Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
I’m actually old enough to remember how PGP code was exported as a book printout because exporting computer code for cryptography with strong keys in digital form was disallowed but a book was fine (protected by First Amendment rights). The printout was scanned abroad to reconstitute the source and build PGP legally.
> pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries
This is most likely OFAC. Let's Encrypt could apply for a license to do business with sanctioned entities, and given their use case it would most likely be approved.
Seems in all things tech at the moment the US legal system is accelerating a great split and erecting a digital iron curtain, from AI models to the more mundane like TLS certs. It's been standard for a while for many Linux distros based in the US to toe the party line - like Red Hat having notices pretty similar to this one by LE. Seems any meaningful Open Projects will have to choose what path they want to take, be like RISC-V and relocate or LE and others and enforce the divide.
Some (well, at least one) of us are old enough to have owned one of these:
http://www.cypherspace.org/adam/uk-shirt.html
A t-shirt with a Perl script that implemented RSA encryption strong enough to be technically illegal to export from the US.
(I must sadly admit to being too cowardly/sensible to have taken that shirt to the US in the late 90s...)
> Let's Encrypt’s mission is to create a more secure and privacy-respecting web, except for people residing in countries with the most need for a more secure and privacy-respecting web. Sure, that's great.
If complying with the law gets in the way of the mission I’m not sure that counts as a change to the mission.
This is why, as someone who works in security and encryption and has implemented web server TLS stacks and such, I still oppose the "always-https" idea.
TLS is awesome, one of the most valuable developments in Internet history. But it is important to understand that it is a double-edged sword. Requiring a CA, which in practical terms means requiring a publicly known CA, is a choke point of freedom.
http://www.geekytattoos.com/illegal-tattoos-rsa-tattoos
tattoo yourself with crypto code to become munitions
> to not export SSL technology to enemy countries

sounds like to not export mathematics
It could also be an easy way to not have to implement backdoors for the government/military.
If you truly need a secure and private web you should be using tor.
I mean, no one is stopping someone from cloning letsencrypt - it shouldn't be very hard.
Google had a similar dilemma - do they want to offer a (censored) service in China, and have a hope of keeping some marketshare, or not (and be kicked out immediately).
In this case though, it seems to be an unforced move by letsencrypt? Or was it compelled by LEAs?
Let's Encrypt continues to be available to almost every vulnerable population in the world, including those that need it most. I say almost as I'm hesitant to speak in absolutes regarding a topic as complex as this.
Most of our sanctions-related blocks apply only to the governments of certain sanctioned countries, not their general population.
This subscriber agreement update was intended to better reflect our legal requirements. It does not reflect a major change in the service we provide. Our compliance program does evolve over time, and part of that is communicating about it better in our terms of service. It's clear from some of the comments here that we have more work to do to make that text more understandable; we'll work on that.
> That said, pretty sure this stems from the insane US legal requirement to not export SSL technology to enemy countries. I'm sure some of y'all are old enough to remember when web browsers came in "international friendly" versions that supported 40 bit encryption, or "fancy secure" versions with 128 bit encryption.
It doesn't.