The comments too are less helpful than usual. A lot FUD and anti-EU sentiment (which may or may not be warranted, but there's very little objective reasoning going on).
Addendum: yes, people could look it up, but given the strong call to action ("last chance to fix eIDAS!"), I would suggest that the onus to provide clear information is on the authors. You can barely get people to care about privacy at all, let alone when so little information is provided.
Consider that last thing. We have this thing called bodily integrity [1], which guarantees everybody has self-ownership regarding their body and thus what can be done with it.
However, in the COVID period, it was clear as day that those who govern us dont give a rats ass about something like bodily integrity and going as far as taking away freedom of movement in order to make people comply with injecting themselves with a - until this very day - experimental vaccine.
Now consider what TPTB could do with a powerful toy like eIDAS.
So no, it is not "just" about internet security. Its about slowly and surely stripping away every human right you have as a EU citizen.
As for vaccines being "experimental", they have saved many lives, and now that the dust has settled, they seem to have done very little harm.
This all sounds rather like conspiracy nonsense, which isn't to say that eIDAS isn't stupid, but silly conspiracy nonsense like this undermines potential real concerns with eIDAS.
Like, put the eIDAS keys in a special "signed under protest" trust root, and throw up a bunch of scary warnings about how the EU is forcing Mozilla to trust those keys whenever they are used. Phrase it so that people who think "SSL warning" means "click advanced and 'i know the risks'" understand that this is equivalent to letting the CIA read your text messages.
If it's mandated, it isn't trust. It's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
My only question is whether they truly don't understand this, do understand it but don't care, or are actively interested in destroying that trust.
At that point you’ve got to wonder what happens to democracy, when people are afraid to exchange ideas
I’m increasingly convinced that this type of legislation will continue to proliferate until legislation banning it is not pushed for and put in place.
Terrifying times we live in where we may not even be able to keep our medical or financial information private anymore because of a handful of people voting on something they don't understand.
For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA
The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have ability to capture IP traffic (requires cooperation with ISP) 2. have ability to generate rogue certificate via cooperation with CA
For someone living in the West, what are the consequences of deleting or distrusting those CAs?
It's your own government that can actually do something bad to you.
(unless you're doing some really really nasty stuff, and china wants to eliminate you for those reasons, and is willing to create a large international incident because of that).
An example of what China can do is they can have their workers put pressure on you. Often this pressure is soft, nothing as direct as 'do X or we hurt you with Y'. And often the request, at least at the start, is for something legal and only a bit unethical if even that. A little information to help win a contract, maybe a way to advertise to you why you should go with their vendor for a product, maybe just asking you if a specific coworker seems to have any interest in some odd topic or passing you a resume of someone who seems a good fit for the job. If they can they'll push for more with increasing levels of silver and lead, and if not, they use what they did get to pressure elsewhere.
If you run into some websites which use them the browser will tell you that the certificate is invalid; you can always reinstall them if you prefer.
An interesting experiment would be to log all certificates used by the sites you normally use, say for a month, and then look at the list for anything shady. I have no ideia if an extension exists that would allow such and experiment, but the resulting list would be much more useful.
With certificate logs there is a chance, I don’t know how high, to catch 1).
Now, there are CAA DNS records, which serve the purpose of restricting the CAs that can sign a particular domain, which would of course be ignored by the malicious actor, but _could_ be checked by the end user's browser. But to the best of my knowledge, no browser does that.
But if your own government tells your own isp to reroute just your traffic over some MITM proxy, it's only you there to notice, and most probably, you won't.
And you're certainly right about government-mandated traffic hijacking.
1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.
2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.
So it's not really viable to use the existing CA system for MitM attacks.
The eIDAS proposal would:
1. Prevent browsers from distrusting CAs which are used in MitM attacks.
2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.
That creates a system that is very viable for government MitM attacks.
Thats reassuring but, not knowing much about this, I have a couple of questions:
1. Is this proactively monitored for? And how? And by whom?
2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
Pretty much every browser distrusted the root certificate from Spain's FNMT-RCM for a decade, so I think the answer's yes.
Yes, security researchers like myself are constantly looking in CT logs for suspicious certificates, and I've found many, most notably Symantec issuing certs for example.com (https://groups.google.com/g/mozilla.dev.security.policy/c/fy...) and Certinomis issuing for test.com (https://bugzilla.mozilla.org/show_bug.cgi?id=1496088). Both CAs were eventually distrusted. (But Certinomis will be back once eIDAS is adopted!)
Domain owners can use Certificate Transparency Monitors to learn about suspicious certificates for their own domains. Here are some monitors:
https://crt.sh/ - allows you to search for certificates for a domain
https://github.com/SSLMate/certspotter/ - open source tool which notifies you when a certificate is issued for one of your domains
https://sslmate.com/certspotter/ - commercial service that does the same, operated by my company
> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?
In 2017, Chrome and Firefox distrusted Symantec, which was at the time the world's largest certificate authority: https://security.googleblog.com/2017/09/chromes-plan-to-dist...
Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.
Care to point out where I said that?
example.com and test.com are real domains, and their owners did not authorize those certificates to be issued, so issuing them was a serious breach of the trust which CAs are expected to uphold. Furthermore, the discovery of these certificates led to investigations which turned up additional issues which are documented in detail here:
If you're a security researcher monitoring other people's domains, you have to rely on heuristics - e.g. if a domain has a long history of getting certs from a major US CA, and then suddenly a tiny European CA issues them a certificate, that's pretty suspicious. When I found the example.com certificate misissued by Symantec, I though it was suspicious because it was also valid for subdomains like products.example.com and support.example.com, which don't make sense for a domain that's reserved for documentation purposes. ICANN operates example.com, so I emailed their security team to confirm that they did not authorize the certificate.
The system works best if domain owners are monitoring their own domains, because only they know for sure if a certificate is authorized or not.
Follow-up question: presumably, a state actor with dominion or leverage over a CA can coerce said CA into issuing a certificate, right?
The threat of distrust means CAs have a very strong incentive to contest any government orders, since if they comply their business is destroyed.
https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-fr...
https://alecmuffett.com/article/108139
(via https://news.ycombinator.com/item?id=38109581 and https://news.ycombinator.com/item?id=38109731 respectively, but we merged the comments hither)
The digital administration in my country has made my life so much easier. We all have mandatory ID cards since decades ago, but now they have a chip with some certs for auth, signing, etc. I can check my taxes, fill government forms, see any traffic tickets, sign official documents from my home thanks to this. However, as far as I understand, this relies on my user agent accepting some particular CAs. This is critical, to the point of my browser preventing me access to some parts of the administration if the CA is not up to date or recognised or whatever.
What this legislation proposes, if I understand it correctly, is putting in the hands of the government the power to administer (part of) this CA infrastructure. As with many EU-related legislation, this forcefully transfers power from private (often American) entities to EU governments. I guess when trust in your government is higher or equal to trust on private firms, this doesn't sound so bad.
Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.
If some government sites want to use their CA that's one thing but what matters to identify you is the key stored in your ID card
- for a CA that is business (or a non-profit), trust is their product, and if Let's Encrypt fails at it's job then clients can go elsewhere
- not sure but in EU I would assume they are going to install all member states' CA certificates into all browsers, so then EU member state government A can MITM a connection for a citizen of member state B
- even if a website has a certificate from any current provider, any EU government can still MITM a user without the company knowing
Also, as it's technically possible to combat the legislation then how much would it actually help, wouldn't any "criminal" pay attention to it too, e.g by using an appropriate browser?
I'm with you. I think most of the fuzz is about forcefully involving government into the CA infrastructure and the fact that this affects rest of the world.
As to the latter, I've always found it weird that by default all root stores contain hundreds of CAs from over the world. By default, anyone is assumed to trust large companies (Google, Amazon) equally as nation states (Staat der Nerderlanden) shady entities (Hongkong Post office). So it's not surprising to have everyone up in arms if the EU adds yet another chair to this table.
Wouldn't it make much more sense if users took more control and responsibility of the certs in their root store? Wouldn't it make more sense to restrict CAs to certain domains? I would be okay with a EU sanctioned CA if it could only assert authenticity of EU services, but not shops or whitehouse.gov. I've always felt that it would make much more sense if CAs were much more restricted to specific "trust use cases".
They could have reduced scope, but looking at effects perhaps that's not what they actual want.
That part I understood
along with providing a means of tracking your activity. Essentially, it's like giving your least trusted eu country access to your browsing history and some of your decrypted traffic.
This one though, not quite. Can you explain in layman terms, maybe by means of a practical example, how this would work exactly and what is needed for it?
You know your government delivers your letters and they could open them and read them, but you trust your government to keep your info private and use this power well.
The current regulation would mean any government can peek at your letters, and even if they got caught peeking or letting their friends read your letters, your mail carrier can't do anything. They aren't even allowed to ban the other governments friend from reading your mail.
If you had a friend who tried to help you write in secret code to avoid these other governments or strangers from reading your mail, they would be risking jail time.
Not only do you have to trust your government, but you must trust every government in the EU and if they get caught misbehaving, nobody can do anything about it.
(Practically, any government can MITM any ssl connection and read or alter things at will.)
Of course there is still HSTS, but that's not supported by all tech using TLS.
Prediction: If this passes, users having to bypass cert errors will be the new cookie popup.
Maybe it wasn’t the original intention, but right now, even ignoring the surveillance angle, I feel that it would be a major downgrade to the post-Symantec state of the Web PKI. In particular, the process for getting a CA disqualified or inconvenienced in any other way seems to be so onerous as to be basically intractable, especially if you, the relying party, are not in the EU. As far as I can tell (but here I can be wrong), as a relying party you don’t even have standing to do anything about it—it’s considered to be solely the business of your country’s government, and if the government body doesn’t care (see: Facebook and the Irish DPA), tough, guess you’re a single-issue voter now.
eIDAS was introduced in 2016. Now 7 years later there still isn't a API specification for interoperability (there are drawings though https://blog.eid.as/new-apis-for-the-eidas-ecosystem/ )
In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".
article 25 of EIDAS 1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
The standard existed 2016, I did a short stint for a company that was implemented eIDAS back then.
They even have a test suite you can use to check how well you comply with the standard: https://ec.europa.eu/digital-building-blocks/wikis/display/D...
It is very archaic to work with though, but at least they try to have a standard.
The real value in eIDAS would be "unlocked" if they would release a proper API specification with which a digital signatures application would integrate with any EIDAS CA to emit/sign certificates. And then enforce that any eIDAS compliant CA would implement this API.
In practice that means any company/digital signatures product could do a integration with this API once and then be able to use ANY certification authority they want/need/offer best prices for certificates.
Without this API, eIDAS is just a marketing moniker because the power belongs to the selected Certification Authorities. They set the prices, they choose WHOM can integrate with them to isse certificates and there is NO interoperability between them. This doesnt allow for a open market and makes the top players control everything while shouting "standards" and "eIDAS".....
So these pervs now want to do the same. For what?
The bigger issue is that for this in order to work at all, the regulation must have provisions for issuing fake assertions of existing identities to law enforcement and other security services. The predecessor didn't seem to have that. This is different from providing fake identification documents for undercover operations because as far as I understand it, those use are usually mostly made-up and do not impersonate another person.
We would have to read the actual text of the proposed regulation to know the details, but both sides (legislators and those fueling the outrage machine) do not really want us to form our own opinion and hide the draft text from us.
Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings.
Let's Encrypt doesn't help server operators see this; I really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs!
The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!".
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
Browsers should get their shit together and add proper support of domain-limited CAs and add optional whitelisting of CAs for given websites.
They do in fact support this - e.g. Mozilla trusts KamuSM only for .tr [1], Chrome limited ANSSI to French TLDs [2].
However, there is no indication that the EU would be willing to accept such constraints on their national CAs. If you look at several of the current national European CAs, they routinely issue for generic TLDs like .com.
[1] https://groups.google.com/a/mozilla.org/g/dev-security-polic...
[2] https://security.googleblog.com/2013/12/further-improving-di...
For example banking, signing official documents like grades from school etc, all of those usecases are a part of eIDAS. That is the core of the standard and there you really want to see all the certificate information to be sure it is the right origin, since unlike browsers there is no list of trusted CAs, you just see that some organization accepted it.
Edit: Browsers already had their own standard that they think is better than eIDAS, so they don't want this to apply to them. But Occam's razor says that EU just added "and browsers should also do this" instead of there being some conspiracy behind it, it was simple to just add everything instead of leaving just browsers out.
I have no Earthly idea why a) this needs to be done digitally, or b) for the EU to be involved (at EU level) with this.
Unfortunately if you pitch mission creep vs the principle of subsidiarity, the former wins every time.
This is just one use case for eIDAS, then you have things like interacting with different government institutions, banks, et cetera, et cetera.
There are a lot of people who live in/work/visit other EU countries as is their near absolute right. We should therefore standardise technology on the EU level to make their lives easier.
... for some value of "standardised"?
UK[0]: First, 2:1, 2:2, Third
Germany[1]: 1 to 5
France[2]: "on a scale from 0-20"
<chuckle>
[0] https://www.imperial.ac.uk/students/success-guide/ug/assessm... [1] https://www.uni-passau.de/en/international/coming-to-passau/... [2] https://u-paris.fr/en/higher-education-in-france/
But with that out of the way, no I don't have any other complaints, I think the regulation is generally a move in the right direction.
Did we need laws to "unify" all the standards we successfully use today, like IP, UDP, TCP, HTTP, TLS, Certificate Transparency, HTML, ECMAScript, CSS, DNS, DMARC, DKIM, SSH, etc.? Laws are not the right tool for this. And law makers don't have the necessary expertise.
Open any law on produce, construction, cars, industrial equipment (and a million others), and you'll find thousands of specs and standards mandated by law, and for a reason.
While eIDAS seems like a great idea to coerce member states into adopting a common standard, it just also happens to sneak EU-centralist ideology in, and total digital surveillance is the 0th application of that ideology.
The big catch with EU is: once you opt in, opting out is very difficult.
Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
> "and browsers should also do this" instead of there being some conspiracy behind it
The law isn’t RFC 2119 where there is a distinction between SHOULD and MUST: the law is all about what an entity MUST do, so bringing up “should” in this context isn’t helping the point you’re typing to make.
> Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
I didn't say this was subjective. My argument was that it is easy to see why EU would do this without having surveillance in mind. They just wanted all certificates to follow the same standard, the main part of these standards were document signing and they thought web sites are documents so we add them as well to the standard.
> so bringing up “should” in this context isn’t helping the point you’re typing to make.
I didn't make a distinction between should and must there, that wasn't my point at all. What was hard to understand there? This bill is first and foremost about document signing, and then they added a clause that it also applies to browsers. That is the main part of my argument.
A bill that first and foremost targets document signing doesn't seem like it was obviously made to add spying on browsers, if that is what they wanted they would have labeled it "web protection bill" or something like they did with the chat one, they aren't afraid of saying it is about spying when that is what they want.
- Make sure there is an open standard (is there?)
- Fund and promote its open source development
- Have an industry lobbyist non-profit to onboard individual businesses
If the goal is to ”promote standards” the way this is being done does not seem to be aligned the 50 years of software industry standard development, with the examples like TCP/IP, PNG, AV1 and so on.
They should tone down this kind of sensationalist clickbait that I would expect to find in UK tabloids. They probably think it helps them impress the urgency of the matter on the public but frankly it just makes me doubt the veracity of the claims made in the article (though in this case I trust Mozilla and would hope that they are not misrepresenting the content of the law itself).
> and will be presented to the public and parliament for a rubber stamp before the end of the year
That's not how the EU parliament works, they're not just a rubber stamp. The topic is sufficiently grave without the need for clickbait and painfully obvious exaggerations.
I’ve watched many of their YouTube presentations.. all with less than 100 views when I watched them, despite them being uploaded for some time.
But it won't get to that point. I don't really think the US government would be ok with a regulation like this, either, and they have even more bargaining power than tech companies.
The open letter signed by 300+ researchers, professors and experts.
"We decide on something, leave it lying around and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back."[0]
- Jean-Claude Juncker But the plans were on display…”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.
There was an episode of the Mark Thomas Comedy Product where he describes how they were trying to find the spending habits of EU MPs, but they were in a basement with no electronic devices allowed, so they hired an army of students to run up and down with notebooks and pens and relay all the information to more students upstairs who had to type it all up and put it online.
I know because my ex did European Studies and knew how to navigate those websites. I for the life of me cannot figure out how she did it if I try now.
Obviously it should be said that such a project shouldn't be needed in the first place in an ideal world, but it does sound like something I might be interested in chipping in regardless (and a great learning opportunity).
I know in the US we have orgs like Code for America and events like National Day of Civic Hacking. Does the EU have similar groups and events? I wonder if this could be presented to something like that.
Another issue is basically the legal analogy of how certain difficult programming languages impose a selection bias on who actually is willing to learn it, which then leads to an echo-chamber culture where most people underestimate the issues with the programming language.
I thought he did a good work, but I was a student too so maybe I was just impressed with basic stuff (highly likely).
Also, keep in mind that this is in the context of getting all member states of the EU to agree on something. People kicking up a fuss is the default situation because of conflicting interests between different states.
Make no mistake about how I feel about this though: it's still pretty horrible even with that context in mind. And as graemep pointed out the rest of the quotes on that page will tell you all you need to know about Juncker too.
In some cases less between the states and more between gonvernment and people. The european parliament is elected by the people. But many important matters are defined by the comission consisting of representatives of the member states governments.
Of course the different governments are also elected. But as part of the comission they can act against the will of the people and later blame the EU.
I mean, I certainly did not vote for Ursula von der Leyen either.
The council is made up of the prime ministers of the EU member countries, which also were not voted for seats in the EC.
Likewise there was no vote on the Lisboa treaty which effectively put the EC above the parliament and outside its jurisdiction.
This is fundamentally different from how a PM is voted in a traditional parliamentary system where an MP leads the party during the election process and elected as PM after a clear victory or negotiations between MPs.
We're a people with a wide spectrum of beliefs - we should be represented by a wide spectrum of MPs... never by a single voice.
1. My first being whenever a single party actually wins a majority.
This is a fair statement. I'm not from the EU but I think it's true for basically any society. Also a lot of the dysfunction in the EU is obviously by design and it's supposed to instill cooperation and deliberation between different stakeholders.
Still, in politics "getting things done" is very important, imo much more important than representation because the main job of a government is to govern and a fairly balanced government that fails to govern will lose support very quickly and become unrepresentative/useless. Also if someone can't get things done, others will do it and force their hand, like the case of the election of the EU commission president. Or practically everything the UN does.
The good thing about a government by a single party or a well defined coalition is that you know what they roughly stand for, what they don't stand for, who is for them and who is against. You can support them or vote against them. In an election one side wins. Being an incumbent is difficult so in the next the other side wins, they are supposed to balance each other that way.
What is the alternative of a de facto coalition between the right, center-left and liberals? Which of these is really in power? Who are you going to vote for if you don't like where the things are headed?
Looking at the EU parliament (or the parliaments of many EU countries) the main alternatives are fascism-lite and actual fascism. That's the risk of plethoric supranational governing bodies like the EU or very large coalition governments, they rob people of viable democratic alternatives.
- Jean-Claude Juncker ...Prime minister of ....LuxembourgI mean, I'm not saying Juncker is great, just that reading the random collection of quotes on wikiquotes might not be the best way to judge his work.
Really can't wait for more of this! I <3 the EU! /s
Your bank account is now frozen.
Please report at your local police station tomorrow at 10am.
Most of the commenters here miss the point, because they concentrate on confidentiality and integrity (cf. any post about MITM). They are of course correct that this creates capability to intercept TLS connections. They still miss the point that EU bureaucrats see it as reasonable tradeoff (which I don't think it is, but that's their POV).
In the past, CAs sold EV certificates which gave you a nice green look in the browser bar and no security advantage (arguably security downsides, because you cannot automate it). That was good business, until browsers decided that this makes no sense and scraped any special treatment for EV certificates.
The "qualified certificates" by the EU are essentially EV with a new name.
True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emited by anyone but them are not good. And obviously they fully controll the pricing for the "good" certificates.
For very specific needs like electronic signatures, "seals" and an interesting one I hadn't heard before, timestamping (proving that an electronic document has existed at that timestamp), not for general computing.
Also, considering Bulgaria has 5 CAs on the official list, with 2 others as potential, the claims of a shady cartel of "big Cert" being behind this is laughable.
[1] https://scotthelme.co.uk/looks-like-a-duck-swims-like-a-duck...
With certificates from a government CA containing your name, address and maybe other data like tax ID, the certificate becomes that imprint, digitally signed and hard to fake. So I guess the next step after this directive is in place will be to require such government certificates for all European websites instead of the usual domain-validated WebCA ones. For a modest fee going into the pockets of some government cronies, of course.
Something better than typing your name and trusting a third party to do email verification for a digital signature certainly sounds like it could have advantages for doing business though.
I believe the issues identified here seem to stem from a (very) over-enthusiastic desire to have certificate acceptance everywhere (i.e. prevent discriminating against one country's citizens by excluding their ID card CA), without understanding the different types of trust chains and certificate chains. Presumably scattered with a bit of technical naivety as well. The concept itself is (probably?) fine, as long as it doesn't try to force browsers or SSL verifiers to accept or trust certificates they don't want to.
Technically that is also digital signing. The regulators probably thought that all kinds of digital signing should be included in this bill and just slapped something down for browsers while they were at it.
Which, if you don't understand web trust and PKI, means a bit of searching online will tell you that you need your browser to trust the CAs you use for digital signatures.
Which is of course not true - you can (and should) present an "untrusted" (i.e. not a server authentication) certificate as your client certificate or for signatures, as there's different trust bits and use-cases for different kinds of certificates.
"We need to be able to break security so we can see all your data, to keep you safe! Terrorists! Child abuse!"
"hmm yeah, but who's going to keep me safe from you?"
If Debian patches this out, you won't be able to access those sites. That's a living edge case for them.
Again, this is not going to catch anyone with half a braincell that is trying to do something. This is just going to catch everyone else.
I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblockers etc. making it so you can't navigate the web if you are using a uncertified browser.
Very likely, yes. Also note that a similar client-side CSAM scanning feature was rolled out by Apple with a similar anticipation, and shortly after we saw the proposal of Chatcontrol and the like.
> So what happens to open source browsers?
See my other comment on the same thread[1].
To mitigate the MitM risk I believe that CT and limiting CA to specific top-level domains (so a hypothetical RU CA would not be able to issue certificates for .eu or .com) should be sufficient enough.
The "false premise" was that GlobalSign has refused to issue new certificates for Sberbank and there were several cases of CAs revoking existing certificates. They eventually have found a CA (Harica DV) which was willing to issue new certificates, but it was not clear at the time that such CA will be found and the new certificates can be revoked at any moment after a new wave of sanctions or simply after a strongly worded warning from Washington or Brussels. Relying on a relatively minor Greek CA for bank operations is clearly not a good strategy in their situation.
For example, if you use private "e2echat.com" it can still use safe certs and be safe, the risk is only that "governmentchat.com" will use bad certs, which was already a risk.
In the general case, any CA can sign any website certificate. So all those new government CAs can sign all the man-in-the-middle certificates they like, and browsers are obliged to accept them. Nothing the website can do about that.
There are ways to pin certain CAs via DNSSEC and TLSA resource records in DNS. But browsers ignore those, and even if they didn't, the same EU proposal also specifies government DNS manipulation.
So the gist is: EIDAS must die.
And if the site can see your data assume the government can see it as well, they can get it with a warrant.
A warrant will maybe warn the site and the user that something is going on.
A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.
Updating others javascript as a proxy isn't "easily".
Also if the government goes all this way to tell each internet provider to spy on people, why do you think they couldn't tell certificate authorities to spy on people? It is the same level. I wouldn't be surprised if many CA's in USA already does this.
And the way to spy on people via a certificate authority is exactly as described, you get a CA that signs your man-in-the-middle certificate for a website you do not own. Then you MitM that traffic using that certificate, while still getting a green "lock" icon.
With current WebCA certificates, certificate transparency does help a little to detect such MitM certificates, and some CAs have actually been caught red-handed. There are processes to punish or remove such CAs. However, this law would also prevent such actions, thus making it impossible to prevent any future malfeasant CAs.
About an example MitM certificate case and removal, see the DigiNotar case: https://blog.mozilla.org/security/2011/08/29/fraudulent-goog...
For more about how certificate transparency works see http://nil.lcs.mit.edu/6.824/2020/papers/ct-faq.txt
If this means users gets more power over what CAs to trust then that is a good thing.
Do you really think your average user is going to go into the browser and manually distrust root CAs? We have learned again and again that good security is "secure by default", not "secure after arcane configuration".
And depending on how that law will be interpreted by courts, manually distrusting might be considered illegal.
It is just a display change, all the law says is:
"For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner."
I don't see how adding a warning icon or block icon instead of the lock hurts would be banned. To me it seems like so much here is based on baseless assumptions.
I would also urge you to refrain from using terminology such as "baseless assumptions" when your own assumptions are so easily refuted by directly reading the text of the proposal.
The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at "e2e.com" when you are on another site, and in those cases the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.
So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
Oh that's SUCH as an insignificant difference!!!
> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
You can simply relay the requests to the original site/"webapp", no need to build one similar
Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.
The only way around this would be a "real" app.
That will be (or already is) done at ISP level. It will probably be fully automated, where they just put a court order number into a form, and it automatically just catches all your traffic in gear that's installed at the ISP.
The moment people learn that the US government could control a CA and your internet provider to spy on you maybe that will change. But as is people think it is too much work for governments to bother with it.
I'd call that bs, CA level attacks are very unlikely to be detected, so we know little about their prevalence.
(you edited your comment to add... that it requires you to control the targets internet connection?? And "the moment people learn that thenUS government could control (a CA) and your internet provider to spy on you maybe that will change With tls becoming ubiquitous they're now indispensable
It originally was
* I'd call that bs, CA level attacks are very unlikely to be detected, so we know little about their prevalence.
With tls becoming ubiquitous they're now indispensable*
Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.
TLDR: If you are worried about security you can always install a plugin to get back the old behavior. This just says that browsers should be able to trust them, not that you have to configure your browser to trust them.
This is still very bad.
(Still bad but would at least protect connections from ever talking to e2echats servers)
Yes, potentially, but it isn't "another kind of chat control".
Accepting certificates from a given issuer does not give them the issuer the right to impersonate others
It is similar to how Chrome displays a warning when you visit some sites. You can visit the site anyway, but you get a warning since Google thinks it is bad.
Mozilla has proposed text[1] that would make clear that the requirement is only to display identity information, but this text has not been adopted.
[1] https://securityriskahead.eu/wp-content/uploads/2023/09/Mozi...
The EU likes passing internet related legislation because of:
1. The politics of it. It involves the raw exercise of power over people who are easily bullied and that they don't like much, namely successful American companies. The EU loves passing extra-territorial laws and seeing people jump, it makes them feel like a big power bloc which is the whole aim of the EU project to begin with.
2. The revenue from it. Tech companies either fight or they try to obey, but the laws are vague and easily reinterpreted. This yields massive fines which go straight into the EU coffers, money which is then spent on purchasing loyalty both of the elected political elites (via post-election-loss sinecures and enormous "pensions" that start being paid out long before retirement), and the population itself (via EU branded projects and grants).
3. The unaccountability of it. EU law is created by the Commission which does whatever it wants. By treaty it is accountable to nothing except itself and it is the highest power in Europe. In that situation why not spend all your time on easily achieved upper-class luxury agenda items like internet regulation, which feels futuristic and cool, instead of messy stuff that bothers the regular citizens like illegal immigration, where you don't want to do it and failure comes easy?
That's why there's a constant flood of tech-related regulation coming from the EU. Seeing this specific act in isolation is a mistake, it's just the continuation of a long term trend.
The Commission is the sole source of legislation. The Council cannot change EU law against the will of the Commission, so in practice it's a rubber stamp body that just always votes yes to everything.
This is what I'm saying in another comment: HN is flooded with incorrect claims about how the EU actually works, always in the direction of making it sound more accountable than it actually is.
And before someone says otherwise, I’ve seen this playing out hundreds of times.
If you spend time in central Europe you'll see why this occurs. Some people have incorporated the EU institutions into their personal identity. People will call themselves European Citizens although the EU doesn't grant citizenship. Businesses will be called Euro-this or Euro-that for no obvious reason. You can catch the Eurobus to go ride the rollercoasters at the Europa Park then meet their famous mascot Ed Euromouse. This stuff is everywhere.
And in some ways, it is understandable. The 20th century was wracked by wars between different European empires or countries. The assumption at the core of this movement is that if everyone has the same social identity and is ruled by the same government, then everyone will hold hands and there will be peace on Earth. Or at least that bit of it.
But you can't force unity on people. It has to develop naturally, through shared experiences and cultures. Unfortunately the vision is so enticing that the political and credentialed classes in these countries don't want to wait, and so attempt to enforce it from the top down via schemes that eliminate democracy in favor of power transfers towards the Right Sort Of People, the type who "get it" and who can then rule unchecked without needing to answer to electorates. This is deeply corrupting, but because it's an identity issue when this is pointed out people feel their personal identity and whole progress story is under attack.
If you look around you see plenty of people that gets upvoted and are critical of EU, so that isn't it.
Fair chance they'll just keep using letsencrypt.
The commission President is proposed by the council (the heads of states) and appointed by parliament.
I’m not aware of the EU arresting random US citizens for breaking laws like the gdpr, you’re thinking of America and the DMCA
So the Commissioners are in reality selected by the President.
This problem appears in every HN thread about the EU or its activities. People argue that it's a legitimate democratic structure based on how its treaties say it works, but the treaties aren't followed.
This is because that world is hidden to most people but would have just 20 years ago been covered by classical research journalism, namely the intersections between power, fiscal policy, law, the security state, foreign policy and mass media or other systems of control.
Politics and policy making is downstream from mostly non public clubs of people. Become a part of the security apparatus to gain power and draft plans for whole regions of the world and the future of society. The rest of us get to see their own self branding in Hollywood romantizations and ideological "event driven" smokescreens that cover the realpolitcal battles of power and resources that actually drive history.
That way the masses end up seeing the good fights for "Democracy", "Child safety", "Necessary financial bailouts" or "Primitive stupid people in X country need intervention" while these are all covering a big old game of Risk or Civilization ie. resource plundering, land grabs, violent exploitation of foreign markets, siphoning of wealth from the masses to the few, and panopticon-level systems of control implemented to keep dissent and enlightenment about these fact as much in the dark as possible.
Theres a reason the richest European families already took an interest in controlling the emerging postal services of several hundreds years ago just like early pamphlet media but somehow these very old facts have been so memoryholed everyone thinks we live in a somewhat meritocratic or even democratic society these days.
https://data.consilium.europa.eu/doc/document/ST-14959-2022-...
Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.
Fortunately, they cannot forbid a natural person from removing any given certificate. If this passes, I am sure we have blacklists and scripts for these in no time.
I suspect if this ever does play out, it could result in fewer people using "EU spec" browsers, and more people using the international overseas version, thus undermining the entire intention of the policy proposal.
It seems a pretty safe bet no browser maker would ship these CAs to users outside of the EU (and maybe EEA).
Edit: rest of world might be fine(big maybe, these things have tendency to proliferate),eu citizens... screws are tightening.
The EU is playing the long game here I believe.
Also brief info about website (for the ones who doesn't want to visit an unknown domain without knowing):
A Mozilla website for open letter by 300+ cyber security experts, researchers and NGOs.