Upcoming changes to Let's Encrypt and how they affect XMPP server operators

Google’s rules push Let’s Encrypt change; chat admins split between chill and chaos

TLDR: Let’s Encrypt will default to “server‑only” certificates in 2026, which could confuse some server‑to‑server chat links, though Prosody says it’s ready. The community’s split: some accuse browser policies—especially Google’s—of steering the whole internet, while others just want a simple toggle to avoid headaches.

Let’s Encrypt, the free “ID card” issuer of the internet, is switching to server‑only certificates by default on February 11, 2026 — and the XMPP (open, federated chat) crowd is loud about it. Prosody, a popular XMPP server, says don’t panic: they already accept these certificates for server‑to‑server links. But the comments? That’s where the fireworks are.

One camp is fuming that this looks like a power move by the browser world. A user called it a “deliberate attack on the decentralized web,” while another pointed straight at Google: the change is “prompted by Google Chrome’s root program requirements.” Translation: browser policies change, the rest of the internet scrambles. Others vented that everything is becoming web‑ and Google‑centric, with jokes about “browser barons” deciding the fate of chat servers.

On the calmer side, some folks applauded the clear explainer and noted that most admins may not need to do anything right now. Still, there’s a spicy middle ground: users wish Let’s Encrypt offered a simple toggle for “client” or “client+server” use to avoid breakage in edge cases.

Drama score: high. Impact today: moderate. But the vibe is unmistakable — the browser tail is wagging the internet dog, and the fediverse of chat geeks is not amused.

Key Points

  • From February 11, 2026, Let’s Encrypt will issue server-only authentication certificates by default.
  • XMPP server-to-server (s2s) connections may fail if TLS libraries enforce an Extended Key Usage (EKU) check that requires client authentication.
  • Prosody supports accepting server-only certificates for s2s, minimizing impact for Prosody operators.
  • EKU controls what a certificate is permitted to be used for; in s2s, TLS treats the initiating server as a TLS client.
  • The approach of accepting server-only certificates for s2s is not standardized; browser vendors influence CA policies.
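
The EKU decision described in the points above, as an added example (not code from Prosody, Let's Encrypt, or any TLS library). The function names, the `accept_server_only` switch, and the two DER samples are constructed for illustration. Treating an absent extension or anyExtendedKeyUsage as unrestricted is an assumption of this model.

```python
# Added illustration: a model of the EKU decision, not Prosody's or any TLS library's code.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage
# Constructed samples: DER value of an extendedKeyUsage extension.
SERVER_ONLY = bytes.fromhex("300a06082b06010505070301")
SERVER_AND_CLIENT = bytes.fromhex("301406082b0601050507030106082b06010505070302")

def _read_tlv(buf, pos):
    """Read one short-form DER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form DER")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated DER")
    return buf[pos], buf[pos + 2:end], end

def _decode_oid(body):
    """Decode base-128 OID arcs into dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("bad OID")
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_eku(der):
    """Return the key-purpose OIDs in an ExtKeyUsageSyntax SEQUENCE."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids

def s2s_cert_acceptable(eku, peer_role, accept_server_only=False):
    """eku: OID list, or None when the extension is absent (no restriction).
    peer_role: 'initiating' (acts as TLS client) or 'receiving' (TLS server)."""
    if eku is None or ANY_EKU in eku:
        return True
    needed = CLIENT_AUTH if peer_role == "initiating" else SERVER_AUTH
    return needed in eku or (accept_server_only and SERVER_AUTH in eku)
```

With strict enforcement, a server-only certificate presented by the initiating server is rejected; with `accept_server_only=True` the same certificate passes, which is the behaviour the page attributes to Prosody for s2s.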

Hottest takes

“deliberate attack on the decentralised web” — RobotToaster
“prompted by Google Chrome’s root program requirements” — everfrustrated
“Shame LE didn’t give people option to generate… client+server” — PunchyHamster