Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.
Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
It doesn't.
You issued a certificate for North Korea's email infrastructure as recently as six days ago:
https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp)
https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)
Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies ex. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.
How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?
Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?
When you say “our legal requirements” do you mean requirements LE imposes in its agreements or requirements imposed on LE by governments?
I was referring to the requirements imposed on us. When it comes to sanctions, we do not block anything more than what is required by law.
The current US government sanctions political enemies [0].
Wouldn't the more rational response to this legal situation be to leave the USA and move somewhere more willing to respect international law?
[0] https://www.whitehouse.gov/presidential-actions/2025/02/impo...
According to the current administration, almost half of the US is considered a political enemy of the current administration.
Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:
1. I love America
2. Radical left looney
3. Neither male nor female.
4. Those that tremble as if they were mad[0]
[0]: https://thewhippet.org/the-whippet-134-those-that-tremble/#c...
It'll be interesting when/if they sanction Antifa. Since it doesn't exist, you can't prove that you're not a member of it. So they get to sanction anyone.
Proof has no relevance if you are prevented from accessing the legal system (e.g. thrown into a concentration camp for immigrants)
> move somewhere more willing to respect international law?
Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.
Sanctioning the ICC obviously has nothing to do with trade policy.
The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.
I personally think sanctioning the ICC judges is a disgusting act. However ultimately all sanctions are decisions to refrain from trading with someone, so it is in a sense a trade policy. I think what you're getting at is that the USA is implementing that policy to obtain a political/diplomatic goal, which is true, but you could say the same about most trade policies.
I think article 18(a) of the Vienna Convention on the Law of Treaties means that once you withdraw your signature, you no longer have any obligations in regards to the treaty.
Maybe you could make some sort of argument that the sanctions violate the purpose of the Geneva Convention as they are designed to prevent bringing to justice people accused of grave breaches of the Geneva Convention. Like it's an attempt to frustrate the application of article 49 of the First Geneva Convention [IANAL]
Why would other countries be less likely to impose sanctions on their political enemies?
I can't answer why or why not but just in terms of track record the US is fairly egregious. The executive attempts to coerce individual UN officials via sanctions. While it may not be strictly illegal it is clearly flagrantly unethical.
By whose law? Thailand? China? Germany? Afghanistan?
> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
The agreement very plainly says otherwise:
> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions
The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."
> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.
This tries to frame it as a comprehension issue. It's not.
The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous to frame this as "we really only mean government entities".
Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.
They have "clarified" elsewhere on here that the normal citizenry get a legal exemption [waves hands mystically] somehow, and that they're only blocking people when they legally have to.
Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.
We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.
If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.
It may be the case that "most of" their sanctions-related blocks apply only to governments (let's say there are 100 such blocks), while they still disallow usage by persons located in a country or territory that is the target of comprehensive US sanctions (let's say there are 50).
I assumed that they meant that they will not enforce it via technical means.
Came here to quote exactly that paragraph.
I’m actually old enough to remember how PGP code was exported as a book printout because exporting computer code for cryptography with strong keys in digital form was disallowed but a book was fine (protected by First Amendment rights). The printout was scanned abroad to reconstitute the source and build PGP legally.
> pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries
This is most likely OFAC. Let's Encrypt could apply for a license to do business with sanctioned entities, and given their use case it would most likely be approved.
https://ofac.treasury.gov/ofac-license-application-page
OFAC regulates commerce, not speech. Let's Encrypt is not doing "business", they're operating a free informational service. Lots of organizations interpret any information exchange as subject to OFAC regulation, and you and Let's Encrypt have good company in this interpretation, but I think it's unnecessarily ceding ground.
The government may use as wide of an interpretation of commerce as they can get away with. We've seen this happen before [0]. Sure, Let's Encrypt isn't taking money from the entities they offer certificates to. But the OFAC desk jockey assigned to that case only has to concoct some sufficiently plausible-sounding trail of money connecting the backing 501(c)3 and a sanctioned entity in order to levy penalties, and the legal team will not like that risk, even if it's unlikely for OFAC to win on appeal in a court.
[0]: https://en.wikipedia.org/wiki/Wickard_v._Filburn
This is true, of course, and I understand why some companies don't want to take the risk. But I would hope that Let's Encrypt would take the opposite stance. They were born out of the EFF and have EFF & ACLU board members! These orgs live for this type of legal fight.
IANAL, but it seems like the argument from Wickard v Filburn would apply to LE. They may not be taking money but they do impact the commerce of the market for certificates.
I disagree with that ruling, and I have some serious problems with sanctions against entire countries/regions, but it definitely makes sense that LE would interpret it as being impacted by OFAC.
IANAL, but this seems wrong.
In an alternate universe, Let’s Encrypt has a chat with someone and then states, publicly, like a speech, that they think that person owns a domain.
In our universe, Let’s Encrypt lets a client open an “account”, enters into a contract with the client (the contract is the topic of this entire post), and gives the client an API by which the client requests a certificate. Then Let’s Encrypt grants the certificate. Maybe the certificate is somehow speech. The rest sure doesn’t sound like speech to me.
Wasn't there news a bit ago about some people being suddenly excluded from Linux kernel development for presumably similar reasons?
Seems in all things tech at the moment the US legal system is accelerating a great split and erecting a digital iron curtain, from AI models to the more mundane like TLS certs. It's been standard for a while for many Linux distros based in the US to toe the party line - like Red Hat having notices pretty similar to this one by LE. Seems any meaningful open projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.
It isn't just the US. China, Russia, the EU, and Australia and probably others are all increasingly trying to create virtual walls of various forms in the internet.
It is in the nature of nation states to assert control over national borders. That the Internet and the globalised flow of information it enables circumvents this is a historical anomaly.
The RISC-V move was laughable. It’s still US tech, developed largely with DARPA funds.
So what? If I disagree with the direction any FOSS project (or its maintainers) is taking... I can just fork it. People have done that countless times in the history of FOSS, most notably in the xOffice schism.
No remotely western company will risk US sanctions violations or whatever other regulatory burden by using US technology where it can't be used. Even Chinese companies depending on how state backed they are might not be willing to risk it.
This is the big irony of the current situation: while the US is dependent on China for manufactured goods, China is dependent on the US for external demand for its manufactured goods.
One is the mirror image of the other and neither economy can exist in its current state in isolation.
So China has the US over a barrel when it comes to actually building stuff, rare earths and all of that, but equally US sanctions still have real bite (a lot more than China would like) because China does have to do a huge amount of international trade to export and externalise its surpluses.
They're stuck in this unhappy marriage
> They're stuck in this unhappy marriage
Who says they’re stuck or unhappy?
This is politics. We’re all just bait. In reality they’re friends.
US and China have made more gains by pretending to be enemies than friends and they likely plotted it all together.
It doesn't matter what technology is used, sanctions are imposed when the USA doesn't like something.
Some (well, at least one) of us are old enough to have owned one of these:
http://www.cypherspace.org/adam/uk-shirt.html
A t-shirt with a Perl script that implemented RSA encryption strong enough to be technically illegal to export from the US.
(I must sadly admit to being too cowardly/sensible to have taken that shirt to the US in the late 90s...)
I wore the rsa-dolphin t-shirt all over the place and nobody batted an eye back then, but a dolphin made up of ASCII characters is quite a bit less obvious than the one you linked.
OpenBSD being based in Canada ships strong crypto, but has had a sometimes troubled relationship with certain regimes.
https://www.openbsd.org/lyrics.html#34
DeCSS printed on stuff was a thing for a while, too.
And if you missed the original run, you can buy a reprint from Adam's current company: https://store.blockstream.com/products/rsa-t-shirt
This is why, as someone who works in security and encryption and has implemented web server TLS stacks and such, I still oppose the "always-https" idea.
TLS is awesome, one of the most valuable developments in Internet history. But, it is important to understand that it is a double-edged sword. Requiring a CA, which in practical terms means requiring a publicly known CA, is a choke point of freedom.
> Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
If complying with the law gets in the way of the mission I’m not sure that counts as a change to the mission.
> If complying with a law gets in the way of the mission I’m not sure that counts as a change to the mission.
It's already illegal to use in NK, but if it's the US, well it's time to steer the mission around it? Gross.
For an American enterprise? Yes, obviously.
Should the NRA hand out guns to everyone who can’t get a permit where permits are required? Of course not. If they are against gun permits they have to fight the law, not break it.
http://www.geekytattoos.com/illegal-tattoos-rsa-tattoos
Tattoo yourself with crypto code to become munitions.
It could also be an easy way to not have to implement backdoors for the government/military.
What "backdoor" would Let's Encrypt even implement? That's not how a CA works.
They might be compelled to issue a certificate to an unauthorized (by browser PKI policies, not local law) entity, but that would be very conspicuous due to Certificate Transparency.
I suspect any "backdoor" would be inserted at the protocol level. See https://web.archive.org/web/20130918135152/http://www.thegua...
How would they do that? The ACME protocol is "take the basic artifacts you use for certificate signing, wrap them in JSON (cryptographically, using standard JWS), then send them over using HTTP + TLS." Every part of that is something for which there exists a buttload of implementations in whatever language you care to use.
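To make the "wrap them in JSON using standard JWS" step concrete, here is an added example (not code from Let's Encrypt or any ACME client) of how an ACME client signs a request with its account key and how the server checks it, per RFC 8555 section 6.2. The account URL, nonce, request URL and newOrder payload are all constructed values; it assumes an ES256 (P-256) account key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

// b64 is the unpadded base64url encoding JWS (RFC 7515) requires.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// acmeJWS is the flattened JWS JSON serialization an ACME client POSTs (RFC 8555 section 6.2).
type acmeJWS struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// newAccountKey makes a P-256 account key (ACME accepts ES256 or RS256 account keys).
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signACME wraps a request payload in a JWS signed with the account key (ES256).
// kid is the account URL, nonce the server's Replay-Nonce, url the request target;
// binding nonce and url into the protected header is what defeats replay and cross-endpoint reuse.
func signACME(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (*acmeJWS, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid, "nonce": nonce, "url": url})
	protected, body := b64(header), b64(payload)
	digest := sha256.Sum256([]byte(protected + "." + body)) // the JWS signing input
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // ES256 signatures are raw r||s (32 bytes each), not ASN.1 DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return &acmeJWS{Protected: protected, Payload: body, Signature: b64(sig)}, nil
}

// verifyACME is the server side: recompute the signing input and check it against the account public key.
func verifyACME(pub *ecdsa.PublicKey, j *acmeJWS) bool {
	sig, err := base64.RawURLEncoding.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return false
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	return ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
```

Change a single byte of the payload or protected header after signing and verifyACME returns false, which is why a substitution at the protocol layer between client and CA would not go unnoticed by either side.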
> How would they do that?
Let me introduce you to the phrase "I don't see a mechanism."
>Let me introduce you to the phrase "I don't see a mechanism."
I'm not familiar with this phrase, but I think I did a good job citing a comparable example in my original post.
> Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with "brute force",
Things that definitely don't happen. Those same encryption standards are used by the US military, and the international cryptography community can pretty readily rule out keyed backdoors.
The thought that supercomputers could break Internet encryption by brute force is laughable. One would have to be innumerate to think such a thing.
I mean, no one is stopping someone from cloning Let's Encrypt - it shouldn't be very hard.
Google had a similar dilemma - do they want to offer a (censored) service in China, and have a hope of keeping some marketshare, or not (and be kicked out immediately).
In this case though, it seems to be an unforced move by Let's Encrypt? Or was it compelled by LEAs?
If you truly need a secure and private web you should be using tor.
Say what, now?
Anonymity and encrypted communication are two very, very different things. Have one but not the other and you're essentially handing off your private data, including passwords, to whoever has a tap on the communication between you and the server. Have the other but not the one and everyone will know who you are, but they can't eavesdrop.
I've had people straight up serve me malware when I attempt to OSINT them with Tor. Sometimes you need different kinds of anonymity, and I see a lot of one-size-fits-all proclamations on HN.
I've found lots of Iranians on Tor.