Let's Encrypt bans certificate usage in any US sanctioned territory [pdf]

Posted by piskov 19 hours ago

Let's Encrypt bans certificate usage in any US sanctioned territory [pdf](letsencrypt.org)

145 points | 97 comments

CobrastanJorji 10 minutes ago|

Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

Insimwytim 1 hour ago||

Iran is blocking internet for months, US ...bans creation of secure connections - that'll show 'em!

Russian quasi-government structures are spending quadrillion of rubles on a TSPU (censorship system) to spy on Russian residents, US ...helps them by making snooping on what is currently encrypted traffic possible by banning accessible encryption!

gnerd00 50 minutes ago|

wait until you find out about Facebook!

idoubtit 11 hours ago||

Couldn't LE have a branch in Europe or anywhere outside the USA and its minions?

Because they're betraying their own goals, as stated in their About page: “It is a service run for the public’s benefit. [...] Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. [...] Let’s Encrypt is a joint effort to benefit the community, beyond the control of any one organization.” Now they own they are under the control of a political organization.

Here is the paragraph Let's Encrypt added to their Subscription Agreement on 2026-06-04:

> You are not a person or entity that is:

> (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions;

> (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations;

> or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b).

> You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

cassianoleal 10 hours ago|

They could, but if the branch didn’t follow these laws, the main US branch would still be liable.

cromka 10 hours ago||

It's about time SOME entities start moving from US entirely.

mikeyouse 1 hour ago|||

RISC-V Foundation did.. though they go out of their way to talk about it in terms that try not to piss anyone off..

> "Across 2018-2019, the RISC-V community has reflected on the geo-political landscape and we have heard concerns from around the world that investment in RISC-V must come with IP access continuity to ensure a long-term strategic investment. We first mentioned our intentions to move at the December 2018 summit. Incorporation in Switzerland has the effect of calming concerns of political disruption to the open collaboration model. RISC-V International does not maintain any commercial interest in products or services as a non-profit, membership organization. There have not been any export restrictions on RISC-V in the US and we have complied with all US laws. The move does not circumvent any existing restrictions, but rather alleviates uncertainty going forward.

> In March 2020, the RISC-V International Association was incorporated in Switzerland. Along with this, we shifted to a new, more inclusive membership structure. Members of RISC-V International have access to and participate in the development of the RISC-V ISA specification and extensions as well as related hardware and software. RISC-V has a Board of Directors composed of member representatives as well as a Technical Committee of work group leaders."

> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.

> The IP contributed and produced by RISC-V International is held under industry and global standard licenses that are already open to leverage by any company regardless of jurisdiction. This licensing is a common open source approach to foster collaboration that is not tied to any geographic regulation. IP in the public domain has not been subject to export control.

https://riscv.org/about/

naturalmovement 1 hour ago||||

[flagged]

rafram 1 hour ago|||

Other countries sanction each other too.

Igrom 10 hours ago||

It seems that, as soon as you transact with a sanctioned entity, you are globally in breach of the agreement and risking the revocation of all your certificates — also the ones for non-sanctioned countries.

Front matter:

   - it is called a "Subscriber Agreement" and not anything that suggests that its scope is a single certificate

   - it's a "contract [...] regarding Your [...] rights and duties relating to [...] Certificates" - plural

2.1 "Term":

  - "[the agreement] will remain in force during the entire period during which *any* of Your Certificates are valid" - plural

3.1 "Warranties":

  - "[by] requesting, accepting, or using *a* Let’s Encrypt Certificate" - plural

axiologist 7 hours ago||

This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

MarleTangible 7 hours ago||

I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.

account42 2 hours ago|||

Do we also need to put all our letters into strongboxes before we send them?

Maybe we should have solve the ISP snooping problem by making that illegal instead.

theamk 2 hours ago||

This just leaves every single public Wifi network - which used to mess with traffic a lot

cyanydeez 1 hour ago||

Guys, we live in a society.

Parodper 3 hours ago||||

We could, and should, switch to DANE. Or else, switch to how X.509 was supposed to be used, with each country running a CA for their nationals.

theamk 3 hours ago||

I trust governments much less that a conglomerate of competing corporations.

With all the problems with Web PKI, at least the bad actors are getting distrusted, and this provides a very strong enforcement on the rest. And Certificate Transparency makes sure the mis-issuance would be caught. It is not perfect by any means, but things are getting better.

With DANE (or other country-issued certificates), every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse. (In the past I'd say that only countries like Russia would do it.. but with today's climate, I am sure both US and many European countries will do that too)

Parodper 1 hour ago|||

> every government will absolutely double-issue certificates to police, secret service and friends of goverment, and no one will have any recourse.

Countries already have CA that issue certificates with more legal force than a handwritten signature. I can open a bank account, pay my taxes and sign up to all government services. But I can't use them for a webpage.

> With DANE (or other country-issued certificates)

DANE isn't a country-issued certificate. It's a scheme where you store your public keys on DNS records. Of course, now we have the issue that DNSSEC (signed DNS records) isn't widespread and the whole issue with DNS registries.

account42 2 hours ago|||

Pretty much any big government has a CA they can exert direct control over whenever needed.

theamk 2 hours ago||

Maybe, but then can only do it once. Then they get caught, and their CA is distrusted. See Diginotar [0] for example.

And things only gotten better since - we now have CT logs, and browsers require them, so any mis-issuance can be detected automatically, by any interested third party.

If we go to DANE, we lose this all. "Oops, our CT uploader process failed, we will fix Real Soon(tm) we promise" - and what are browsers going to do? Distrust the entire country?

[0] https://blog.mozilla.org/security/2011/09/02/diginotar-remov...

JumpCrisscross 33 minutes ago|||

Side note: “DigiNotar BV was a Dutch certificate authority from 1998 to 2011. It was acquired in January 2011 by VASCO and subsequently declared bankrupt in September of the same year” [1].

I didn’t realize the slapped their face on the pavement right after being acquired.

[1] https://en.wikipedia.org/wiki/DigiNotar

thaumasiotes 1 hour ago|||

> I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them.

Note that phones already try to prevent you from using a certificate that you provide yourself.

palmotea 3 hours ago||

> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

account42 2 hours ago||

You could that with a much saner approach like DANE.

franga2000 2 hours ago||

Not back when SSL and the PKI ecosystem was developed.

m2f2 13 hours ago||

Is this a canary?

What's gonna happen if I were to begin or continue using one letsencrypt certificate from ... Greenland? Cuba? The EU?

Has letsencrypt been served with a subpoena?

rafram 1 hour ago|

Neither Greenland nor the EU has been sanctioned by the US.

nitwit005 1 hour ago|||

They haven't been sanctioned, yet, but we live in a time where that's a real possibility.

_ache_ 1 hour ago||||

Yet.

malfist 1 hour ago||||

So far

tempfile 1 hour ago|||

It is not exactly an outlandish suggestion that this may happen.

wnevets 47 minutes ago||

Maybe consolidating ~60% of the web's certificates on to a single provider was a mistake.

patmorgan23 37 minutes ago|

Well good thing everyone using the provider is using an open protocol and it's stupid easy to switch

karteum 6 hours ago||

Can anyone explain me what went wrong with http://www.cacert.org/ and why they are not supported by any major browser ?

em-bee 5 hours ago|

the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribtion license that they can't follow.

LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/

piskov 19 hours ago||

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations

theamk 19 hours ago|

Makes sense, they are US company. I am surprised it took them that long.

rwmj 10 hours ago||

"US company must obey US law" doesn't make for a very interesting headline.

ceeam 7 hours ago|||

"The world should stop trusting the US companies" OTOH...

cyanydeez 1 hour ago||

more optimistic would be "World should decentralize America's trust"

ohmg 7 hours ago|||

The headline is more « US law is batshit and extends well beyond its borders with real world consequences »

pavon 51 minutes ago|||

This is not an example of that. It is perfectly within US jurisdiction to prevent US companies from doing business with sanctioned countries. That is the point of a sanction, and US is in good company in choosing to use sanctions as a diplomatic tool.

It is more of an example of how the internet/software industry is too consolidated to the US, and thus other countries are too dependent on the US in those areas. If the internet infrastructure was well distributed, then people in sanction countries could simply get certificates issued by a different CA, and in some cases they can. However, this is complicated by the fact that the list of trusted CAs is dominated by US organizations (Google, Mozilla, Apple, Microsoft). If you want to reach western audience you must use certs from a CA approved by them.

ezbie 3 hours ago|||

Exactly. Ever since I was a kid I never understood how the US has jurisdiction way beyond their borders.

Then I graduated in International Relations and understood that the hole is much deeper than that.

Now it's pretty obvious with all the shit that trump has been doing, but back then me and much of the people I know were oblivious to what US power really means.

account42 2 hours ago|||

It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.

floper_a 7 hours ago||

That's just another reminder that no one from outside of US should deal with US companies.

More comments...