Let's Encrypt has updated its subscriber agreement to prohibit certificate issuance and usage in US-sanctioned territories, effective immediately. The change aligns the free certificate authority with American export control regulations.
The updated policy, detailed in version 1.7 of Let's Encrypt's Subscriber Agreement, bars the use of its certificates in any region subject to US sanctions. This includes territories under OFAC (Office of Foreign Assets Control) restrictions.
Let's Encrypt, operated by the Internet Security Research Group, must comply with US law to maintain its operations. The restriction applies to both new certificate issuance and continued use of existing certificates in sanctioned areas.
The move affects websites and services operating in designated sanctioned territories. Organizations in these regions will need to source certificates through alternative providers.
The policy update generated significant discussion in the developer community, with 86 comments on Hacker News reflecting concerns about internet accessibility in restricted regions and the practical implications for affected services.
Let's Encrypt previously faced similar compliance requirements and has adjusted policies accordingly. The organization continues to provide free SSL/TLS certificates globally outside sanctioned zones.