[jaas]

Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

> That said, pretty sure this is stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.

It doesn't.

[morpheuskafka]

You issued a certificate for North Korea's email infrastructure as recently as six days ago:

https://crt.sh/?id=26878583197 (06/04/2026 smtp.star-co.net.kp) https://crt.sh/?id=20256841119 (08/11/2025 *.star.net.kp)

Star Joint Venture is the manager of the .kp TLD and one of DPRK's two email providers (the other is silibank.net.kp) [1], used as the official email for various government bodies ex. ipa817@star-co.net.kp (IP Office), kscost@star-co.net.kp (Sci/Tech Commission), ksf@star-co.net.kp (Ministry of Culture and Sports), mhs-ip@star-co.net.kp (Atomic Energy). It is also widely used by those universities and companies that engage with the outside world.

How did you determine that issuing a certificate to this domain or any .kp domain was compliant with the general ban on exporting goods and services to DPRK?

[throwaway2037]

This is incredible. How did you find these certs?

[morpheuskafka]

I only noticed the star net one (not sure if it’s even in use) when writing this. I noticed the Pyongyang Zoo (which shares an IP with the Architects Society—one on 443 and one on 80 lmao) first, just from flipping through their very small IP space on Shodan.

You can see them all on crt.sh, because LE has to upload them to a CT log for browsers to trust them. (That’s how most of those subdomain finder websites work too.) The email servers seem to have gotten certs from a for profit CA back in 2015, but I’m not sure if they ever used them. Most of their webspace seems to be HTTP only. (And it’s a good thing, because some of their Apache versions are potentially old enough to have Heartbleed.)

The architects website has some pretty cool PDF magazines btw. They also have several websites for their insurance company’s (perhaps some intl org needs them to have a website for listing)—that’s a core hard currency stream for them and they previously have been accused of submitting false losses.

[qingcharles]

Thank you. Had to go looking for these magazines.

http://www.koreanarchitecture.gov.kp/index.php?kt=TWFnYXppbm...

[FireBeyond]

> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

The agreement very plainly says otherwise:

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions

The general population of those countries are absolutely "persons" "located in" a "country or territory that is the target of comprehensive U.S. sanctions."

> communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable, we'll work on that.

This tries to frame it as a comprehension issue. It's not.

The wording in your agreement is actually quite clear. I think it's reckless, if not disingenuous to frame this as "we really only mean government entities".

Apropos of anything else, it's also not how US sanctions work - they are absolutely aimed at both the populace as well as the government itself.

[undecisive]

They have "clarified" elsewhere on here that the normal citizenry get a legal exemption [waves hands mystically] somehow, and that they're only blocking people when they legally have to.

Obviously (to the rest of us) if the agreement says otherwise, then they're saying that it's LE that is forbidding the citizens of these countries, and it's not (entirely) the government's fault, which completely contradicts what they're trying to say.

We should probably be clear that this document is most likely a backside-covering exercise; it exists so that people can't sue LE for denial of service without a just cause, and so that the US can't prosecute them for intentionally shipping cryptographic services, or some such rubbish.

If you live entirely outside the US legal system, or its multifaceted tendrils, and if you don't make too much noise, you may be fine. Obviously that's a far cry from a "right to free speech" level of protection, but then LE have no obligation to provide that to people outside the US, and arguably non-rich citizens within the US lost that a long time ago.

[Citizen8396]

"Somehow" is addressed in my comment: https://news.ycombinator.com/item?id=48479348

[Citizen8396]

OFAC sanctions are far more nuanced than what you make them out to be. Very often "general licenses" are carved out for providing IT services or technology to individuals for personal use. The purpose of this is for censorship circumvention, which often supports American interests abroad.

This is not something that you apply for; a general license already applies to everyone. The legalese or restrictions companies use exist because they cannot (or will not) validate everyone is who they say they are. This obviously doesn't apply to companies who deal with controlled exports, where they are responsible for whoever ultimately receives the controlled export.

I am not a lawyer and this is not legal advice.

https://ofac.treasury.gov/selected-general-licenses-issued-o...

[FireBeyond]

I get this, but you say "very often", but it's not, and generally, looking at OFAC lists, there's only a few countries with personal carveouts (less than 5 of the countries on the list), usually for remittances, and in a few of those countries only to US persons residing there.

Generally the software carveouts are very limited - it's not just "providing IT services or technology to individuals for personal use", i.e. Sudan:

> software updates for medical devices to Sudan

Indeed, of the software carveouts listed on that page, only two are not related to the operation or update of medical devices:

- provision of Internet services to the people of the Ukraine (read: "Starlink")

- provision of messaging services to members of the Government of Venezuela.

[necovek]

Sounds like "comprehensive" does the heavy-lifting here (in "country or territory that is the target of comprehensive U.S. sanctions"): what countries are under comprehensive sanctions, and which are under non-comprehensive sanctions?

[jstanley]

It may be the case that "most of" their sanctions-related blocks apply only to governments (let's say there are 100 such blocks), while they still disallow usage by persons located in a country or territory that is the target of comprehensive US sanctions (let's say there are 50).

[chme]

I assumed that they meant that they will not enforce it via technical means.

[rootnod3]

Came here to quote exactly that paragraph.

[CobrastanJorji]

Thanks for responding, and to clarify, I am confident that Let's Encrypt is shared as widely as they are able. Could you explain what that requirement does stem from?

[cpud36]

> Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.

> Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.

It doesn't work that way.

Blocking governments from getting certs doesn't hurt them in the slightest. The government can just create their own pki.

But it hurts the general population instead. People do not live in vacuum, they still need to access government sites. And thus people are forced to install root certificates of questionable trust.

When Let's Encrypt blocks government entities, it instead puts respective vulnerable population in even less secure environment.

Although, given the current events, I am not sure Let's Encrypt continues to deserve the trust it had.

[notamario]

When you say “our legal requirements” do you mean requirements LE imposes in its agreements or requires imposed on LE by governments?

[jaas]

I was referring to the requirements imposed on us. When it comes to sanctions, we do not block anything more than what is required by law.

[marcus_holmes]

The current US government sanctions political enemies [0].

Wouldn't the more rational response to this legal situation be to leave the USA and move somewhere more willing to respect international law?

[0] https://www.whitehouse.gov/presidential-actions/2025/02/impo...

[BLKNSLVR]

According to the current administration, almost half of the US is considered a political enemy of the current administration.

Soon they might be pushing for Operating Systems to gather political party preference information, so they can know who should be restricted from the use of strong encryption. The options being:

1. I love america

2. Radical left looney

3. Neither male nor female.

4. Those that tremble as if they were mad[0]

[0]: https://thewhippet.org/the-whippet-134-those-that-tremble/#c...

[marcus_holmes]

It'll be interesting when/if they sanction Antifa. Since it doesn't exist, you can't prove that you're not a member of it. So they get to sanction anyone.

[ndsipa_pomu]

Proof has no relevance if you are prevented from accessing the legal system (e.g. thrown into a concentration camp for immigrants)

[bawolff]

> move somewhere more willing to respect international law?

Some of these sanctions are required by international law (i.e. sanctions imposed by UNSC). For the other ones, international law generally lets countries have whatever trade policy they see fit including sanctions, unless they violate some other rule of international law or treaty obligation.

[marcus_holmes]

Sanctioning the ICC obviously has nothing to do with trade policy.

The USA signed the Rome Statute but never ratified it, and then withdrew its signatory status. There's an argument to be made that there was a treaty obligation there, but it's pretty weak.

[bawolff]

I personally think sanctioning the ICC judges is a disgusting act. However ultimately all sanctions are decisions to refrain from trading with someone, so it is in a sense a trade policy. I think what you're getting at is that usa is implementing that policy to obtain a political/diplomatic goal, which is true, but you could say the same about most trade policies.

I think article 18(a) of the vienna convention of the law of treaties means that once you withdraw your signature, you no longer have any obligations in regards to the treaty.

Maybe you could make some sort of argument that the sanctions violate the purpose of the geneva convention as they are designed to prevent bringing to justice people accused of grave breaches of the geneva convention. Like its an attempt to frustrate the application of article 49 of the first geneva convention [Ianal]

[JuniperMesos]

Why would other countries be less likely to impose sanctions on their political enemies?

[fc417fc802]

I can't answer why or why not but just in terms of track record the US is fairly egregious. The executive attempts to coerce individual UN officials via sanctions. While it may not be strictly illegal it is clearly flagrantly unethical.

[hdgvhicv]

By whose law? Thailand? China? Germany? Afghanistan?