Posted by piskov 6 days ago

Let's Encrypt bans certificate usage in any US sanctioned territory [pdf](letsencrypt.org)
454 points | 382 comments | page 4
trumpdong 5 days ago
We all knew something like this was coming when we decided to centralise the web around Let's Encrypt.

In reality of course you can probably just ignore this as long as you request the certificate from a proxy in a non-sanctioned country and you don't stick out to the government.

ale42 5 days ago
Time for a non-US equivalent of Let's Encrypt?
trumpdong 5 days ago
How will you get Mozilla and Google to trust it?

Especially since sanctions are transitive. Mozilla and Google, being US companies, are actually not allowed to trust any entity whose purpose is to work around sanctions. Their members could go to jail for that.

nikolay 5 days ago
Yeah, let everybody build and use their own services, and then the US will end up having less control and visibility. Great tactics!
aussieguy1234 5 days ago
Dictators love it when their citizens can't use encryption. It makes them much easier to control and monitor.
boomlinde 4 days ago
What other CAs implement ACME? Are there any free alternatives outside the US?
ebiederm 5 days ago
Weird. The copy I read says they have just deleted that section of their user agreement.
pxeger1 6 days ago
How are they going to enforce this?
nickf 5 days ago
I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.
morpheuskafka 4 days ago
The question is, will that be enough? If OFAC can demonstrate that even with such restrictions, sanctioned entities are frequently obtaining certificates, they may be forced to require account creation or something else as a means of limiting that.

They also likely would have to implement some kind of domain name screening, just like banks have to block transfers that mention "Havana" or "Tehran".

They are currently not doing anything, even ccTLD blocks. They have issued certificates for .kp domains this month and in August of last year.

someguyornotidk 5 days ago
A lot of the pushback browser vendors got for locking APIs behind so-called "secure contexts" was because everyone (including them) knew this would happen. If there is a centralized system, some politician will manage to find a way to fuck with it.

Iran and other tyrannical governments can easily set up their own CAs and force their citizens to use them. Iran likely already has this infra in place. This ban does nothing but highlight LE as the liability it is. The decades-old certificate authority scheme is no longer fit for purpose and needs to go.

If you're a web developer, consider offering your site through public key-addressable networks. Reticulum and Tor are good options that work today.

ysmoradi 4 days ago
PLEASE DON'T DO THIS )":
diimdeep 5 days ago
The reach is, by rough estimates, ~2.5–6 million websites globally, 2–5 million of those in Russia and 0.3–1 million in Iran.

Whatever USofA, it's not hard to have their own cosmodrome and certificates.

Tangentially, in 2026 website certificates feel like nothing: a disposable automation artifact, toxic max-security[1], a vehicle for those who rent-seek, a fingerprint.

[1] https://tom7.org/httpv/httpv.pdf
