
The EU Wants to Spy on Europeans’ Internet Use

seminole97

HR Legend
Jun 14, 2005
link

Full article behind the link. It's long because it endeavors to explain how browser security works, so this effort can be understood in full context.


The European Commission is an EU legislative body with regulatory authority over digital technology. The EC’s eIDAS Article 45, a proposed regulation, would deliberately weaken areas of internet security that the industry has carefully evolved and hardened for over 25 years. The Article would effectively grant the 27 EU governments vastly expanded surveillance powers over internet use.

The rule would require all internet browsers to trust an additional root certificate from an agency (or a regulated entity) from each of the national governments of each one of the EU member states. For the non-technical readers, I will explain what a root certificate is, how internet trust has evolved, and what Article 45 does to this. And then I will highlight some of the commentary from the tech community on this matter.

...

Digital certificates are a form of ID – the internet version of a driver’s license. When a browser connects to a site, the site presents a certificate to the browser. The certificate contains a cryptographic key. The browser and the website work together with a series of cryptographic calculations to set up secure communication.

Together, the browser and the website provide the three security guarantees:

  • privacy: by encrypting the conversation.
  • cryptographic digital signatures: to ensure that the content is not modified in flight.
  • verification of the publisher: through the chain of trust provided by PKI, that I will explain in more detail below.
...

In the online world, governments have, for the most part, not involved themselves in identity verification. Certificates are issued by private sector firms known as certificate authorities (CAs). While certificates used to be quite expensive, fees have come down considerably to the point where some are free. The best known CAs are Verisign, DigiCert and GoDaddy. Ryan Hurst shows the seven major CAs (ISRG, DigiCert, Sectigo, Google, GoDaddy, Microsoft, and IdenTrust) issue 99% of all certificates.

...

Fraudulent certificate issuance can happen. A rogue CA can issue one, but they won’t get far. The bad certificate will be detected. The bad CA will fail compliance programs and be removed from trust stores. Without acceptance, the CA will go out of business. Certificate Transparency, a more recent standard, enables more rapid detection of fraudulent certificates.

Why would a CA go rogue? What advantage can the bad guy gain from an unauthorized certificate? With the certificate alone, not much, even when signed by a trusted CA. But if the bad guy can team up with an ISP, or otherwise access the network that the browser uses, the certificate gives the bad actor the ability to break all of PKI’s security guarantees.

The hacker could mount a man-in-the-middle attack (MITM) on the conversation. The attacker could insert himself in between the browser and the real website. In this scenario, the user would be talking directly to the attacker, and the attacker would relay the contents back and forth with the real website. The attacker would present the fraudulent certificate to the browser. Because it was signed by a trusted CA, the browser would accept it. The attacker could view and even modify what either party sent before the other side received it.

Now we come to the EU’s sinister eIDAS, Article 45. This proposed regulation requires all browsers to trust a basket of certificates from CAs designated by the EU. Twenty-seven to be exact: one for each member nation. These certificates are to be called Qualified Website Authentication Certificates. The acronym “QWAC” has an unfortunate homophone to quackery – or perhaps the EC is trolling us.

The QWACs would be issued either by government agencies, or by what Michael Rectenwald calls governmentalities: “corporations and companies and other adjuncts of the state who are otherwise called ‘private,’ but really are operating as state apparatuses, in that they’re enforcing state narratives and dictates.”

This scheme would bring EU member governments one step closer to the point where they could mount a man-in-the-middle attack against their own citizens. They would also need to access the networks. Governments are in a position to do that. If the ISP is run as a state-owned enterprise, then they would already have it. If ISPs are private firms, then local authorities could use police powers to gain access.

One point which has not been emphasized in the public conversation is that a browser in any of the 27 EU member nations would be required to accept every single QWAC, one from each EU member. This means that a browser in, for example, Spain, would have to trust a QWAC from entities in Croatia, Finland, and Austria. The Spanish user visiting an Austrian website would have to transit over Austrian portions of the internet. The issues raised above would all apply across countries within the EU.

The Register, in a piece titled “Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections”, explains one way this might work:

[T]hat government can ask its friendly CA for a copy of [the QWAC] certificate so that the government can impersonate the website – or ask for some other certificate browsers will trust and accept for the site. Thus, using a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time.

Having penetrated the shield of encryption, monitoring could include saving users’ passwords, and then using them at another time to access citizens’ email accounts. In addition to monitoring, governments could modify content inline. For example, they could remove the narratives they want to censor. They could attach annoying nanny state fact checks and content warnings to dissenting opinions.

As things currently stand, CAs must maintain the trust of the browser community. Browsers currently warn the user if a site presents an expired or otherwise untrusted certificate. Under Article 45, warnings or the ejection of trust abusers would be forbidden. Not only are browsers mandated to trust the QWACs, but Article 45 prohibits browsers from showing a warning for a certificate signed by a QWAC.

Last Chance for eIDAS (a website displaying the Mozilla logo) advocates against Article 45:

Any EU member state has the ability to designate cryptographic keys for distribution in web browsers and browsers are forbidden from revoking trust in these keys without government permission.
There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.

In an open letter signed by several hundred security researchers and computer scientists:

Article 45 also bans security checks on EU web certificates unless expressly permitted by regulation when establishing encrypted web traffic connections. Instead of specifying a set of minimum security measures which must be enforced as a baseline, it effectively specifies an upper bound on the security measures which cannot be improved upon without the permission of ETSI. This runs counter to well established global norms where new cybersecurity technologies are developed and deployed in response to fast moving developments in technology.

Most of us rely on our vendors to curate the list of trusted CAs. However, as a user, you may add or remove certificates as you please on your own devices. Microsoft Windows has a tool to do this. On Linux, the root certificates are files located in a single directory. A CA may be untrusted simply by deleting the file. Will this also be forbidden? Steve Gibson, noted security pundit, columnist, and host of the long-running Security Now podcast asks:

But the EU is stating that browsers will be required to honor these new, unproven and untested certificate authorities and thus any certificates they issue, without exception and without recourse. Does that mean that my instance of Firefox will be legally bound to refuse my attempt to remove those certificates?

Gibson notes that some corporations implement similar surveillance of their employees within their own private network. Whatever your opinion about those working conditions, some industries have legitimate audit and compliance reasons to track and record what their employees are doing with company resources. But, as Gibson continues,

The trouble is that the EU and its member nations are very different from the employees of a private organization. Any time an employee doesn’t want to be spied upon, they can use their own smartphone to circumvent their employer’s network. And of course an employer’s private network is just that, a private network. The EU wants to do this for the entire public Internet from which there would be no escape.
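The rogue-certificate scenario the article walks through (a root in the trust store signing a certificate for a site it has no business vouching for, and the verifier accepting it purely because that root is trusted) can be reproduced offline in a few dozen lines. The following Go program is an added example and is not code from the article, the forum post, or any of the parties quoted; it uses only the Go standard library. It builds two self-signed roots, a “real” public CA and an extra root standing in for a mandated national root, issues a certificate for the same host from each, and runs the verification a browser performs on connect against two trust stores: one without the extra root and one with it. The CA names, the host example.eu, the struct and function names, and the panic-on-error `must` helper are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records what the verifier did with each certificate under each trust store.
type Outcome struct {
	GenuineAccepted           bool   // real CA's cert, store holds only the real CA
	ImpostorRejectedByDefault bool   // extra root's cert, store holds only the real CA
	ImpostorError             string // the verifier's error in that case
	ImpostorAcceptedWithRoot  bool   // extra root's cert, store also holds the extra root
}

// must panics on error; fine for a demo whose key generation and signing
// cannot fail on valid input, not something for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign gives tmpl a fresh P-256 key, random serial and one-day validity, and has
// parent sign it. With parent == nil the certificate is self-signed, i.e. a root.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newRoot creates a self-signed CA: the kind of entry a browser trust store holds.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf has ca sign a server certificate for host. Nothing here checks that
// the CA is entitled to vouch for host: any trusted root can do this for any name.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert
}

// verifyLeaf does what a browser does on connect: chain the leaf to a root in
// the trust store and check the host name. A nil error is the padlock.
func verifyLeaf(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, root := range trusted {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err
}

// Scenario builds the constructed setup: a "real" public CA that legitimately
// issues for host, and an extra root (standing in for a mandated national root)
// that issues an impostor certificate for the same host, then checks all three
// combinations of certificate and trust store.
func Scenario(host string) Outcome {
	realRoot, realKey := newRoot("Real Public CA (constructed)")
	extraRoot, extraKey := newRoot("Member State Root (constructed)")
	genuine := issueLeaf(host, realRoot, realKey)
	impostor := issueLeaf(host, extraRoot, extraKey)

	var o Outcome
	o.GenuineAccepted = verifyLeaf(genuine, host, realRoot) == nil
	if err := verifyLeaf(impostor, host, realRoot); err != nil {
		o.ImpostorRejectedByDefault, o.ImpostorError = true, err.Error()
	}
	// Adding the extra root to the store is all it takes for the impostor to pass.
	o.ImpostorAcceptedWithRoot = verifyLeaf(impostor, host, realRoot, extraRoot) == nil
	return o
}

func main() {
	o := Scenario("example.eu")
	fmt.Printf("genuine cert,  store={real CA}:        accepted=%v\n", o.GenuineAccepted)
	fmt.Printf("impostor cert, store={real CA}:        rejected=%v (%s)\n", o.ImpostorRejectedByDefault, o.ImpostorError)
	fmt.Printf("impostor cert, store={real CA, extra}: accepted=%v\n", o.ImpostorAcceptedWithRoot)
}
```

The point to take from the third result is that the verifier has no way to tell the impostor from the genuine certificate: both chain cleanly to a trusted root and both carry the right host name, so the only thing standing between the user and a silent interception is which roots are in the store. Removing the extra root from the `trusted` list is exactly the user-side defence the article raises in its trust-store paragraph, and it flips that result back to rejected; a mandate that the root must stay, and that no warning may be shown, takes that lever away.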
 