Harica: Issuance and refusal to revoke TLS certificates for sanctioned entities

keydown1 pts0 comments

2049237 - HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)

Log In

Log In with GitHub

or

Remember me

Create an Account<br>&middot;<br>Forgot Password

Browse

Advanced Search

New Bug

Reports

Documentation

Please enable JavaScript in your browser to use all the features on this site.

Copy Summary▾

Markdown

Markdown (bug number)

Plain Text

HTML

View ▾

Reset Sections

Expand All Sections

Collapse All Sections

History

JSON

XML

Open

Bug 2049237

Opened 15 days ago<br>Updated 1 hour ago

HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)

Summary:

HARICA: Continued issuance and refusal to revoke TLS certificates for EU-sanctioned blocked entities (Sberbank, VTB, KAMAZ, ANO Dialog)

Product:

CA Program

See Open Bugs in This Product

File New Bug in This Product

Watch This Product

Component:

CA Certificate Compliance

See Open Bugs in This Component

Recently Fixed Bugs in This Component

File New Bug in This Component

Watch This Component

Version:

unspecified

Platform:

Unspecified

Unspecified

Type:

task

Priority:

Not set

Severity:

Status:

ASSIGNED

Status:

ASSIGNED

Mark as Assigned

Milestone:

Project Flags:

Accessibility Severity

Tracking Flags:

Tracking<br>Status

relnote-firefox

firefox-esr115

firefox-esr140

firefox-esr153

firefox152

firefox153

firefox154

Assignee:

public-incident-reports

Assignee:

Reset Assignee to default

Mentors:

QA Contact:

Reset QA Contact to default

Reporter:

g6h6m238929

Triage Owner:

bwilson

NeedInfo From:

public-incident-reports

4 days ago

NeedInfo:

Update

CC:

8 people

Depends on:

Blocks:

Regressions:

Regressed by:

URL:

See Also:

Alias:

Keywords:

Whiteboard:

[ca-compliance]

QA Whiteboard:

Change Request:

Bug Flags:

behind-pref

sec-bounty

sec-bounty-hof

in-qa-testsuite

in-testsuite

qe-verify

Signature:

None

This bug is publicly visible.

Сертификат для vtb.com.pdf

15 days ago<br>Iakov

137.10 KB,<br>application/pdf

Details

Сертификат для sberbank.com.pdf

15 days ago<br>Iakov

142.48 KB,<br>application/pdf

Details

Сертификат для _.vk.com.pdf

15 days ago<br>Iakov

187.25 KB,<br>application/pdf

Details

Сертификат для _.dialog.info.pdf

15 days ago<br>Iakov

157.44 KB,<br>application/pdf

Details

Сертификат для _.alrosa.ru.pdf

15 days ago<br>Iakov

137.72 KB,<br>application/pdf

Details

Сертификат для _.rosneft.ru.pdf

15 days ago<br>Iakov

138.09 KB,<br>application/pdf

Details

Сертификат для _.veb.ru.pdf

15 days ago<br>Iakov

140.86 KB,<br>application/pdf

Details

Сертификат для _.kamaz.ru.pdf

15 days ago<br>Iakov

141.96 KB,<br>application/pdf

Details

Full dataset of HARICA certificates related to sanctioned Russian / Belarusian entities.

2 days ago<br>caldris

32.97 KB,<br>text/plain

Details

hellenic_academic_and_research_institutions_ca_certs.csv

2 days ago<br>caldris

69.40 KB,<br>text/csv

Details

HARICA.jsonl

2 days ago<br>Iakov

373.45 KB,<br>application/octet-stream

Details

Re_ [Ticket#2026060610000063] High-priority escalation_ no preliminary findings and new max.ru certificates issued after CPR notic [...] 2026-06-17T09_35_39+03_00.eml

2 hours ago<br>caldris

15.94 KB,<br>message/rfc822

Details

Re_ [Ticket#2026060610000063] Certificate Problem Report_ additional HARICA certificates for sanctions-linked Russian banks and en [...] 2026-06-18T11_17_35+03_00-3.eml

2 hours ago<br>caldris

17.74 KB,<br>message/rfc822

Details

Bottom &darr;

Tags ▾

Reset

Timeline ▾

Reset

Collapse All

Expand All

Comments Only

Iakov

Reporter

Description

&bull;<br>15 days ago

Attached file

Сертификат для vtb.com.pdf<br>— Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0

Steps to reproduce:

I audited active public TLS certificates issued by HARICA (Greece) and found several certificates issued to heavily sanctioned Russian entities under EU Council Regulation (EU) No 269/2014.

I filed official Certificate Problem Reports (CPRs) with HARICA's compliance/support team, providing all the certificate details and legal grounds for revocation.

Actual results:

HARICA formally refused to revoke the certificates, closing all my reports with the following copy-paste statement:

"[...] Following a thorough internal review, we have determined that all reported certificates are DV (Domain Validated) Server TLS certificates. As such, they contain exclusively information relating to the domain in question, with no reference to any natural or legal person operating behind the website. This type of certificate does not require any additional vetting on our part as a Certification Authority. [...] Domain control confirmation is the sole object of verification. All submissions received through our CPR channel regarding the same certificate types are now considered closed. We wish to clarify that should any further action be warranted, we remain committed to...

details days certificates harica iakov application

Related Articles