2049237 - HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)
Log In
Log In with GitHub
or
Remember me
Create an Account<br>·<br>Forgot Password
Browse
Advanced Search
New Bug
Reports
Documentation
Please enable JavaScript in your browser to use all the features on this site.
Copy Summary▾
Markdown
Markdown (bug number)
Plain Text
HTML
View ▾
Reset Sections
Expand All Sections
Collapse All Sections
History
JSON
XML
Open
Bug 2049237
Opened 15 days ago<br>Updated 1 hour ago
HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)
Summary:
HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)
Product:
CA Program
See Open Bugs in This Product
File New Bug in This Product
Watch This Product
Component:
CA Certificate Compliance
See Open Bugs in This Component
Recently Fixed Bugs in This Component
File New Bug in This Component
Watch This Component
Version:
unspecified
Platform:
Unspecified
Unspecified
Type:
task
Priority:
Not set
Severity:
Status:
ASSIGNED
Status:
ASSIGNED
Mark as Assigned
Milestone:
Project Flags:
Accessibility Severity
Tracking Flags:
Tracking<br>Status
relnote-firefox
firefox-esr115
firefox-esr140
firefox-esr153
firefox152
firefox153
firefox154
Assignee:
public-incident-reports
Assignee:
Reset Assignee to default
Mentors:
QA Contact:
Reset QA Contact to default
Reporter:
g6h6m238929
Triage Owner:
bwilson
NeedInfo From:
public-incident-reports
4 days ago
NeedInfo:
Update
CC:
8 people
Depends on:
Blocks:
Regressions:
Regressed by:
URL:
See Also:
Alias:
Keywords:
Whiteboard:
[ca-compliance]
QA Whiteboard:
Change Request:
Bug Flags:
behind-pref
sec-bounty
sec-bounty-hof
in-qa-testsuite
in-testsuite
qe-verify
Signature:
None
This bug is publicly visible.
Сертификат для vtb.com.pdf
15 days ago<br>Iakov
137.10 KB,<br>application/pdf
Details
Сертификат для sberbank.com.pdf
15 days ago<br>Iakov
142.48 KB,<br>application/pdf
Details
Сертификат для _.vk.com.pdf
15 days ago<br>Iakov
187.25 KB,<br>application/pdf
Details
Сертификат для _.dialog.info.pdf
15 days ago<br>Iakov
157.44 KB,<br>application/pdf
Details
Сертификат для _.alrosa.ru.pdf
15 days ago<br>Iakov
137.72 KB,<br>application/pdf
Details
Сертификат для _.rosneft.ru.pdf
15 days ago<br>Iakov
138.09 KB,<br>application/pdf
Details
Сертификат для _.veb.ru.pdf
15 days ago<br>Iakov
140.86 KB,<br>application/pdf
Details
Сертификат для _.kamaz.ru.pdf
15 days ago<br>Iakov
141.96 KB,<br>application/pdf
Details
Full dataset of HARICA certificates related to sanctioned Russian / Belarusian entities.
2 days ago<br>caldris
32.97 KB,<br>text/plain
Details
hellenic_academic_and_research_institutions_ca_certs.csv
2 days ago<br>caldris
69.40 KB,<br>text/csv
Details
HARICA.jsonl
2 days ago<br>Iakov
373.45 KB,<br>application/octet-stream
Details
Re_ [Ticket#2026060610000063] High-priority escalation_ no preliminary findings and new max.ru certificates issued after CPR notic [...] 2026-06-17T09_35_39+03_00.eml
2 hours ago<br>caldris
15.94 KB,<br>message/rfc822
Details
Re_ [Ticket#2026060610000063] Certificate Problem Report_ additional HARICA certificates for sanctions-linked Russian banks and en [...] 2026-06-18T11_17_35+03_00-3.eml
2 hours ago<br>caldris
17.74 KB,<br>message/rfc822
Details
Bottom ↓
Tags ▾
Reset
Timeline ▾
Reset
Collapse All
Expand All
Comments Only
Iakov
Reporter
Description
•<br>15 days ago
Attached file
Сертификат для vtb.com.pdf<br>— Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
Steps to reproduce:
I audited active public TLS certificates issued by HARICA (Greece) and found several certificates issued to heavily sanctioned Russian entities under EU Council Regulation (EU) No 269/2014.
I filed official Certificate Problem Reports (CPRs) with HARICA's compliance/support team, providing all the certificate details and legal grounds for revocation.
Actual results:
HARICA formally refused to revoke the certificates, closing all my reports with the following copy-paste statement:
"[...] Following a thorough internal review, we have determined that all reported certificates are DV (Domain Validated) Server TLS certificates. As such, they contain exclusively information relating to the domain in question, with no reference to any natural or legal person operating behind the website. This type of certificate does not require any additional vetting on our part as a Certification Authority. [...] Domain control confirmation is the sole object of verification. All submissions received through our CPR channel regarding the same certificate types are now considered closed. We wish to clarify that should any further action be warranted, we remain committed to...