by CobrastanJorji 2 days ago
Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.


Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

It doesn't.

You issued a certificate for North Korea's email infrastructure as recently as six days ago:

https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp)

https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)

Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies ex. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.

How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?

This is incredible. How did you find these certs?
I only noticed the star net one (not sure if it’s even in use) when writing this. I noticed the Pyongyang Zoo (which shares an IP with the Architects Society—one on 443 and one on 80 lmao) first, just from flipping through their very small IP space on Shodan.

You can see them all on crt.sh, because LE has to upload them to a CT log for browsers to trust them. (That’s how most of those subdomain finder websites work too.) The email servers seem to have gotten certs from a for profit CA back in 2015, but I’m not sure if they ever used them. Most of their webspace seems to be HTTP only. (And it’s a good thing, because some of their Apache versions are potentially old enough to have Heartbleed.)

The architects website has some pretty cool PDF magazines btw. They also have several websites for their insurance company’s (perhaps some intl org needs them to have a website for listing)—that’s a core hard currency stream for them and they previously have been accused of submitting false losses.

Thank you. Had to go looking for these magazines.

http://www.koreanarchitecture.gov.kp/index.php?kt=TWFnYXppbm...

> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

The agreement very plainly says otherwise:

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions

The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."

> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

This tries to frame it as a comprehension issue. It's not.

The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous to frame this as "we really only mean government entities".

Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.

They have "clarified" elsewhere on here that the normal citizenry get a legal exemption [waves hands mystically] somehow, and that they're only blocking people when they legally have to.

Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.

We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.

If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.

"Somehow" is addressed in my comment: https://news.ycombinator.com/item?id=48479348
OFAC sanctions are far more nuanced than what you make them out to be. Very often "general licenses" are carved out for providing IT services or technology to individuals for personal use. The purpose of this is for censorship circumvention, which often supports American interests abroad.

This is not something that you apply for; a general license already applies to everyone. The legalese or restrictions companies use exist because they cannot (or will not) validate everyone is who they say they are. This obviously doesn't apply to companies who deal with controlled exports, where they are responsible for whoever ultimately receives the controlled export.

I am not a lawyer and this is not legal advice.

https://ofac.treasury.gov/selected-general-licenses-issued-o...

I get this, but you say "very often", but it's not, and generally, looking at OFAC lists, there's only a few countries with personal carveouts (less than 5 of the countries on the list), usually for remittances, and in a few of those countries only to US persons residing there.

Generally the software carveouts are very limited - it's not just "providing IT services or technology to individuals for personal use", i.e. Sudan:

> software updates for medical devices to Sudan

Indeed, of the software carveouts listed on that page, only two are not related to the operation or update of medical devices:

- provision of Internet services to the people of the Ukraine (read: "Starlink")

- provision of messaging services to members of the Government of Venezuela.

Sounds like "comprehensive" does the heavy-lifting here (in "country or territory that is the target of comprehensive U.S. sanctions"): what countries are under comprehensive sanctions, and which are under non-comprehensive sanctions?
It may be the case that "most of" their sanctions-related blocks apply only to governments (let's say there are 100 such blocks), while they still disallow usage by persons located in a country or territory that is the target of comprehensive US sanctions (let's say there are 50).
I assumed that they meant that they will not enforce it via technical means.
Came here to quote exactly that paragraph.
> Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

It doesn't work that way.

Blocking governments from getting certs doesn't hurt them in the slightest. The government can just create their own PKI.

But it hurts the general population instead. People do not live in a vacuum; they still need to access government sites. And thus people are forced to install root certificates of questionable trust.

When Let's Encrypt blocks government entities, it instead puts the respective vulnerable population in an even less secure environment.

Although, given the current events, I am not sure Let's Encrypt continues to deserve the trust it had.

Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?
When you say "our legal requirements" do you mean requirements LE imposes in its agreements or requirements imposed on LE by governments?
I was referring to the requirements imposed on us. When it comes to sanctions, we do not block anything more than what is required by law.
The current US government sanctions political enemies [0].

Wouldn't the more rational response to this legal situation be to leave the USA and move somewhere more willing to respect international law?

[0] https://www.whitehouse.gov/presidential-actions/2025/02/impo...

According to the current administration, almost half of the US is considered a political enemy of the current administration.

Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:

1. I love america

2. Radical left looney

3. Neither male nor female.

4. Those that tremble as if they were mad[0]

[0]: https://thewhippet.org/the-whippet-134-those-that-tremble/#c...

It'll be interesting when/if they sanction Antifa. Since it doesn't exist, you can't prove that you're not a member of it. So they get to sanction anyone.
> move somewhere more willing to respect international law?

Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.

Sanctioning the ICC obviously has nothing to do with trade policy.

The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.

Why would other countries be less likely to impose sanctions on their political enemies?
I can't answer why or why not but just in terms of track record the US is fairly egregious. The executive attempts to coerce individual UN officials via sanctions. While it may not be strictly illegal it is clearly flagrantly unethical.
By whose law? Thailand? China? Germany? Afghanistan?
I’m actually old enough to remember how PGP code was exported as a book printout because exporting computer code for cryptography with strong keys in digital form was disallowed but a book was fine (protected by first amendment rights). The printout was scanned abroad to reconstitute the source and build pgp legally.
> pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries

This is most likely OFAC. Let's Encrypt could apply for a license to do business with sanctioned entities, and given their use case it would most likely be approved.

https://ofac.treasury.gov/ofac-license-application-page

OFAC regulates commerce, not speech. Let's Encrypt is not doing "business", they're operating a free informational service. Lots of organizations interpret any information exchange as subject to OFAC regulation, and you and Let's Encrypt have good company in this interpretation, but I think it's unnecessarily ceding ground.
The government may use as wide of an interpretation of commerce as they can get away with. We've seen this happen before [0]. Sure, Let's Encrypt isn't taking money from the entities they offer certificates to. But the OFAC desk jockey assigned to that case only has to concoct some sufficiently plausible-sounding trail of money connecting the backing 501(c)3 and a sanctioned entity in order to levy penalties, and the legal team will not like that risk, even if it's unlikely for OFAC to win on appeal in a court.

[0]: https://en.wikipedia.org/wiki/Wickard_v._Filburn

This is true, of course, and I understand why some companies don't want to take the risk. But I would hope that Let's Encrypt would take the opposite stance. They were born out of the EFF and have EFF & ACLU board members! These orgs live for this type of legal fight.
IANAL, but it seems like the argument from Wickard v Filburn would apply to LE. They may not be taking money but they do impact the commerce of the market for certificates.

I disagree with that ruling, and I have some serious problems with sanctions against entire countries/regions, but it definitely makes sense that LE would interpret it as being impacted by OFAC.

Providing information (website, CT log, CRL) is fine, but creating a certificate on request is clearly a service. How is that different than providing a computation or LLM output in response to a prompt? Moreover, it is clearly not just the physical act of signing a CSR, but the verification of ownership that comes with it. That's just as much a service when fully automated as if a human were doing it.

Now, does this serve a policy purpose? Perhaps not--US computers trust plenty of non-US CAs that could continue to serve these customers. But that's not how comprehensive sanctions are set up, they are effectively a complete embargo.

A better question is whether telecom carveouts (general licenses) in the sanctions may allow this. That is a country by country question as each one is worded differently.

OFAC has authority to regulate commercial services under the Commerce Clause. Not all services are commercial in nature. There is no economic exchange inherent in running a certificate authority. If LE charged money for certificates, that would be a different matter. LE's differentiating factor from the previous era of CAs is that they are non-commercial.
GitHub was recently granted a license from OFAC to allow their services to be used from Iran. You can read about it here: https://github.com/github/site-policy/blob/main/Policies/oth...

And here: https://github.blog/news-insights/policy-news-and-insights/a...

IANAL, but this seems wrong.

In an alternate universe, Let’s Encrypt has a chat with someone and then states, publicly, like a speech, that they think that person owns a domain.

In our universe, Let’s Encrypt lets a client open an “account”, enters into a contract with the client (the contract is the topic of this entire post), and gives the client an API by which the client requests a certificate. Then Let’s Encrypt grants the certificate. Maybe the certificate is somehow speech. The rest sure doesn’t sound like speech to me.

Wasn't there news a bit ago about some people being suddenly excluded from Linux kernel development for presumably similar reasons?
Seems in all things tech at the moment the US legal system is accelerating a great split and erecting a digital iron curtain, from AI models to the more mundane like TLS certs. It's been standard for a while for many Linux distros based in the US to toe the party line - like RedHat having notices pretty similar to this one by LE. Seems any meaningful Open Projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.
It isn't just the US. China, Russia, the EU, and Australia and probably others are all increasingly trying to create virtual walls of various forms in the internet.
It is in the nature of nation states to assert control over national borders. That the Internet and the globalised flow of information it enables circumvents this is a historical anomaly.
The RISC-V move was laughable. It’s still US tech, developed largely with DARPA funds.
Woah, I had no idea about DARPA and RISC-V. I wonder why they care about RISC-V so much? This is the best explanation that I can find:

> Open source standards provide great benefits to U.S. taxpayers in reducing the cost of advanced military system development, and also increases security by allowing the government to build their own trusted implementations at low cost.

You can read more about it here: https://riscv.org/about/ -> See section "DARPA Influence"

About their move to Switzerland, they say:

> RISC-V International has not incorporated in Switzerland based on any one country, company, government, or event. This move is reflective of community concern and managing strategic risk for our community investing in RISC-V for the next 50+ years.

So what? If I disagree with the direction any FOSS project (or its maintainers) is taking... I can just fork it. People have done that countless times in the history of FOSS, most notably in the xOffice schism.
No remotely western company will risk US sanctions violations or whatever other regulatory burden by using US technology where it can't be used. Even Chinese companies depending on how state backed they are might not be willing to risk it.
This is the big irony of the current situation: while the US is dependent on China for manufactured goods, China is dependent on the US for external demand for its manufactured goods.

One is the mirror image of the other and neither economy can exist in its current state in isolation.

So China has the US over a barrel when it comes to actually building stuff, rare earths and all of that, but equally US sanctions still have real bite (a lot more than China would like) because China does have to do a huge amount of international trade to export and externalise its surpluses.

They're stuck in this unhappy marriage

> They're stuck in this unhappy marriage

Who says they’re stuck or unhappy?

This is politics. We’re all just bait. In reality they’re friends.

US and China have made more gains by pretending to be enemies than friends and they likely plotted it all together.

It doesn't matter what technology is used, sanctions are imposed when the USA doesn't like something.
Some (well, at least one) of us are old enough to have owned one of these:

http://www.cypherspace.org/adam/uk-shirt.html

A t-shirt with a Perl script that implemented RSA encryption strong enough to be technically illegal to export from the US.

(I must sadly admit to being too cowardly/sensible to have taken that shirt to the US in the late 90s...)

I wore the rsa-dolphin t-shirt all over the place and nobody batted an eye back then, but a dolphin made up of ASCII characters is quite a bit less obvious than the one you linked.

OpenBSD being based in Canada ships strong crypto, but has had a sometimes troubled relationship with certain regimes.

https://www.openbsd.org/lyrics.html#34

DeCSS printed on stuff was a thing for a while, too.
And if you missed the original run, you can buy a reprint from Adam's current company: https://store.blockstream.com/products/rsa-t-shirt
> Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.

If complying with the law gets in the way of the mission I’m not sure that counts as a change to the mission.

> If complying with a law gets in the way of the mission I’m not sure that counts as a change to the mission.

It's already illegal to use in NK, but if it's the US, well it's time to steer the mission around it? Gross.

For an American enterprise? Yes, obviously.

Should NRA hand out guns to everyone who can’t get a permit where permits are required? Of course not. If they are against gun permits they have to fight the law, not break it.

The National Rifle Association (NRA) describes itself as America’s longest-standing civil rights organization.

That is a specific US-internal stance.

There's a list of organizations that started in the US, ultimately having had to work around the US legal system, in pursuit of their missions:

re Planned Parenthood Global, WikiLeaks, International Campaign to Ban Landmines, Center for Reproductive Rights, selected programs of the Human Rights Campaign Foundation, et al

This is why, as someone who works in security and encryption and has implemented web server TLS stacks and such, I still oppose the "always-https" idea.

TLS is awesome, one of the most valuable developments in Internet history. But it is important to understand that it is a double edged sword. Requiring a CA, which in practical terms means requiring a publicly known CA, is a choke point of freedom.

http://www.geekytattoos.com/illegal-tattoos-rsa-tattoos

tattoo yourself with crypto code to become munitions

> to not export SSL technology to enemy countries

sounds like to not export mathematics
It could also be an easy way to not have to implement backdoors for the government/military.
What "backdoor" would Let's Encrypt even implement? That's not how a CA works.

They might be compelled to issue a certificate to an unauthorized (by browser PKI policies, not local law) entity, but that would be very conspicuous due to Certificate Transparency.

I suspect any "backdoor" would be inserted at the protocol level. See https://web.archive.org/web/20130918135152/http://www.thegua...
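The reason a compelled or otherwise unexpected issuance is conspicuous is that every certificate a browser will trust must appear in public CT logs, which is what the crt.sh lookups earlier in the thread rely on. The check below is an added example, not code from the thread or from Let's Encrypt: it takes records shaped like crt.sh's JSON search output (assumed fields id, issuer_name, name_value, not_before; the sample records are constructed, not real issuances) and flags certificates for a domain whose issuer is not on the owner's allow-list, or that carry a wildcard when policy forbids one.

```python
import json

# Constructed sample records shaped like crt.sh's JSON output; values are made up.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "name_value": "www.example.net\nexample.net",
     "not_before": "2025-11-08T00:00:00", "not_after": "2026-02-06T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R10",
     "name_value": "mail.example.net",
     "not_before": "2026-04-06T00:00:00", "not_after": "2026-07-05T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected CA R1",
     "name_value": "*.example.net",
     "not_before": "2026-04-07T00:00:00", "not_after": "2027-04-07T00:00:00"},
])


def issuer_org(issuer_name):
    """Return the O= attribute of an issuer DN written as RDNs joined by ', '."""
    for rdn in issuer_name.split(", "):
        if rdn.startswith("O="):
            return rdn[2:]
    return ""


def parse_crtsh(json_text):
    """Normalise crt.sh-style rows: one record per (pre)certificate, SANs split out."""
    records = []
    for row in json.loads(json_text):
        names = [n.strip().lower() for n in row["name_value"].split("\n") if n.strip()]
        records.append({
            "id": row["id"],
            "issuer_org": issuer_org(row["issuer_name"]),
            "names": names,
            "not_before": row["not_before"],
        })
    return records


def unexpected_issuances(records, domain, allowed_issuer_orgs, allow_wildcard=False):
    """Return (id, matching_names, reasons) for certs covering `domain` that
    break policy: issuer not on the allow-list, or a wildcard when not allowed."""
    domain = domain.lower()
    findings = []
    for rec in records:
        ours = [n for n in rec["names"] if n == domain or n.endswith("." + domain)]
        if not ours:
            continue  # certificate is for some unrelated name
        reasons = []
        if rec["issuer_org"] not in allowed_issuer_orgs:
            reasons.append(f"issuer {rec['issuer_org']!r} not in allow-list")
        if not allow_wildcard and any(n.startswith("*.") for n in ours):
            reasons.append("wildcard name issued")
        if reasons:
            findings.append((rec["id"], ours, reasons))
    return findings


if __name__ == "__main__":
    recs = parse_crtsh(SAMPLE_CRTSH_JSON)
    for cert_id, names, reasons in unexpected_issuances(recs, "example.net", {"Let's Encrypt"}):
        print(f"crt.sh id {cert_id}: {', '.join(names)} -> {'; '.join(reasons)}")
```

Run against live crt.sh output the same function is a cheap CT monitor for a domain you control; anything it flags should be compared against what your ACME clients actually requested.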
How would they do that? The ACME protocol is "take the basic artifacts you use for certificate signing, wrap them in JSON (cryptographically, using standard JWS), then send them over using HTTP + TLS." Every part of that is something for which there exists a buttload of implementations in whatever language you care to use.
> How would they do that?

Let me introduce you to the phrase "I don't see a mechanism."

>Let me introduce you to the phrase "I don't see a mechanism."

I'm not familiar with this phrase, but I think I did a good job citing a comparable example in my original post.

If you truly need a secure and private web you should be using tor.
Say what, now?

Anonymity and encrypted communication are two very, very different things. Have one but not the other and you're essentially handing off your private data, incl. passwords, to whoever has a tap on the communication between you and the server. Have the other but not the one and everyone will know who you are, but they can't eavesdrop.

I've had people straight up serve me malware when you attempt to OSINT them with Tor. Sometimes you need different kinds of anonymity, and I see a lot of one sized fits all proclamations on HN.
I've found lots of Iranians on tor.
I mean, no one is stopping someone from cloning letsencrypt - it shouldn't be very hard.

Google had a similar dilemma - do they want to offer a (censored) service in China, and have a hope of keeping some marketshare, or not (and be kicked out immediately).

In this case though, it seems to be an unforced move by letsencrypt? Or was it compelled by LEAs?