Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?
Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own that they are under the control of a political organization.
Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:
> You are not a person or entity that is:
> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;
> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;
> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).
> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
cassianoleal 6 hours ago [-]
They could, but if the branch didn’t follow these laws, the main US branch would still be liable.
cromka 6 hours ago [-]
It's about time SOME entities start moving from US entirely.
Igrom 5 hours ago [-]
It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.
Front matter:
- it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate
- it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural
2.1 "Term":
- "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural
3.1 "Warranties":
- "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural
axiologist 3 hours ago [-]
This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership.
It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS.
That's digital tyranny in disguise.
MarleTangible 3 hours ago [-]
I always saw it as a trust chain and think that anyone is welcome to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required, and the currently best solution we have requires a trust chain to be built.
m2f2 8 hours ago [-]
Is this a canary?
What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?
Has letsencrypt been served with a subpoena?
piskov 15 hours ago [-]
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
karteum 2 hours ago [-]
Can anyone explain to me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser?
em-bee 39 minutes ago [-]
The Wikipedia page has links to projects that removed CAcert, where reasons are stated. The main one being that CAcert didn't complete a security audit, or because they were not yet accepted by Mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). One group removed it because CAcert has a strict root redistribution license that they can't follow.
Does it mean that Russian/Iranian websites using Let's Encrypt stop working and need to change their certificate provider?
altairprime 6 hours ago [-]
Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S.
piskov 4 hours ago [-]
They already revoked certificates for some Russian sites.
42droids 9 hours ago [-]
Has anyone got any experience with Zero SSL? https://zerossl.com/
It seems like a good EU alternative.
47282847 8 hours ago [-]
EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.
slau 8 hours ago [-]
HID was originally American and Scottish, but became fully American in 1994.
HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.
ZeroSSL used to be Austrian until their acquisition in 2024.
I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.
nomadwastaken 6 hours ago [-]
The privacy policy is under Legal in the footer, exactly where I'd expect it to be, to be honest. It also gives the company registration:
> 1.1. We, ZeroSSL GmbH, FN 443956b (the “Company“)
and below that the company address (registered in Austria).
Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.
At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.
47282847 1 hour ago [-]
I don’t see “legal” in the footer on mobile. Or any other link. Or a link to an About page in the main nav. There’s nothing.
patrakov 38 minutes ago [-]
It's Sectigo under the hood.
slau 8 hours ago [-]
3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.
That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.
nomadwastaken 6 hours ago [-]
From their docs[0] this doesn't seem to apply if using ACME, but they don't exactly make that clear...
> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.
ZeroSSL aren't an EU-based alternative, unfortunately.
theamk 15 hours ago [-]
Makes sense, they are a US company. I am surprised it took them that long.
rwmj 6 hours ago [-]
"US company must obey US law" doesn't make for a very interesting headline.
ceeam 3 hours ago [-]
"The world should stop trusting the US companies" OTOH...
ohmg 3 hours ago [-]
The headline is more « US law is batshit and extends well beyond its borders with real world consequences »
floper_a 3 hours ago [-]
That's just another reminder that no one from outside of the US should deal with US companies.
DoctorOetker 8 hours ago [-]
> active eavesdropping (e.g., monster-in-the-middle attacks)
is this standard MitM, or is it some crucially distinct variation?
thephyber 7 hours ago [-]
Man in the Middle Wiki:
> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.
walletdrainer 7 hours ago [-]
Those sources feel more than slightly contrived.
walletdrainer 7 hours ago [-]
It's the American version, concepts like "man" and "woman" are deeply sexist and offensive in their culture. There are no men or women, only monsters.
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
diimdeep 3 hours ago [-]
The reach is, by rough estimates, ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3–1 million in Iran.
Whatever USofA, it's not hard to have their own cosmodrome and certificates.
Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.
LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/
[0]: https://zerossl.com/documentation/acme/
Let me also just leave this masterpiece right here https://blog.barracuda.com/2025/10/02/beyond-mitm-rising-dan...
This is the main reason letsencrypt is so popular.
[1] https://tom7.org/httpv/httpv.pdf
> 2. officially or formally ratified or confirmed.
> 3. penalized, especially by way of discipline or to force compliance with legal obligations.
So who can use Let's Encrypt? Those that are penalised or those that are confirmed.
[1] https://www.dictionary.com/browse/sanctioned
> [You certify to LetsEncrypt that] …
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.