Hasty Briefsbeta

Bilingual

Harica: Issuance and refusal to revoke TLS certificates for sanctioned entities

6 hours ago
  • #EU Sanctions
  • #CA Compliance
  • #TLS Certificates
  • HARICA, a Greek CA, is issuing TLS certificates to EU-sanctioned Russian entities such as Sberbank, VTB, and KAMAZ, despite reported violations.
  • HARICA refused to revoke these certificates, arguing that DV certificates require no identity verification and thus no sanctions screening.
  • Researchers identified over 170 active HARICA certificates for sanctioned entities, including state banks, defense contractors, and cyber-related organizations.
  • HARICA's stance contrasts with other CAs like Let's Encrypt and GlobalSign, which revoked similar certificates upon notification.
  • Escalations have been made to HARICA's auditor (QMSCERT) and Greek regulatory bodies (EETT) for non-compliance with EU sanctions.
  • HARICA maintains that legal or regulatory direction is needed for action, while critics argue willful blindness and policy choices enable sanctions evasion.
  • The issue highlights a systemic compliance failure, with HARICA becoming a 'sanctions-busting fallback' for blocked entities migrating from other CAs.