Report terrorist group who has a Let's Encrypt certificate

What do I do if an active terrorist group has a Let's Encrypt certificate?

I emailed abuse@letsencrypt.org about it, but I'm not sure that's the right way to do it; is abuse@letsencrypt.org even monitored?

I would want the certificate revoked AND also the domain blacklisted. From what I know, Let's Encrypt is prohibited from issuing certificates to terrorist organisations.

The only people that Let's Encrypt can't/won't issue to are those on the "SDN List".

I have no idea how they manage to match up real-world identities with the domain names they might control. But if you think Let's Encrypt has issued a cert in error, per their CP/CPS I think one should email cert-prob-reports@letsencrypt.org, though it wouldn't shock me if abuse@ gets monitored as well.

But in general, unless it's for an entity on that list that they're legally prohibited from dealing with, Let's Encrypt won't revoke a certificate due to a domain's content. And even if they did revoke certs, it doesn't actually do much in practice. Generally reporting people you think are doing bad things to their registrar or ISP is more effective.

5 Likes

The organisation is active on the SDN list.

So I wonder where to report it, but I'll try with cert-prob-reports as well. Thanks for that email.

YEAH, that email even got me a response from their ticket system, so it seems this report will be acted upon.

3 Likes

They refused to cancel the certificate. They basically said that since I don't have "authority" they can't act on the report, even if it's materially correct.

So I lodged a report with OFAC now. Hopefully they will fine ISRG and then they will be forced to act on SDN reports even if the reporting entity is not an "authority", as long as they can themselves verify the occurrence on the SDN list.

Also ineffective. Both their registrar (NORID) and ISP (Loopia NORWAY) are p00f in their brain. They say they need a court order or valid court decision from a Norwegian court to act on the report.

They don't seem to care about a US state order, OFAC or the SDN list, or a terrorist designation. It seems it MUST come from a local court.
Seems kind of impossible to get them shut down.

However, with the Swedish site I reported, I seem to have been slightly better off with getting it shut down at the ISP. The registrar completely refuses all abuse reports, however.

But for the Norwegian terrorist site, I can only see the option of getting their certificate revoked. Neither the ISP nor the registrar will do anything unless a local court says so.

In the best case (on the cert side) the end result would be that they get a cert from a local CA (or one from China like litessl.com or something else) and nothing else happens.
They can choose freely from 150-ish root CAs worldwide.

3 Likes

If you believe a certification authority has issued a certificate they should not have, contact iana@iana.org.

They manage the webroots. I especially encourage you to report this if they are doing so for those on the SDN list.

You might also consider contacting the OFAC directly. They have a reporting service here: OFAC Reporting System | Office of Foreign Assets Control

That reporting site is only for those that are subject to the OFAC regulations, ergo a "self-reporting" system.
The site is not for an unrelated third party to report.
But I sent a report to the email OFACDisclosures@treasury.gov, which an AI said I could use for third-party reports.
I got an auto response that the address is only intended for those that are subject to the OFAC regulations to "self-report".
Don't even know if my case will be looked at.

I should report to IANA about this; might be a good idea.

IANA responded that it was incorrect advice to contact them. They just referred me to the webhost or the registry (NORID) which, as I said, is p00f in the head.

It's becoming kind of irritating that terrorist groups (that do not post any terrorist content) are so hard to get shut down, because many people seem to require a local authority to give the decision to shut down, and won't respect the US SDN List.

Could any staff respond to this question:

Why is Let's Encrypt refusing to shut down a certificate, issued to a site which is present on the SDN list, with the reason that I as a reporter don't have the authority to make such a request? It feels kind of like you see someone breaking into a house, and then you call 911, and they then say "ooh, you are not the homeowner of said house, so you aren't authorized to make the request, the homeowner has to call".

It's kind of problematic IMHO.

Well, if no one wants to follow the law, the next call is to law enforcement.

And here is the problem: I'm not a citizen of the country where the terrorists are (Norway). So I don't have a Norwegian eID and can't file a police report. My local police station won't take police reports for cross-border crimes unless you are a victim (and the local country has investigative powers), which they don't have for "victimless crimes" (which terrorism without a specific terrorist attack is).

Kind of a weird situation, yes. This is why I wonder why Let's Encrypt won't do anything about it... It becomes kind of problematic when it's about online crime but investigation and law enforcement are hindered by borders.

For an American company acting in concert with hostile foreign entities, I'd suggest:
https://tips.fbi.gov/

1 Like

Thank you for raising this here, and I want to clarify what appears to be a misunderstanding of our earlier response.
We did not say that you lack authority to report this to us. Anyone can report concerns to us, and we appreciate when people do. What our response explained is that OFAC (the U.S. Office of Foreign Assets Control) is the only authority that can direct us to terminate services to an entity on the SDN list.
To use your analogy: if you see someone breaking into a house and call 911, the dispatcher won't refuse to take your report. But the dispatcher also can't authorize the use of force to stop the break-in on their own. That decision rests with specific authorities operating under specific legal frameworks. Similarly, we can receive your report (and we did), but we cannot act on it without direction from OFAC, which is the federal agency that administers and enforces U.S. sanctions.
This may seem counterintuitive, but U.S. sanctions law is complex. Terminating a service can itself be a "transaction" with a sanctioned party that requires authorization. We have sought guidance from OFAC on how to handle these situations and must follow the regulatory framework as it applies to us.
If you believe a sanctioned entity is violating U.S. law, you are welcome to report that directly to OFAC as well. Their contact information is available at https://ofac.treasury.gov.
We understand this is frustrating. We are committed to operating within the law, and that includes following the direction of the federal agencies that enforce it.

13 Likes

Now I understand it much more.

That's what you should have said in the response: that terminating the service is in itself a "transaction" and is the same as entering into an agreement with the sanctioned entity.

I thought all actions that reduce the business relationship with the sanctioned entity would always be OK without authorization. It just feels so counterintuitive that you could be "forced" to serve a sanctioned entity because they are sanctioned, which would be against the spirit of sanctions.

(I know, however, that terminating a contract that would require a refund, for example, would in itself be a transaction obviously, since sending money to a terrorist entity is way worse than letting a terrorist have, let's say, Netflix for 14 days more, but terminating a free service should IMHO not count as a transaction)

When you wrote that response email, it sounded more like "No, you cannot report OFAC violations to us, only OFAC can report violations to us". That was how I read your response.

I don't envy the work that Let's Encrypt's staff have to do to navigate the regulations around these sorts of things. It wasn't that long ago that offering meaningful encryption at all to those outside the US was considered selling weapons to enemies of the state. We may have gotten past that, but I'm guessing a lot of the laws and expectations are assuming that there would be money involved in an international agreement, so even like here where that isn't the case many of the same rules may apply.

7 Likes

Well, there are different levels of "terminating", and we must first see what they are providing: a certificate. This transaction has already ended. Now, what could happen:

  • They could refuse to deliver future certificates to that domain
  • They could revoke the current ones (I would bet that this one is the complicated one: it's an active action, and it doesn't "reduce" the relationship)

5 Likes

That's the difficult thing: providing an authentication, like an ID card, certificate or similar, means you "vouch" for the organisation in question. It's an ongoing transaction in my opinion that lasts for the whole time the document is valid, unless you revoke the document.

Like providing a course certificate after a completed course about, let's say, CCNA. While the certificate is valid, the organization is continually "vouching" for the organisation in question, which is more clear when the organization actively answers phone calls from relying parties to verify if the document is genuine. In LE's case, it can instead be compared to downloading the revocation list.

Revoking the certificate means the relationship ends in such a way that the document is no longer usable, which means the organization in question no longer actively "vouches" for the organization in question. If someone still attempted to use the document, any "phone calls" would mean the organization says they don't accept the document as genuine
(or in the case of LE, the document is marked as revoked).

So by providing an active ID document (a certificate, regardless of whether it's a code certificate, SSL certificate, course certificate after completing CCNA, grades from a high school, ID card to use in the transit system, badge access card to open a toilet door, whatever), they are providing a continuing service, a "perpetual" transaction, that is active for as long as the ID document is active.

And that's where I think it's problematic, even if the actual "issue" transaction has ended.

Also note that people on the internet can lie, nothing prevents a random non-sanctioned John Doe from registering terrorist.org

3 Likes

Correct, but here in this case, it's completely 100% clear that the sites in question are owned by the sanctioned entity.

The sanctioned entity has owned the site since long before they even became sanctioned, and it clearly belongs to the organization in question. The two sites have a relationship as well.

I could understand if the site was a parody site, or a "honeypot site" to collect terrorist data, but in this case, the site is the REAL DEAL and it's really a terrorist organization, using the site for planning their activities, blogging, and also using the site to recruit new terrorists to the organization.

Sadly, the site doesn't contain terrorist material per se, because they know that if they put up such material, the site would quickly be shut down. They of course only publish "filtered" information they know they can "safely publish" without anyone being able to use TCO legislation to take down the terrorists.

They are also accepting applications for membership in the terrorist organization, have an address where cash can be sent and are also accepting BTC transactions to bc1qyn7vwej8rzjpksla8vz03j5ya4jtk6k420spfe which is a terrorist address.

Have reported the address to Chainabuse as well, so they can't exchange money. Seems OFAC is just ignoring my reports,
just because I'm not "in the loop" (I'm not an exchange or similar).

Don't know how to go forward... but these terrorists are extremely filthy.

The SDN is not an "opt in" thing and you are expected not to do business with those entities if you are a USA org. Going to be honest, this mostly seems like dodging the issue to me.

Suppose I will find an alternative provider. It's disappointing that they would try to avoid responsibility for being complicit in these activities.
