According to mcclatchydc.com Let's Encrypt revoqued and banned USAReally.com

This is the most important part of the article:

The revocation comes two weeks after the Treasury Department slapped sanctions on the founder and editor of USA Really, Alexander Malkevich, making it a crime to conduct financial transactions with him.

It is simply illegal for ISRG (organization behind Let’s Encrypt) to provide any services to individuals on Specially Designated Nationals (SDN) And Blocked Persons List:

It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called “Specially Designated Nationals” or “SDNs.” Their assets are blocked and U.S. persons are generally prohibited from dealing with them.

It’s not the first time Let’s Encrypt had to do so - see dnr-online.ru case.

1 Like

Yes, sorry, I should have been more explicit when I asked

What I meant was:

  • Was that certificate revoked because the US government (and not for issuance reason of because the owner asked it)
  • Was the quotes for Josh Aas correct (did he said that, and was it true)

Thanks! Now, the issue is that there was no way to know from OCSP or CT logs that the revocation was to comply with US law. The Donetsk case was pretty obvious, unlike this one.

I don’t believe the owner requested revocation since no replacement certificate was requested by them.

Ping @josh as he is the best one to answer…

(And my apologies, I probably should have ping earlier, and, just to be clear, I was not implying that he may be lying, nor that Let’s Encrypt staff did something “wrong”!)

I just felt it was important that the community gets all the fact about that event, in particular regarding Let's Encrypt and U.S. laws and Is Let's Encrypt going from savior to single point of failure (SPOF)? , and If Let’s Encrypt did it of they own initiative or because they were contacted by the US government.

1 Like

As a U.S.-based organization we are required to comply with U.S. law. As such, we cannot provides services to people, organizations, or websites listed on the U.S. Treasury Department’s Office of Foreign Asset Control (OFAC) Specially Designated Nationals (SDN) list.

When it is brought to our attention that we are serving an entity on the SDN list, and if we can confirm the report, we will respond by revoking outstanding certs and banning future issuance to the entity.

That is what happened here - it was brought to our attention (not by a government agency or official) that we served usareally.com and that it was now on the SDN list so we revoked and banned.

This happens to maybe one domain per month, to give you some idea of the frequency.

6 Likes

Thank you @josh for that clear and detailed answer!

May this be included on transparency reports in the future?

2 Likes

I find such reaction rather disturbing. Couldn’t have let’s encrypt just confirm that no financial transactions are taking place and be done with it?

How are such sanctions handled by other US-based organization, such as Mozilla, Google or Microsoft or Apple and others?
Do they also actively block downloads, create special builds or add some code to general releases to prevent them from working, or actively censor search results or revoke legally purchased license keys?

I can currently browse that site on Google’s Android using Google Chrome and can find that site in Google’s search results.

I can use it on MacOS using Safari, Chrome and Firefox.

I could also use it in Firefox on Android if they wouldn’t be lacking the intermediate certificate
https://www.ssllabs.com/ssltest/analyze.html?d=usareally.com (oh, look another US-based organisation Qualys, Inc providing them free services)

Most importantly: they just migrated to GlobalSign, another US-based CA.

You probably misunderstand the law. ANY assistance to these persons is a criminal offense. By companies or individuals, it doesn’t matter.

re; GlobalSign: It would be extremely unwise for them to switch to another US-based CA. Now the moment GlobalSign finds out that they issued a certificate for a prohibited person, they have to revoke it in a reasonable time span.

Also, isn’t GlobalSign owned by GMO Group, a Japanese corporation?

Please avoid that kind of comments. https://community.letsencrypt.org/guidelines

2 Likes

Thanks. Excuse me for not being professional. Feel free to delete the offending revision.

1 Like

Just to be clear, I am not advocating the website in question, but am questioning the integrity of LE that actively bent over at a first sign (from what is known) of possibly legal in-compliance.

ANY assistance to these persons is a criminal offense

Should we also delete all open source repositories and prosecute developers just in case they use any open source software on their servers? They use Russian nginx web server so the US could also prosecute whoever supports that project (financially or with code).

I would have no problem agreeing with:
“Any ACTIVE assistance to these persons is a criminal offense”

“Active” as in actively doing something to help them specifically. They just used a publicly available tool, one of many. They still use Google fonts, JQuery, webpack…
If a bank robber takes a regular bus after a heist to get away the driver and the bus company are in the clear.

1 Like

We’re talking criminal charges to ISRG’s owners here. Also how is issuing a certificate not an act of active assistance? Issuance of certificate is not the same thing as hosting a library that just happens to also be used by this particular website.

For a library, their webserver answer automatically for request coming from the Russian website
For a certificate, the ACME server answer automatically for request coming from the Russian website

I feed it’s not that different. In both case they were no human interaction and no specific assistance.

But I understand that the people behind Let’s Encrypt prefers to be on the safe side legally speaking.

2 Likes

However I guess if ISRG becomes aware of such certificate, the law may require “ceasing and desisting” from such activity, e.g. revoking it and disabling this domain.

Overall if it could be proven that ISRG was or should have been aware of them serving this domain, and yet they did not cease serving it as soon as practically possible, criminal charges may happen.

1 Like

But I understand that the people behind Let’s Encrypt prefers to be on the safe side legally speaking.

Yes, but sometimes the noble goal is worth taking some risks. This enforces a dangerous precedence for LE and other CAs. CAB and EFF should put some effort to come to a favourable decision, stick to it, and if needed defend it in court.

The site could choose to not use https or use a different domain or hostname. Migration would hurt for a short while, but not be prevented.

Also the sanctions are against entities, not domains or hostnames. I understand that sanctions might affect EV (Extended Validation) where the entity is identified but the link to entity is very weak with domain validation.

The blocked identity: https://sanctionssearch.ofac.treas.gov/Details.aspx?id=7377 mentions only the domain with www. prefix.

Google seems to not be intimidated by legal threats and has a firmer stand:

Also the sanctioned url still works in all major browsers. None of them were intimidated into actively denying them service.

US-based IANA has (to my knowledge) not acted either.

LE is a relatively new player in the field and is (it seems) easily intimidated.

@anon95262142 wrote:

However I guess if ISRG becomes aware of such certificate, the law may require “ceasing and desisting” from such activity, e.g. revoking it and disabling this domain.

“ceasing and desisting” would mean not renewing existing and issuing new certificates, not actively revoking existing ones.

I agree. But in the end they are under the US jurisdiction.

That’s why I strongly advocate for the creation of CA on the same model of Let’s Encrypt but under different jurisdictions.

2 Likes

This may help against revocation, but may make risk of misissuance worse.

Is there any difference between revocation and misissuance?
They are both logged in CT logs and both may be “legally required” by the (US or other) government.