parent | next [-] | | > every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage. > With DANE (or other country-issued certificates) DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries. | |
| ▲ | account42 3 hours ago | parent | prev [-] | | Pretty much any big government has a CA they can exert direct control over whenever needed. | | |
| ▲ | theamk 2 hours ago | parent [-] | | Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example. And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party. If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country? [0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov... | | |
| ▲ | JumpCrisscross 28 minutes ago | parent [-] | | Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1]. I didn’t realize the slapped their face on the pavement right after being acquired. [1] https://en.wikipedia.org/wiki/DigiNotar |
|
|
|
| |
| ▲ | thaumasiotes an hour ago | parent | prev [-] | | > I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Note that phones already try to prevent you from using a certificate that you provide yourself. |
| |
| ▲ | palmotea 4 hours ago | parent | prev [-] | | > This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise. I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks. | | |
|
|
| ▲ | wnevets 42 minutes ago | parent | prev | next [-] |
| Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake. |
| |
| ▲ | patmorgan23 32 minutes ago | parent [-] | | Well good thing everyone using the provider is using an open protocol and it's stupid easy to switch |
|
|
| ▲ | m2f2 13 hours ago | parent | prev | next [-] |
| Is this a canary? What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU? Has letsencrypt been served with a subpoena? |
| |
| ▲ | rafram an hour ago | parent [-] | | Neither Greenland nor the EU has been sanctioned by the US. | | |
|
|
| ▲ | karteum 7 hours ago | parent | prev | next [-] |
| Can anyone explain me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser ? |
| |
| ▲ | em-bee 5 hours ago | parent [-] | | the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribtion license that they can't follow. LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/ |
|
|
| ▲ | piskov 20 hours ago | parent | prev | next [-] |
| > You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations |
|
| ▲ | theamk 19 hours ago | parent | prev | next [-] |
| Makes sense, they are US company. I am surprised it took them that long. |
| |
| ▲ | rwmj 11 hours ago | parent | next [-] | | "US company must obey US law" doesn't make for a very interesting headline. | | |
| ▲ | ceeam 8 hours ago | parent | next [-] | | "The world should stop trusting the US companies" OTOH... | | | |
| ▲ | ohmg 8 hours ago | parent | prev [-] | | The headline is more « US law is batshit and extends well beyond its borders with real world consequences » | | |
| ▲ | pavon an hour ago | parent | next [-] | | This is not an example of that. It is perfectly within US jurisdiction to prevent US companies from doing business with sanctioned countries. That is the point of a sanction, and US is in good company in choosing to use sanctions as a diplomatic tool. It is more of an example of how the internet/software industry is too consolidated to the US, and thus other countries are too dependent on the US in those areas. If the internet infrastructure was well distributed, then people in sanction countries could simply get certificates issued by a different CA, and in some cases they can. However, this is complicated by the fact that the list of trusted CAs is dominated by US organizations (Google, Mozilla, Apple, Microsoft). If you want to reach western audience you must use certs from a CA approved by them. | |
| ▲ | ezbie 4 hours ago | parent | prev [-] | | Exactly. Ever since I was a kid I never understood how the US has jurisdiction way beyond their borders. Then I graduated in International Relations and understood that the hole is much deeper than that. Now it's pretty obvious with all the shit that trump has been doing, but back then me and much of the people I know were oblivious to what US power really means. |
|
| |
| ▲ | account42 3 hours ago | parent | prev | next [-] | | It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS. | |
| ▲ | floper_a 7 hours ago | parent | prev [-] | | That's just another reminder that no one from outside of US should deal with US companies. |
|
|
| ▲ | 42droids 13 hours ago | parent | prev | next [-] |
| Has anyone got any experience with Zero SSL? https://zerossl.com/
It seems like a good EU alternative. |
| |
| ▲ | matharmin 6 minutes ago | parent | next [-] | | I use them in some cases to avoid the rate limits on LetsEncrypt, and they have better support for some older platforms (like ancient Android versions), and I'm pretty happy so far. I have a paid account to support them, but it's not a requirement for ACME certs. It works without issue with Kubernetes Certbot, and seamless to switch between ZeroSSL and LetsEncrypt. I can't comment on the EU part though - not that relevant in my case. | |
| ▲ | 47282847 13 hours ago | parent | prev | next [-] | | EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless. | | |
| ▲ | slau 13 hours ago | parent | next [-] | | HID was originally American and Scottish, but became fully American in 1994. HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish. ZeroSSL used to be Austrian until their acquisition in 2024. I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form. | |
| ▲ | ZeroSSL 3 hours ago | parent | prev | next [-] | | Jumping in here since we’ve been seeing more mentions of ZeroSSL lately, likely related to the recent CA/B Forum discussions around 1‑year certificates and ACME automation. - We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden). - We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way. - For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate. Happy to clarify further if useful. | | |
| ▲ | redrblackr 43 minutes ago | parent | next [-] | | Any plans on becoming an independent CA? Would certificates issued in your name also risk being affected by US sanctions trough sentigo? | | |
| ▲ | orochimaaru 17 minutes ago | parent [-] | | If they do business in the US they will be expected to comply with US law - this includes their stock being traded on US stock exchanges. If they don’t have any business in the US and any financial ties to the US they won’t be subject to the sanctions. But I believe it will create issues if they want to enter the US market. |
| |
| ▲ | kruffalon an hour ago | parent | prev [-] | | > - We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way. OK, but in the context of this topic thr interesting part isn't your marketing but your jurisdiction. Could you clarify which jurisdiction you operate under and a link on the ZeroSSL website that collaborates that? Thank you <3 |
| |
| ▲ | nomadwastaken 10 hours ago | parent | prev [-] | | The privacy policy is under legal in the footer, exactly where I'd expect it to be honest. It also gives the company registration:
> 1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“)
and below that the company address (registered in Austria). Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be. At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see. | | |
| ▲ | 47282847 6 hours ago | parent [-] | | I don’t see “legal” in the footer on mobile. Or any other link. Or a link to an About page in the main nav. There’s nothing. |
|
| |
| ▲ | linsomniac an hour ago | parent | prev | next [-] | | There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons. | |
| ▲ | slau 13 hours ago | parent | prev | next [-] | | 3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones. That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert. | | |
| ▲ | nomadwastaken 10 hours ago | parent [-] | | From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear... > By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account. [0]: https://zerossl.com/documentation/acme/ | | |
| ▲ | matharmin a few seconds ago | parent [-] | | Yeah, they don't make it that clear, but you get basically the same functionality as with LetsEncrypt for free, including wildcard certs. You basically only need to pay for manually issued certs, or some of their other additional features. |
|
| |
| ▲ | patrakov 5 hours ago | parent | prev | next [-] | | It's Sectigo under the hood. | |
| ▲ | nickf 11 hours ago | parent | prev [-] | | ZeroSSL aren't an EU-based alternative, unfortunately. |
|
|
| ▲ | Panzerschrek 12 hours ago | parent | prev | next [-] |
| Does it mean that russian/iranian web-sites using letsencrypt stop working and need to change their certificate provider? |
| |
| ▲ | altairprime 11 hours ago | parent | next [-] | | Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S.. | |
| ▲ | account42 3 hours ago | parent | prev | next [-] | | Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person. | |
| ▲ | leosarev 3 hours ago | parent | prev | next [-] | | I hope not. We don't have any alternatives yet. | |
| ▲ | piskov 9 hours ago | parent | prev [-] | | They already revoced certificates for some russian sites |
|
|
| ▲ | RyeCombinator 13 hours ago | parent | prev | next [-] |
| Actalis https://actalis.com/ is a good EU alternative. |
| |
| ▲ | gapan 13 hours ago | parent [-] | | No it isn't. Not unless it's free. This is the main reason letsencrypt is so popular. | | |
| ▲ | crote 11 hours ago | parent | next [-] | | They do have a free plan with unlimited ACME DV certs, though! Not marketed very well and no wildcard certs, but it does exist. | | | |
| ▲ | RyeCombinator 4 hours ago | parent | prev [-] | | There is a free offering. |
|
|
|
| ▲ | DoctorOetker 12 hours ago | parent | prev | next [-] |
| > active eavesdropping (e.g., monster-in-the-middle attacks) is this standard MitM, or is it some crucially distinct variation? |
| |
| ▲ | thephyber 12 hours ago | parent | next [-] | | Man in the Middle Wiki: > Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack. | | | |
| ▲ | walletdrainer 12 hours ago | parent | prev [-] | | It's the American version, concepts like "man" and "woman" are deeply sexist and offensive in their culture. There are no men or women, only monsters. Let me also just leave this masterpiece right here https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-dan... | | |
| ▲ | mmahd7456 an hour ago | parent | next [-] | | "concepts like "man" and "woman" are deeply sexist and offensive in their culture". Only to people who have a need to be offended. | |
| ▲ | cassianoleal 11 hours ago | parent | prev [-] | | I kinda like this framing. It effectively classifies companies such as Zscaler and CloudFlare as monsters. | | |
| ▲ | walletdrainer 9 hours ago | parent [-] | | It's particularly funny because "monster-in-the-middle" appears to be a deliberately quirky marketing term invented by cloudflare. | | |
| ▲ | wofo an hour ago | parent [-] | | Fun fact: some older articles were originally written using the term man-in-the-middle, but at some point were updated... except that the diagrams still use man-in-the-middle because search-and-replace doesn't work on images. |
|
|
|
|
|
| ▲ | greatgib 38 minutes ago | parent | prev | next [-] |
| To be put in perspective with their push for very short live certificates, like 7 days, with the argument that anyone can easily get certificate from at any time. But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time |
|
| ▲ | pxeger1 11 hours ago | parent | prev | next [-] |
| How are they going to enforce this? |
| |
| ▲ | nickf 6 hours ago | parent [-] | | I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best. |
|
|
| ▲ | ezbie 4 hours ago | parent | prev | next [-] |
| What in the actual fuck? |
|
| ▲ | diimdeep 8 hours ago | parent | prev | next [-] |
| the reach is by rough estimates ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3-1 million in Iran Whatever USofA, it's not hard to have their own cosmodrome and certificates. Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint. [1] https://tom7.org/httpv/httpv.pdf |
|
| ▲ | phoe-krk 7 hours ago | parent | prev | next [-] |
| And now imagine that one of the Trump tantrums contains an announcement of sanctions against the European Union. |
|
| ▲ | cynicalsecurity an hour ago | parent | prev | next [-] |
| This actually makes sense. No freedom for the enemies of freedom. |
| |
| ▲ | mswphd an hour ago | parent | next [-] | | love thought-terminating cliches. really helps keep from actually thinking ever. | | |
| ▲ | cynicalsecurity an hour ago | parent [-] | | Your comment reads like a thought-terminating cliché. If Russia occupied your city, killed your family and friends and left you homeless, you might reconsider giving freedom to those who take it away from others. Unfortunately, sanctions are often very easy to evade. | | |
| ▲ | queenkjuul 3 minutes ago | parent | next [-] | | Ah right, that's why there's US sanctions on Israel? | |
| ▲ | contagiousflow an hour ago | parent | prev | next [-] | | Now imagine the USA did that to the city you live in... | | |
| ▲ | hinata08 37 minutes ago | parent [-] | | it can't happen, they only attack civilians in countries that have weapons of mass destruction or have a evil economic system of socialized healthcare and labor market They also don't like states that threaten business by turning workers into a commodity that you have to compensate each month ; Spain sunk the Maine ; and they had manifest destiny given from God to get rid of natives |
| |
| ▲ | Shish2k 41 minutes ago | parent | prev [-] | | This is a reasonable point, if "enemies of freedom" and "enemies of America" are synonymous... |
|
| |
| ▲ | CrzyLngPwd an hour ago | parent | prev | next [-] | | But what if you're the baddies? | |
| ▲ | hinata08 an hour ago | parent | prev [-] | | the list of ppl under US sanctions is staggering Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case) China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the governement US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and Somali goalkeeper being turned away at the border. Germany itself didn't do for the 1936 Olympics. So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds were already a risk of loss of revenue from FISA requests to undercut your bid and rot your company and using US dollars for trade was already a liability In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution |
|
|
| ▲ | Towaway69 12 hours ago | parent | prev | next [-] |
| Sanctioned has a double meaning here[1]: > 2. officially or formally ratified or confirmed. > 3. penalized, especially by way of discipline or to force compliance with legal obligations. So who can use lets encrypt? Those that are penalised or those that are confirmed. [1] https://www.dictionary.com/browse/sanctioned |
| |
| ▲ | thephyber 12 hours ago | parent [-] | | If you click the link… > [You certify to LetsEncrypt that] … > You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target
of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations. |
|
|
| ▲ | ComputerGuru an hour ago | parent | prev [-] |
| This is bullshit on par with the Chinese firewall, meant to effectively prevent the (entire!) western world from information by parties deemed persona non-grata. SSL certificates are supposed to be about security, not geopolitics. I'm pretty sure a LE server hitting an Iranian or North Korean endpoint and validating a crypto challenge does not break any OFAC or EAR rules, and no money changes hands. And if a non-US entity wants to do it, the US would just sanction them. Microsoft and Mozilla are certainly not going to include a North Korean or Russian state CA in the root trusted certs (and if they did, the US government could just threaten them with sanctions, too). Hard not to say "we warned you" about making self-signed certs completely unusable in favor of a very centralized approach. |
