Let's Encrypt, the nonprofit certificate authority that provides free SSL/TLS certificates, has quietly updated its subscriber agreement to prohibit the use of its certificates in any US-sanctioned territory. The change, which took effect without public announcement, restricts access to HTTPS encryption for websites and services operating in countries subject to US trade embargoes.

What Changed

The updated subscriber agreement now explicitly states that certificates cannot be used in or for the benefit of any region subject to US sanctions, including Iran, Syria, North Korea and Cuba. Previously, Let's Encrypt did not enforce such geographic restrictions on certificate usage. The move aligns the organization with broader US export control laws that govern encryption technology.

Let's Encrypt is operated by the Internet Security Research Group, a California-based nonprofit. As a US entity, it must comply with federal regulations. However, the new language goes beyond standard compliance by actively banning usage rather than merely requiring users to follow applicable laws.

Why This Matters

This policy directly impacts website operators and internet users in sanctioned territories who rely on free certificates to secure their sites with HTTPS. Without valid certificates, those sites become vulnerable to interception and tampering. Browsers may display security warnings or block access entirely.

The change also affects humanitarian organizations, journalists and activists operating in those regions who depend on encrypted connections for safe communication. By cutting off access to free certificates, Let's Encrypt may inadvertently weaken security for some of the most vulnerable internet users.

Broader Implications

The decision reflects a growing trend among US-based technology providers to tighten compliance with sanctions regimes. Cloud services, domain registrars and content delivery networks have similarly restricted access from sanctioned countries in recent years.

Critics argue that such blanket bans can harm ordinary citizens more than intended targets. Encryption is a fundamental tool for privacy and security, and restricting it may increase surveillance risks rather than reduce them.

For now, users in affected territories must seek alternative certificate authorities or rely on self-signed certificates, which offer weaker security guarantees and trigger browser warnings. The long-term effect could be a fragmented internet where access to basic security tools depends on geography and political boundaries.