The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...
EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...
Great and in 2 -3 years we find out, that someone has actively abused this security hole for years and stole whatever master key is required, to create their own fake government CA and has been spying on everyone for years. Or political opposition was imprisoned before they could act. Best is, such man in the middle attacks allow for all sorts of things, including putting fake evidence on your computer.
Oh yes, no one would ever do that every, totally never happened and won't. Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too? And will dictate rules in the EU? No one could see that happening...
Where there's honey, there will be bears.
I just hope we can create a browser plugin to deny gov CAs automatically or a browser from outside EU to block that shit. ...until your ISP is forced by law to block traffic from these.
One step closer to a great EU firewall and it sucks. Good old salami tactics. Because at some point it doesn't even matter if there are ways to mitigate this spying, if the alternative are so complicated and uncomfortable to use, that 99,999% of the people won't bother.
This is really bad. This is the EU taking a page out of the books of Russia, Iran, and the PRC by implementing website blocking and government-issued CAs. Europeans could be at real risk in the event of a democratic backslide.
Jesus, this is not about spaying. This is because browsers have history of sucking at trusting new certificate authorities.
In Spain you get private certificate on your ID. You can use this ID to sing documents and access government pages. Those certificates are signed and provided by the government institution responsible for printing money (Royal Mint). It took them like 10 years to get the root cert added to the main browsers so that people could authenticate using those certs on government pages. It still doesn't work very well and I have to manually trust certs on Linux. I think I don't have to explain why being able to identify yourself on govt pages would be great.
What's the security risk here? People really think that the Spanish spy agency would request certs signed by the Royal Mint for 3rd party domain and use those for MITM attack? When they are caught this would raise huuuuge stink, Spanish govt certs would get banned and Royal Mint would lose all credibility. I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.
That means cryptographic keys under one government’s control could be used to intercept HTTPS communication
Could someone smarter than me explain how this would be possible? Wouldn’t the browser still be able to enforce privacy between the client and origin? Or is it the case that certificates issued by these CAs could in theory only support weaker cyphers?
knowing that EU commission is full of IT "campers" waiting to reimburse their mortgage and they will probably outsource the work to india (despite being forbidden), i am not really fond of the idea.
Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).