According to Let's Encrypt revoked and banned

“We have revoked all outstanding certificates for that site and banned it from getting certificates from us in the future,” the executive director of the Internet Security Research Group, Josh Aas, said in an email.

The certificate is indeed revoked: | 943569098

  • Is that article true?
  • Was it the first time Let's Encrypt revoked a certificate in such manner and/or banned a user?
  • What was the basis of that action?

Related: Redirecting to Google Groups

The non-expired certificate has been revoked indeed:

It would be helpful to at least publish the reason for revocation, e.g. was the reasons for it technical or caused by a breach of Let’s Encrypt or CAB Forum policies, and if possible, do that for every revoked certificate, possibly making this information available through Certificate Transparency or a similar mechanism.

To clarify, the issue isn’t the revocation, but the fact it was done silently, against the concept of Certificate Transparency Let’s Encrypt pioneered.

This is the most important part of the article:

The revocation comes two weeks after the Treasury Department slapped sanctions on the founder and editor of USA Really, Alexander Malkevich, making it a crime to conduct financial transactions with him.

It is simply illegal for ISRG (the organization behind Let's Encrypt) to provide any services to individuals on the Specially Designated Nationals (SDN) and Blocked Persons List:

It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked and U.S. persons are generally prohibited from dealing with them.

It's not the first time Let's Encrypt had to do so - see case.


Yes, sorry, I should have been more explicit when I asked

What I meant was:

  • Was that certificate revoked because of the US government (and not for an issuance reason or because the owner asked for it)?
  • Were the quotes from Josh Aas correct (did he say that, and was it true)?

Thanks! Now, the issue is that there was no way to know from OCSP or CT logs that the revocation was to comply with US law. The Donetsk case was pretty obvious, unlike this one.

I don’t believe the owner requested revocation since no replacement certificate was requested by them.

Ping @josh as he is the best one to answer...

(And my apologies, I probably should have pinged earlier, and, just to be clear, I was not implying that he may be lying, nor that Let's Encrypt staff did something "wrong"!)

I just felt it was important that the community gets all the facts about that event, in particular regarding "Let's Encrypt and U.S. laws" and "Is Let's Encrypt going from savior to single point of failure (SPOF)?", and whether Let's Encrypt did it on their own initiative or because they were contacted by the US government.

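The OCSP gap raised above (and the earlier request to publish revocation reasons) can be seen directly in what the protocol carries. This is an added example, not code from this thread or from Let's Encrypt: a throw-away CA built with the openssl CLI revokes one leaf certificate with a chosen CRLReason, answers an OCSP request for it offline, and the client side extracts what a relying party actually gets. Every name, serial and timestamp is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): revoke a demo cert with a CRLReason,
# answer OCSP for it from openssl's index file, and read back what a client
# sees. Requires only the openssl CLI; nothing touches the network.
set -eu

# ocsp_reason <crl_reason>: prints the reason string an OCSP client sees
# (keyCompromise, cessationOfOperation, unspecified, ...) or nothing at all.
ocsp_reason() {
    work=$(mktemp -d)
    ( cd "$work"
      # Demo root and one leaf cert with serial 0x1001 ("1001" in the index).
      openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
          -days 2 -keyout ca.key -out ca.crt 2>/dev/null
      openssl req -newkey rsa:2048 -nodes -subj '/CN=demo.example' \
          -keyout leaf.key -out leaf.csr 2>/dev/null
      openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 4097 \
          -days 1 -out leaf.crt 2>/dev/null
      # openssl CA index line: R(evoked), expiry, "revocation time,reason",
      # serial, filename, subject DN. Both timestamps are constructed.
      printf 'R\t491231235959Z\t240101000000Z,%s\t1001\tunknown\t/CN=demo.example\n' \
          "$1" > index.txt
      # Responder side: build the signed OCSP response for leaf.crt from the index.
      openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
          -issuer ca.crt -cert leaf.crt -respout resp.der -noverify >/dev/null 2>&1
      # Client side: the summary carries status, times and the CRLReason enum,
      # and nothing else about why the CA revoked.
      openssl ocsp -respin resp.der -issuer ca.crt -cert leaf.crt -noverify 2>/dev/null \
          | sed -n 's/^[[:space:]]*Reason: //p'
    )
    rm -rf "$work"
}

# RFC 5280's CRLReason has no "sanctions" or "legal order" value, so a CA
# revoking under OFAC rules can at best pick unspecified or
# cessationOfOperation, and that is all OCSP (or a CRL) will ever show.
ocsp_reason keyCompromise
ocsp_reason unspecified
ocsp_reason cessationOfOperation
```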

As a U.S.-based organization we are required to comply with U.S. law. As such, we cannot provide services to people, organizations, or websites listed on the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) Specially Designated Nationals (SDN) list.

When it is brought to our attention that we are serving an entity on the SDN list, and if we can confirm the report, we will respond by revoking outstanding certs and banning future issuance to the entity.

That is what happened here - it was brought to our attention (not by a government agency or official) that we served and that it was now on the SDN list so we revoked and banned.

This happens to maybe one domain per month, to give you some idea of the frequency.


Thank you @josh for that clear and detailed answer!


May this be included on transparency reports in the future?


I find such a reaction rather disturbing. Couldn’t Let’s Encrypt have just confirmed that no financial transactions are taking place and been done with it?

How are such sanctions handled by other US-based organizations, such as Mozilla, Google, Microsoft, Apple and others?
Do they also actively block downloads, create special builds or add some code to general releases to prevent them from working, or actively censor search results or revoke legally purchased license keys?

I can currently browse that site on Google’s Android using Google Chrome and can find that site in Google’s search results.

I can use it on MacOS using Safari, Chrome and Firefox.

I could also use it in Firefox on Android if it weren’t lacking the intermediate certificate (oh, look, another US-based organisation, Qualys, Inc, providing them free services).

Most importantly: they just migrated to GlobalSign, another US-based CA.


You probably misunderstand the law. ANY assistance to these persons is a criminal offense. By companies or individuals, it doesn’t matter.

re: GlobalSign: It would be extremely unwise for them to switch to another US-based CA. Now the moment GlobalSign finds out that they issued a certificate for a prohibited person, they have to revoke it in a reasonable time span.

Also, isn’t GlobalSign owned by GMO Group, a Japanese corporation?


Please avoid that kind of comment. FAQ - Let's Encrypt Community Support


Thanks. Excuse me for not being professional. Feel free to delete the offending revision.


Just to be clear, I am not advocating for the website in question, but am questioning the integrity of LE, which actively bent over at the first sign (from what is known) of possible legal non-compliance.

ANY assistance to these persons is a criminal offense

Should we also delete all open source repositories and prosecute developers just in case they use any open source software on their servers? They use Russian nginx web server so the US could also prosecute whoever supports that project (financially or with code).

I would have no problem agreeing with:
"Any ACTIVE assistance to these persons is a criminal offense"

"Active" as in actively doing something to help them specifically. They just used a publicly available tool, one of many. They still use Google fonts, JQuery, webpack...
If a bank robber takes a regular bus after a heist to get away the driver and the bus company are in the clear.


We’re talking about criminal charges against ISRG’s owners here. Also, how is issuing a certificate not an act of active assistance? Issuance of a certificate is not the same thing as hosting a library that just happens to also be used by this particular website.


For a library, their web server answers automatically to requests coming from the Russian website.
For a certificate, the ACME server answers automatically to requests coming from the Russian website.

I feel it's not that different. In both cases there was no human interaction and no specific assistance.

But I understand that the people behind Let's Encrypt prefer to be on the safe side, legally speaking.


However I guess if ISRG becomes aware of such certificate, the law may require “ceasing and desisting” from such activity, e.g. revoking it and disabling this domain.

Overall if it could be proven that ISRG was or should have been aware of them serving this domain, and yet they did not cease serving it as soon as practically possible, criminal charges may happen.