Posted by piskov 21 hours ago
HID was acquired by Assa Abloy in 2000. No idea whether that means we now consider it Swedish.
ZeroSSL used to be Austrian until their acquisition in 2024.
I used to work for a company that got acquired by HID. It looks like HID has retained their original offices in some form.
- We’re based in Austria (ZeroSSL GmbH). The company was acquired by HID in 2024, which is part of Assa Abloy (Sweden).
- We’re not positioning ourselves as a purely EU-based CA substitute, and we generally don’t market it that way.
- For DV certs specifically, we act as a distributor. Under the hood these are Sectigo-issued certificates, similar to how other providers (for example Namecheap) operate.
Happy to clarify further if useful.
OK, but in the context of this topic thr interesting part isn't your marketing but your jurisdiction.
Could you clarify which jurisdiction you operate under and a link on the ZeroSSL website that collaborates that?
Thank you <3
There's no reason to believe they're any less subject to US jurisdiction than LetsEncrypt.
Sadly, their United Terms and Conditions in section 8.2 are even more restrictive than LE's. They reject any entity "located in, incorporated under the laws of, or owned (meaning 50% or greater ownership interest) or otherwise, directly or indirectly, controlled by, or acting on behalf of, a person located in, residing in, or organized under the laws of any country sanctioned under the laws of the U.S. or E.U." See https://www.sectigo.com/uploads/backgrounds/United-Terms-and...
From a layman point of view, it could even mean that the ICC and the UN are prohibited from using Sectigo. The Customer must have no "affiliates, officers, directors, or employees" that are on sanction lists, and the US have sanctioned some high-profile members of the UN and the ICC that spoke about the genocide in Gaza.
If they don’t have any business in the US and any financial ties to the US they won’t be subject to the sanctions. But I believe it will create issues if they want to enter the US market.
Don't get me wrong, I agree that there is some lack of "who actually runs/controls this", especially on the about page where I expect such things to be.
At the very least it's not as transparent as I'd wish from a CA. E.g their Certificate Agreement is from Sectigo, so are they involved? No mention anywhere else from what I can see.
I can't comment on the EU part though - not that relevant in my case.
That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.
> By using ZeroSSL's ACME feature, you will be able to generate an unlimited amount of 90-day SSL certificates at no charge, also supporting multi-domain certificates and wildcards. Each certificate you create will be stored in your ZeroSSL account.
This is the main reason letsencrypt is so popular.
is this standard MitM, or is it some crucially distinct variation?
> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.
Only to people who have a need to be offended.
But in fact, little by little you have all the stacks needed to be able to isolate some entities from internet at the us request in a very short time
Whatever USofA, it's not hard to have their own cosmodrome and certificates.
Tangential, in 2026 website certificates feel like nothing, disposable automation artifact, toxic max-security[1], vehicle for those who rent seek, fingerprint.
The interesting version is that Web PKI is not just cryptographic infrastructure. It is also a policy distribution system. A browser trust store, a CA, a subscriber agreement, revocation rules, export controls, and sanctions law all end up in the request path of "can this site speak HTTPS to normal users?"
That does not make Let’s Encrypt uniquely bad. Any CA has some jurisdiction, owners, contracts, root-program obligations, abuse process, and legal exposure. Moving the CA changes the governance surface; it does not remove governance.
But it does mean "just use Let’s Encrypt" is not a neutral answer when protocols, browsers, APIs, app stores, or regulators effectively require TLS. The operational dependency is not only ACME uptime and certificate issuance. It is also jurisdictional continuity.
The hard product question is what failure mode we want:
1. Web PKI: power concentrates in CAs, browsers, and root programs. 2. DANE/DNSSEC: power shifts toward DNS operators, registries, registrars, and governments. 3. Self-signed / TOFU / pinning: power shifts toward application-specific trust and worse UX. 4. Multiple CAs: better resilience, but still bounded by browser trust stores and legal chokepoints.
There is no apolitical trust system here. There are only different control planes with different failure modes.
The practical ask from Let’s Encrypt should be clarity: issuance vs renewal vs revocation, existing certs vs future certs, domain location vs subscriber location, hosting location vs user location, and how they interpret “use” of a certificate. Without that, operators are left guessing whether this is a narrow compliance clause or a broad infrastructure-risk event.