Seems in all thing tech at the moment the US legal system is accelearting a great split and erectinga digital iron curtain, from AI models to the more mundane like TLS certs. Its been standard for a while for many Linux distros based in the US to toe the party line - like RedHat having notices pretty similar to this one by LE. Seems any meaningful Open Projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.

If you truly need a secure and private web you should be using tor.

They could, but if the branch didn’t follow these laws, the main US branch would still be liable.

completely independent entity would be far better option. Protocol is open after all, just need pointing to different vendor

Let's Encrypt certificates continue to be available in both Iran and Russia, just not for the Iranian and Russian governments.

The terms of service update to clarify what we have always done, comply with relevant law, has not changed the situation for either country.

wait until you find out about Facebook!

The entire point of a trust model is to exclude people. That's the stated goal.

If you want encryption without trust, just use self-signed certs.

While it seems like certificate authority has the primary control here, the real control lies in browsers and operative systems in which certificate authorities are trusted. Users also have, at least for the moment, control to add or remove certificate authorities, even if that control is slightly less clear for devices like smart phones.

Digital certificates that signs software packages are used to enforce exclusion by some manufacturers. Let's encrypt is not in that space to my knowledge, but it is a place where you the owner do not have the right to determine which certificate authority should be trusted, and generally the only one that is trusted is the manufacturer. Its arguable if we even should be calling such entities a certificate authority, even if they technically are the owner of the root certificate that signs the package.

I always saw it as a trust-chain and think that anyone is welcomed to create a root certificate and distribute it to whomever trusts them. Most simple services may not need TLS, but with the ISPs eavesdropping on our communication, a form of secure communication is required and the currently best solution we have requires a trust-chain to be built.

> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.

I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.

> Has letsencrypt been served with a subpoena?

While it's certainly possible that ISRG has been served a subpoena because it appears the US DOJ is now a mix of hacks and incompetent buffoons, it wouldn't matter because the whole point is that they don't know anything - what you told them is literally logged publicly for everybody to see without even knowing how to spell "subpoena" let alone issue one.

Some people have this insane idea that somehow the CA has some secret which either they minted and sent to the CA, or the CA minted and gave them a copy and so the US government could get this secret with a subpoena - but the whole fucking point of a Public Key Infrastructure is that we're using Public Key Encryption, if we were OK with everybody having secrets all over the place this entire thing wouldn't be needed.

Neither Greenland nor the EU has been sanctioned by the US.

Well good thing everyone using the provider is using an open protocol and it's stupid easy to switch

If it was a genuine question, the genuine answer is it's the provider that democratised streamlined ACME certificate verification and made it for free

No account, no payment, a single bash command or a certbot that runs regularly and you have your own globally recognised certificate

Historically, providers used to make the most frictions so that they could justify absolutely crazy fees for signing any certificates. It doesn't goes down well in DevOps, it doesn't work with indies who don't have 3 to 4 digits figures to blow in httpS, everyone including organisations ended up making certificates authorities of their own to sign stuff... and let's encrypt was successful at making certificates easy, free and actually secure

If nothing has changed it's still the only one that's free and instant. Back in the day you'd had to pay $10/y and install manually

There are some options. actalis.com is European alternative but free tier is a bit less than Let's Encrypt.

> Is Let's Encrypt the only provider of SSL certificates?

No.

Yes, but EU would have to convince Google and Apple to get a new root certificate to browsers.

Do you really think the EU wants to sign up for PR that’s essentially “the US is being too mean to Russia” right now?

the wikipedia page has links to projects that removed CAcert where reasons are stated. the main one being that CAcert didn't complete a security audit or because they were not yet accepted by mozilla (because of the lack of an audit, but also because CAcert actually withdrew the request to be included). one group removed it because CAcert has a strict root redistribtion license that they can't follow.

LWN has a good writeup on the audit situation as of 2014: https://lwn.net/Articles/590879/

Don't understand why you have been downvoted. Russian government have already attempted to push forward their root certificate for banking using Yandex browser, now this.

"US company must obey US law" doesn't make for a very interesting headline.

It is however a reminder that "just use LE" is not a valid response to concerns about protocols/APIs/browsers/etc requiring TLS.

That's just another reminder that no one from outside of US should deal with US companies.

No it isn't. Not unless it's free.

This is the main reason letsencrypt is so popular.

Man in the Middle Wiki:

> Also known as a monster-in-the-middle,[1][2] machine-in-the-middle,[3] meddler-in-the-middle,[4] manipulator-in-the-middle,[5][6] person-in-the-middle[7] (PITM), or adversary-in-the-middle[8] (AITM) attack.

EU? There’s almost zero information on the company, no privacy policy? The only place I found any mention is the footer, “HID Global Corporation, part of ASSA ABLOY”. Assa Abloy seems Swedish but HID Global is a US company as far as a quick search goes. But without a proper company info page and privacy policy I wouldn’t consider it anywhere near a “good alternative” regardless.

I use them in some cases to avoid the rate limits on LetsEncrypt, and they have better support for some older platforms (like ancient Android versions), and I'm pretty happy so far. I have a paid account to support them, but it's not a requirement for ACME certs. It works without issue with Kubernetes Certbot, and seamless to switch between ZeroSSL and LetsEncrypt.

I can't comment on the EU part though - not that relevant in my case.

There was some subtle issue with ZeroSSL's implementation of ACME that I ran into with, IIRC, lego and domain certs and there was a ~5 year old lego open issue about it. That was a couple years ago, might be fixed, but my understanding at the time was that it was an issue with Zero's ACME implementation, so there may be dragons.

3 90-day ACME certs for free. 180€/year for unlimited 90-day certs and 5 yearly ones.

That’s a pretty steep increase. I would almost be more interested in a monthly fee per cert.

ZeroSSL aren't an EU-based alternative, unfortunately.

It's Sectigo under the hood.

Depends on whether LE is compelled to terminate service to BGP AS numbers hosted in U.S.-sanctioned countries, and whether LE continues operating out of the U.S..

Depending on how you are supposed to read "You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations." it could mean that you are not even allowed to use LE certificate to provide services to sanctioned entities as a random non-US company/person.

I hope not. We don't have any alternatives yet.

They already revoced certificates for some russian sites

I would imagine, as a CA that issues only DV certs, they'd disallow issuance to various ccTLDs, and perhaps stop newAccount registrations with email addresses at those ccTLDs. That's about as much as they could do - IP-blocking by region is ineffective and crude at best.

the list of ppl under US sanctions is staggering

Europe starts to shield itself from the risk since Nicolas Guillou, the French ICC judge who issued a warrant against bibi got sanctioned (France officially protested about this case)

China is being successful at blocking US firms out of their supply chains (they already use Linux on Loongarch processors with some homemade architecture and pioneer RISC V), since a bunch of their companies also got sanctions for supplying the governement

US stands so much for freedom that it's the first country to refuse immigration to FIFA world cup teams and athletes, with Iranians not allowed to stay between games and Somali goalkeeper being turned away at the border. Germany itself didn't do for the 1936 Olympics.

So at best, they're only shooting themselves in the foot by showing any US component in a supply chain is a risk, while using US clouds were already a risk of loss of revenue from FISA requests to undercut your bid and rot your company and using US dollars for trade was already a liability

In the meantime, US companies can do anything, break any financial law and abuse every human right, they'll just sign DPAs to avoid prosecution

But what if you're the baddies?

love thought-terminating cliches. really helps keep from actually thinking ever.

If you click the link…

> [You certify to LetsEncrypt that] …

> You are not a person or entity that is: (a) located in, organized under the laws of, or ordinarily resident in any country or territory that is the target of comprehensive U.S. sanctions; (b) a prohibited or restricted party under U.S. or other applicable sanctions and export control laws and regulations; or (c) owned or controlled by or acting on behalf of anyone described in (a) or (b). You agree to use Let’s Encrypt Certificates and any services provided by or on behalf of ISRG in compliance with applicable U.S. export control and sanctions laws and regulations.

It took me a minute to understand the original post because the verb sanction means both itself and basically the opposite of itself. It would be better to say "any territory that the US has levied sanctions against". I thought LetsEncrypt had banned its usage in the US! The word for words like sanction is contronym.