back to article Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections

Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance. The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize …

  1. b0llchit Silver badge
    Headmaster

    Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government...

    That amounts to telling EU citizens that surveillance cameras must be installed in their house, are mandatory, may not be disabled and you may not get any information on their use. Such rule is a clear violation of the human rights declaration of the European Union. The courts will be having a say here.

    And then, I'll compile my own FF without their crap if I damn well please. Let them prosecute me for enabling my own privacy.

    1. The Mole

      Not just limited to the EU

      Government agencies have a history of skirting round the rules of not spying on their own population by asking a friendly foreign agency to do it for them. I'm certain that if this came to pass the NSA/CIA would have a fast track route to getting these certificates, whilst China would quickly compromise all these government run CAs.

      The browsers on the other hand I'm sure will strictly follow the rules and not ban the CAs, they will just provide straight forward integrations to third party open source databases which may cause the CA to be banned completely independently of the browser manufacturer.

    2. AMBxx Silver badge

      I'm pretty sure the German privacy laws will prevent this ever being approved. Given their history, the germans are very touchy about government spying.

      1. Anonymous Coward
        Anonymous Coward

        Given that the German govt is busy trying to ban political parties I would not put it past them to sneakily allow this.

        1. Ian Johnston Silver badge

          Given that the German govt is busy trying to ban political parties

          One CDU MP (Marco Wanderwitz) has suggested banning one party (AfD). Bearing in mind that the CDU isn't even in power (an SPD/FPD/Green coalition is running things at the moment) and that there is no sign of any significant political or legal support for him, your statement is worthy of the Daily Mail.

          1. Anonymous Coward
            Anonymous Coward

            Lars Klingbeil, co-leader of the SPD has also called for the banning of AfD. As have other members of the SPD.

            How dare people vote for something we don't like!

            1. Ian Johnston Silver badge

              Lars Klingbeil, co-leader of the SPD has also called for the banning of AfD.

              [Citation needed]

          2. CrazyOldCatMan Silver badge

            your statement is worthy of the Daily Mail

            Ohh - harsh!

            But fair.

            (SiL is forever reading the Daily Fail and/or the Torygraph and posting clickbait to the family WhatsApp - the one that I'm fortunately not a member of - at my request)

            1. Arthur the cat Silver badge

              SiL is forever reading the Daily Fail and/or the Torygraph and posting clickbait to the family WhatsApp

              It could be worse (just). She might be posting stuff from the Express.

          3. Justthefacts Silver badge

            Not really the issue, is it?

            The issue is that a nakedly fascist party, the AfD, currently polls 21% in Germany. And that’s averaged over the whole of Germany; in its heartland Thuringia, it polls 34%. The AfD is in *second* place nationally, *easily* beating all of SPD, Greens, FPD, individually. The coalition is a figleaf to prevent embarrassment. The condemnation is just flag-waving wiffle, jockeying for position within the ruling coalition. But outside that coalition, the Reichstag is on fire.

            https://www.politico.eu/europe-poll-of-polls/germany/

            1. Lurko

              Re: Not really the issue, is it?

              "The issue is that a nakedly fascist party, the AfD, currently polls 21% in Germany. "

              Perhaps the other parties need to get off their lazy backsides, find out what issues are so concerning citizens, and offer policies that address those concerns?

              To be fair that not just a German issue and seems as applicable to most other Western nations at the moment, where there's a disconnect between what concerns the population, and what the political elite do. I'd reluctantly accept the graft and poor behaviours of politicians if they at least had some very basic level of competence, but that is clearly hoping for too much.

              1. Jaybus

                Re: Not really the issue, is it?

                Well, they already know what the issue is, they just oppose it. A great many people are against the new lax immigration laws.

            2. Anonymous Coward
              Anonymous Coward

              Re: Not really the issue, is it?

              Maybe, just maybe, the other parties should start listening to what the voter want, then. Like when it comes to migration and islam.

              Or alternatively, it's not a "nakedly fascist" party but perhaps less authoritarian than the SPD, Greens and CDU.

          4. Wayland

            To be fair, we talking about banning a Far Right party so that does not count as a ban, just common sense really.

            1. Anonymous Coward
              Anonymous Coward

              Mr Putin, is that you? By the way, how's your special denazification operation going?

      2. Tron Silver badge

        Germany may be spied on again by the US.

        This would give the US access to EU-wide data courtesy of any single nation, on the sly. As happened here:

        U.S. spied on Merkel and other Europeans through Danish cables.

        https://www.reuters.com/world/europe/us-security-agency-spied-merkel-other-top-european-officials-through-danish-2021-05-30/

        1. Anonymous Coward
          Anonymous Coward

          Re: Germany may be spied on again by the US.

          I forgot about that!

        2. Justthefacts Silver badge

          Re: Germany may be spied on again by the US.

          Headline “EU Commission writes a law, allowing it to oppress its citizens in a panopticon un-paralleled since the start of history…..USA to blame!”

    3. Alumoi Silver badge

      telling EU citizens that surveillance cameras must be installed in their house, are mandatory, may not be disabled and you may not get any information on their use.

      So, Alexa, Siri and their ilk will be mandatory?

      1. b0llchit Silver badge
        Boffin

        Not the same. Idiots will sell their soul for candy any time.

        But government(s) mandating to sell your soul would be rather problematic. Especially for the group of people who do not think a soul exists and therefore cannot be sold in the first place. Are you then suggesting that the non-soul-believers are to be isolated, marked and eliminated because they have a different view? Oops...

        1. Alumoi Silver badge

          It's been done before. Remember the Inquisition?

          1. b0llchit Silver badge
            Facepalm

            And you know how that ended? We're still living through it. Dogmatic zealots have always caused quite a bit of violence and significant collateral damage in the process.

            That said, we do NOT need to repeat the same mistakes again and again (Read and Sapere aude!).

            1. Adair Silver badge

              'That said, we do NOT need to repeat the same mistakes again and again...' - but generally we do.

              Being intelligent is not the same as having wisdom, much less actually applying it.

          2. a pressbutton

            I do not.

            And that is why it is a surprise.

          3. This post has been deleted by its author

          4. Toni the terrible Bronze badge

            I don't rembaer the Inquisition not being alive when it was active. I like the comfy chairs tho

      2. Toni the terrible Bronze badge

        aah, don't say anything badf about Alexa it might be sub-opimal to your finances....

    4. Paul Crawford Silver badge
      Facepalm

      I'm guessing if it came to it, most browser companies will produce an EU version that meets this law, and a World version that has trusted/vetted CA certificates. Perhaps just a configuration setting apart (assuming web browser designers grasp there is more than a google search box needed)?

      No sir, not identifying any secret certificates. But sure, if you are outside the EU only use these ones that we trust...oh what is that Skippy? Those EU CA companies are being dropped world-wide due to a lack of trust? Oh dear, how sad, never mind!

      1. John Robson Silver badge

        Or they'll just make the CA an exterior library which is user configured.

        1. Arthur the cat Silver badge

          Or they'll just make the CA an exterior library which is user configured.

          AIUI any code using the NSS library(*) already gets its CA roots from a file (/usr/local/share/certs/ca-root-nss.crt on my machine). That's a bunch of plain text certificates, easily editable by your favourite editor. Quite how the EU expects to police that is beyond me. Yes, they could insist on their Stasi 2.0 certs being compiled in but that's easily circumvented for an OSS browser.

          (*) Mozilla products, Evolution, Pidgin, OpenOffice + others according to Wikipedia.

          1. Anonymous Coward
            Anonymous Coward

            Quite how the EU expects to police that is beyond me

            If I understand this correctly, they can't, as certificates are managed at an O/S level (certainly for windows, and as far as I know for Linux etc. as well), so all you or a privacy app/extension need to do is remove the dodgy CA certificate from your trusted root certificate store, and your browser will not be able to verify a website's certificate's trust hierarchy so won't connect. Websites seeing their visitor numbers plummet will just use another CA to obtain their certificates if their owners have any sense.

            All they can do is mandate that the browser itself will not remove the CA certificate from your trusted root store, as it currently does for other dodgy CA certificates when it is updated.

            1. Anonymous Coward
              Anonymous Coward

              I guess government websites might use these dodgy CAs but other sites are unlikely to.

              The reason for these government controlled CAs to exist is to issue fake certs for legitimate businesses to allow MITM snooping/attacks.

    5. T. F. M. Reader
      Big Brother

      Documentary

      That amounts to telling EU citizens that surveillance cameras must be installed in their house, are mandatory, may not be disabled and you may not get any information on their use.

      I always thought 1984 would become a documentary one day.

    6. Someone Else Silver badge

      And then, I'll compile my own FF without their crap if I damn well please. Let them prosecute me for enabling my own privacy.

      Of course that's an option (for the literati, at least). But, so what happens if a browser developer decides to raise a middle finger to the spooks, and continues to protect the integrity of the 'net (such as is possible)? Are they going to get hauled into court in Brussels and fined the typical wrist slap tech companies typically get assessed? Is even that going to happen? And how is it that Brussels can demand browsers work the way they want when the browsers in question are being run in Topeka, Kansas? (I've heard lots of grumbling -- and rightly so -- from Right Pondians about USAians trying to enforce their laws Over There. Seems like this is the Pot calling the Kettle black, so to speak.)

      Don't know the weight of the stones browser makers have, but perhaps some good ol' (tech) civil disobedience is called for here.

    7. Geoff Campbell Silver badge
      Facepalm

      "I'll compile my own FF without their crap"

      Yup. I think it's quite sweet that the bureaucrats think they can stop techies encrypting stuff. Weirdly mistaken, but quite sweet, a bit like watching a three-year-old with a toy drill playing alongside the builders.

      GJC

      1. Mockup1974 Bronze badge

        Re: "I'll compile my own FF without their crap"

        The problems only begins when the three-year old has the power to give you billion euro fines, close your bank accounts, arrest you, zersetz you, and run a smear campaign against you in the TV channels he controls.

        1. Geoff Campbell Silver badge
          Pirate

          Re: "I'll compile my own FF without their crap"

          First they have to identify me. That's trivially easy to prevent.

          GJC

    8. bombastic bob Silver badge
      Thumb Up

      And then, I'll compile my own FF without their crap if I damn well please

      * EXACTLY * !!!

    9. rg287 Silver badge

      Would you even need to compile it yourself? Mozilla, Google & Microsoft are all US-based. They could issue an EU-build and a RoW build with different CA trust lists.

      Preventing EU users from accessing the RoW build would of course be approximately as effective as US munitions controls were at stopping PGP escaping into the world.

    10. martinusher Silver badge

      "Human Rights" is a Cold War era concept that was used to differentiate "us" from "them". It relies on "us" believing that we have inherent rights.

      I live in the US and our rights as citizens are enshrined in the "Bill of Rights", a set of amendments to the Constitution. Its pretty explicit about what governments can and can't do but that doesn't stop 'government' from working every and any angle to subvert it. They've been doing it literally from Day One of the Republic. The result is endless litigation but its, unfortunately, the price you pay for even attempting to have any form of right that contradicts what power wants to do. Just blithely asserting that "I have rights" gets you absolutely nowhere.

      (The Europeans seem to be more pragmatic. They've learned from our mistakes to find mechanisms that give the fig-leaf of rights but actually give absolute power to government -- preferably unaccountable government.)

      1. Anonymous Coward
        Anonymous Coward

        The difference between the current US & EU situations might have more to do with how the judges are appointed. The US seems to have completely politicised judges whereas that seems to be be less so in Europe/UK.

        When it comes to the constitution the reverse might be true, the US constitution is aimed at limiting the power of the state whereas when the EU had a go at drafting itself a constitution IIRC they set about giving themselves powers.

  2. alain williams Silver badge

    At last! A Brexit bonus!

    The UK having left the EU will not be subject to these rules.

    However: I am confident that Suella Braverman will decide that this is a great idea and ask GCHQ to come up with something that is better (or worse depending on your point of view).

    1. Mike 137 Silver badge

      "GCHQ to come up with something that is better"

      Not necessarily better, just 'harmonised'.

      1. ITMA Silver badge
        Devil

        Re: "GCHQ to come up with something that is better"

        Put any new proposals in a tent, I'm sure she'll ban them without even looking at them.

        1. phuzz Silver badge
          Devil

          Re: "GCHQ to come up with something that is better"

          You're undermining British values, therefore you are an extremist. Off to the tower with you!

          1. ITMA Silver badge
            Devil

            Re: "GCHQ to come up with something that is better"

            For free!?!?!

            Thanks! That saves me the £33.60 entrance fee.

            As that link is for a Scottish paper, shouldn't that be Endinburgh Castle?

            That's cheaper at £19.50 - not including the eye watering train fare to get there.

    2. Steve Kerr

      Re: At last! A Brexit bonus!

      I somewhat think that what the UK government will want to do is somewhat more draconian than what the EU are proposing.

      I would even hazard that they will ask their friend, pooh bear to help - or at least the government mandarins that drive a lot of policy (regardless of the party in power) will.

      Waiting for the UK government to make using VPNs illegal with a life sentence if/when caught!

      1. Anonymous Coward
        Anonymous Coward

        Re: At last! A Brexit bonus!

        Any success will encourage up and coming dictatorships to follow suit: China and North Korea (no more ugly firewall, just “corrected” content) soon after which others like India, the Democratic Peoplee's Republic of Trumpistan and the UK of Sunakia and Northern Ireland will follow suit.

    3. Tim 11

      Re: At last! A Brexit bonus!

      I'd like to think that in a better world it would be possible for a government to be sufficiently IT literate as to realise the impossibility of what they are trying to achieve - there is no simple way to distinguish between the good guys and the bad guys, which is basically what this comes down to.

      Unfortunately, considering the twitter "blue tick" fisco it seems that even very IT-savvy organisations aren't immune from the same fallacy.

    4. Dan 55 Silver badge

      Re: At last! A Brexit bonus!

      I guess everyone can be thankful digital services never got off the ground in the UK so there's no government CA?

    5. Justthefacts Silver badge

      Re: At last! A Brexit bonus!

      Nothing has been tabled for debate in Parliament. Which means not in the next parliamentary session. Which means Suella Braverman isn’t going to be in charge. Starmer doesn’t seem the type.

      1. Anonymous Coward
        Anonymous Coward

        Re: At last! A Brexit bonus!

        As a former DPP, he'll lap this stuff up.

      2. This post has been deleted by its author

    6. EvaQ

      Re: At last! A Brexit bonus!

      Well, the article says "Lawmakers in Europe", and the UK is in Europe.

      If the EU was meant, the write should say ... "Lawmakers in the EU".

      1. Dan 55 Silver badge

        Re: At last! A Brexit bonus!

        And I'm not exactly clear what a lawmaker is either when it applies to this side of the pond. A government minister, a member of parliament, a civil servant...?

  3. Aleph0
    Devil

    "The dark ages of 2011"

    From the users' point of view maybe, but I'd wager that government snoops consider 2011 "the good old days"...

    1. Anonymous Coward
      Anonymous Coward

      Re: "The dark ages of 2011"

      Anyone remember the clipper chip? All your encryption backdoors are belong to us!

  4. Tubz Silver badge
    Big Brother

    Upvote if you don't trust the faceless EU muppets to lick a window, never mind Article 45 and downvote if you do.

    1. vogon00

      I do 'trust the faceless EU muppets to lick a window',

      I do not trust the faceless EU muppets to know when to stop !.

      Shouldn't be too much of a problem, as it'd be billed as a cost reduction to the window cleaning bill, and in any case their tongues are busy elsewhere!

    2. Potemkine! Silver badge

      In that face, we don't talk about "faceless EU muppets" but about lawmakers who are elected by people. Problem is the bigger number of voters won't give a damn about this subject as they will believe the same old lie it's about protecting them from terrorists, not about spying them.

      I wonder if the European Court of Justice would agree with such a European regulation to be put in place. I hope not.

      1. Lurko

        Not sure how that earned a downvote!

        Whether (and for how long) the ECJ will resist such ideas we can wait and see, but the reality is that the European journey has always been about the slow but steady creation of a super-state, on a progressive top-down basis, with design by the bureaucrats themselves. I'll accept that the idea of a single European state is quite popular with a good many federalist EU citizens, but the inevitability is that by building top down, the unaccountable actors building this state will award themselves powers that they would never get with either a bottom up build, or a more open design where citizens made or influenced those choices. By the time the federalists have had their way, the individual states may well find they've ceded power that they'll never get back.

        Obviously, as the UK demonstrates, having the independence to control your own destiny is pointless if the political classes are a bunch on incompetent, venal, lazy, poorly educated thieves.

        1. Anonymous Coward
          Anonymous Coward

          Sadly politicians are generally well educated. It just seems a lot of that education either fails to sink in or just reenforces their general feeling of entitlement.

      2. Wayland

        The EU muppets are not elected.

        1. Anonymous Coward
          Anonymous Coward

          Farage? Is that you?

          I can't believe someone is still trotting this tired debunked line in 2023.

  5. Zippy´s Sausage Factory
    Unhappy

    Have they considered that anything the "good guys" get on Monday, the "bad guys" get hold of by Friday?

    Surely this is opening the doors to <insert-favourite-adversarial-foreign-power-here> hackers - not just for citizens' information, social media and bank accounts, but also for secure government information.

    1. This post has been deleted by its author

    2. Jusme

      > Have they considered that anything the "good guys" get on Monday, the "bad guys" get hold of by Friday?

      The Friday before, that is...

      1. CrazyOldCatMan Silver badge

        The Friday before, that is...

        “Get 'em out by Friday!

        I've told you before, is good money gone if we let them stay

        And if it isn't easy

        You can squeeze a little grease and our troubles will soon run away.”

        Whatever is next?

        "This is an announcement from Genetic Control:

        “It is my sad duty to inform you of a four-foot restriction on

        Humanoid height.”

        1. Peter Gathercole Silver badge

          Not in sequence, but...

          Oh, Dear. This I can't believe

          Folks, hey, they're asking us to leave.

        2. Fr. Ted Crilly Silver badge

          You can fit twice as many in the same building size, they'll say it's alright... beginning with the tenants of the town of Harlow

  6. hoodedgeometry

    “if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website.”

    Not quite - the government can ask its friendly CA to issue a new certificate, but a copy of the old certificate will be of little use without the private key stored on the requesting organisation’s web server etc.

    It can do this even if the original certificate wasn’t issued by one of the Euro-mandated government-backed CAs, as presumably organisations wanting to reduce the risk of government tampering would use a CA outside this government programme.

    Existing countermeasures like Certification Authority Authorization (CAA) would presumably remain effective against this EU-mandated vulnerability, or at least require DNS to also be compromised to perform the MITM attack.

    Enterprising browser extension developers can hopefully code for removing these CAs from the trust chain to restore security on the endpoint - perhaps rolled up into existing popular extensions like ad blockers.

    1. Michael Wojcik Silver badge

      Indeed. The whole point of X.509 certificates is that they're public. You don't have to ask the CA for a copy. You receive entity certificates, and if the server is properly configured intermediate certificates, just by connecting to it and sending a ClientHello; and you either already have the root certificate, or you won't trust the chain anyway.

      It would really be nice if the tech press could get this right. Even once.

    2. HighTension

      If the friendly CA is under their control, what is there to stop them getting a cert for ANY domain with a new private key and impersonating another way, eg mandated DNS hijacking (for anti-piracy, or "protecting kids", MITMs forcibly installed at ISPs/peering points, etc? Even typojacking would get them something.

      1. tip pc Silver badge

        Bingo

        In addition, once the keys leak they don’t admit it and the whole lot is then worthless and we may as well save some electricity and use http instead of https.

  7. Zack Mollusc

    Never understood certs

    I am connecting to an HTTP web site run by some unknown jerk. OMG, my privacy and security are at risk!

    Solution: connect to an HTTPS web site run by some unknown jerk and trust that the cert issued by a different unknown jerk is kosher.

    1. Fonant

      Re: Never understood certs

      Yes, but in the first situation your connection to the website is plain text. Including the sending of your password, and login cookies. Anyone can listen in, without you knowing.

      In the second situation your connection is encrypted, and only readable by that specific website. No way for anyone else to listen in. There's a different certificate for each hostname, and if the certificate chain leads to a trusted root certificate, you can trust the certificate is genuine, and not one served by a man-in-the-middle listening in to your communications.

      1. Anonymous Coward
        Anonymous Coward

        Re: Never understood certs

        your connection to the website is plain text. Including the sending of your password, and login cookies.

        I'll bet than less than 10% of existing sites really need passwords and cookies.

        1. doublelayer Silver badge

          Re: Never understood certs

          In a plaintext connection, any listener can also modify without detection. Any data you send or that the site sends back can be replaced with any other data that is chosen. Your browser would not know that. This is one reason that an encrypted connection is better; even if it was an unverified self-signed certificate, only one server has a chance to mess with the data going to your machine. It's not just about cookies and passwords, though those are important as well.

      2. Jusme

        Re: Never understood certs

        > In the second situation your connection is encrypted, and only readable by that specific website. No way for anyone else to listen in.

        Except that isn't true. It only needs *one* of the many CAs to have leaked, or allow, their root cert or an intermediary to be used by a person with interest and they can m-i-t-m *any* site by issuing their own cert for it, on the fly. Heck, that process is standard practice in corporate environments (the certificate for every site I visit on our corporate kit is signed bt Forcepoint). At this point https is pure security theatre.

        (Sorry, that's not an elephant, really...)

        1. Sora2566 Bronze badge

          Re: Never understood certs

          Certificate Transparency is designed specifically to defeat this kind of attack. "Good thing" then that Article 45 forbids it then! (It's not one of the defenses mentioned as being allowed, and browsers aren't allowed to add any not on the list.)

        2. Nifty

          Re: Never understood certs

          "the certificate for every site I visit on our corporate kit is signed bt Forcepoint"

          I'd thought that when a certificate is injected like this, the browser throws a pop up and you have to click something to proceed. Like when you're using Witeshark.

        3. gratou

          Re: Never understood certs

          Oh wow. How does that work? Surely forcepoint doesn't have the root certs for all certs? How can it replace all certs in one swoop so all https connections from a company PC are compromised?

          1. Jusme

            Re: Never understood certs

            > Oh wow. How does that work? Surely forcepoint doesn't have the root certs for all certs? How can it replace all certs in one swoop so all https connections from a company PC are compromised?

            They (my employer, the company that owns the kit) installs their own CA by group policy (these devices are locked down tighter than a gnats chuff). All https connections are intercepted by the Forcepoint proxy, which generates and presents a server certificate for the site being accessed. The client (browser) sees this as valid, as it's signed by an installed CA, and makes the HTTP request. The Forcepoint proxy checks the request against its naughty list, and if ok, makes the request out to the real site. The response passes back through the Forcepoint proxy, which scans it for naughty words and naked aardvarks, and if you're lucky, passes it back to the client (browser).

            I think they bypass this for some know sites like the big banks, presumably to avoid liability if anyting goes wrong, but I wouldn't use the work kit for anything like that anyway (which is fine by them).

            1. gratou

              Re: Never understood certs

              Thank you for the clear détails.

      3. Nifty

        Re: Never understood certs

        "if the certificate chain leads to a trusted root certificate"

        https://arstechnica.com/information-technology/2022/11/state-sponsored-hackers-in-china-compromise-certificate-authority/

    2. T. F. M. Reader

      Re: Never understood certs

      You are not alone. You simply can't understand certs in terms of security or privacy. They are not about either. They are about (scalable) trust. Before you even consider the question whether amazon.co.uk are jerks or you can really trust them to deliver the goods after you paid them you want to know that they are, in fact AMZN. If you don't believe that you shouldn't give them any money even over a secure channel.

      Your bank might be run by some jerks whom you don't even know. The cert of the bank's site does not make them righteous or trustworthy. The only thing it does - or, rather, tries to do - is assure you that it is your bank you are talking to. You need to trust every single jerk in the certificate chain to believe it. In practice you trust the browser maker to do the checking for you, automatically. If you don't trust one of those jerks it is possible to revoke the corresponding certificate and your browser will warn you about anyone who presents that jerk as a character or identity reference.

      As far as I understand the proposed law will break that trust completely. The cert can be used to make you believe that a jerk you are really talking to is the righteous and trustworthy person you think you are talking to. And you can't revoke the (trust in the) cert. From this point on you can't trust any communication whatsoever: you no longer can trust your browser maker to do the checking because they would be breaking the law by doing that. So you can't trust anyone's identity. The trustworthy guy you want to talk to is still trustworthy, you just don't know it's him on the other end of the line.

      Security - including password security - is derivative. You can encrypt everything you send, but if you don't know whose key you are using you don't know who the man in the middle might be.

      Your only solution in such a situation is to meet the guy you trust in person, verify that it's him (knowing him personally will help, checking his ID card or driver's license or whatever will help only if you are sure that the security services - or another resourceful organization - didn't send someone with a fake document), and exchange keys. Then you will be able to communicate securely and privately without any certs. I remember the times when it was done routinely, in F2F meetings. Not scalable, either for AMZN or your bank, and extremely difficult, bordering on impossible, even after the key exchange if either of you has resourceful adversaries (it's a great intellectual exercise to figure out how difficult assuming you have to deal with MI5/MI6/GCHQ or CIA/FBI/NSA or some other alphabet soup).

      1. DJV Silver badge

        Re: trust them to deliver the goods after you paid them

        I trust them* to deliver the goods somewhere - but, given the stories about them over the years, I don't necessarily trust them to actually deliver the goods to the designated address.

        * them being Amazon, or any company that uses Evri/Hermes (or whatever they're called this week) or any similar so-called delivery service whose drivers have difficulty knowing how to find their own arses upon far too many occasions.

        1. druck Silver badge

          Re: trust them to deliver the goods after you paid them

          These days they seem to be very adept at throwing the package at a random front door and photographing it before it has even hit the floor.

    3. jezza99

      Re: Never understood certs

      Digital certificates and TLS/HTTPS offer two benefits.

      1. Traffic is encrypted between yourself and the web server. Only the web server can read your input and only your browser can read the result.

      2. Both the client and server are authenticated to each other. This means that if you connect to "https://example.com" then you can be certain that you are in fact connecting to the web server owned by the owner of "example.com" and not some random interloper (a banking site impersonator?) which is intercepting your traffic. This matters, especially for financial sites which lets face it is almost everything nowadays.

      For this trust to work, you must be able to trust the "root certificate authority (CA) server". Provided the root CA server is trusted, then all other CAs and certificates down the chain are trustworthy by design.

      This is why it is so important that internet software companies, and end users, are able to remove trust from ANY CA server if it is found to be compromised.

      The proposed EU law prevents this, making it impossible to trust certificates, and therefore impossible to trust anything on the internet.

      Last time I looked, at least one EU member was not a true democracy, and another EU member has only just had democracy restored. You cannot trust a state just because it is a member of the EU.

  8. abend0c4 Silver badge

    How is this to be managed?

    Currently, browsers ship with a bunch of root certificates with long expiry dates that users can in principle amend themselves, though there are now so many that in practice they have to be taken on trust.

    Presumably if there is a new "approved" CA, browser makers will incorporate in their next release. But is there an obligation on the user also to install it? Will browsers have to stop working if the user refuses to update. Or if the user finds a way to delete the CA or otherwise compromise the CA certificate? What happens if a CA certificate has to be revoked?

    The chain of trust is pretty much on its last legs already given its principal guarantee is little more than that each party has paid the required fee to the next party in the chain, but this does seem to be the point at which it gets taken behind the barn, never to be seen again.

    1. phuzz Silver badge

      Re: How is this to be managed?

      In Firefox, go to about:preferences#privacy and scroll down to "View Certificates", and you'll find that Firefox already has a bunch of governmental certificates that it trusts.

      1. Dan 55 Silver badge

        Re: How is this to be managed?

        And presumably even if this does get through...

        - There'll be nothing to stop anyone disabling gov certs, like now.

        - There'll be nothing to stop someone writing an add-on that makes it obvious when a gov cert is being used (e.g. red address bar or click-through screen or something), like now.

        1. TonyHoyle

          Re: How is this to be managed?

          It will be illegal for the browser to offer the ability to disable the government cert. Mozilla aren't going to risk billions in fines.

          1. phuzz Silver badge

            Re: How is this to be managed?

            This is where the law runs into implementation problems. All the Firefox certs are stored on disk, so there's nothing to stop the dedicated user from editing the file directly. Mozilla would have to shift to a different model, perhaps where the browser downloads the 'approved' certs at startup, but being an open source program, people would just fork it and keep the old cert code.

            It's a classic example of a law which makes it difficult for the average person to get around it, but puts no real obstacles in the path of any actual criminals/terrorists.

  9. Ball boy Silver badge

    Worrying - esp. in the UK

    Given governments aren't generally in the business of running IT systems, the UK will doubtless put the management of root certificates in the hands of their favourite outsourcing partner. Now if the idea of the gubberment having access to your TLS handshake is worrying, consider the additional risk of an outsourcer's misconfiguration accidentally allowing world+dog to lift and copy certificates. Yes, the same could happen now - but I'd argue there's a fundamentally approach between supplying a core service directly to the industry and simply satisfying the (usually rather poorly defined) terms of an outsourcing contract for a government body.

    1. Blue Pumpkin

      Re: Worrying - esp. in the UK

      Give us a "C"

      Give us an "R"

      Give us an "A"

      You can guess the rest .....

      1. Toni the terrible Bronze badge

        Re: Worrying - esp. in the UK

        CISCO!

  10. Eclectic Man Silver badge
    Big Brother

    Democratic or Judicial oversight?

    Surely this should be subject to the same regulations concerning tapping phone lines, opening physical post* etc?

    I would hope that this could only be done with the formal approval of a senior Police Officer, Magistrate / Judge, or the Home Secretary (in the UK). But suspect I may be being a trifle naïve.

    *To the youngsters here, that is when a piece of paper with writing on it is used as a physical medium to convey a message from one person to another via a national or international network of couriers also known as 'posties'. (you're welcome)

  11. Lee D Silver badge

    There was me wondering why my browser comes with any CAs by default anyway.

    Just give me the option to wipe them clean when I start and then I approve/deny root CAs as and when I need to (in a similar style to approving SSH keys).

    1. doublelayer Silver badge

      Sure, you can do that. Follow these steps:

      1. Go to your certificates list.

      2. Select all.

      3. Click disable or delete as you choose.

      4. Slowly put them back after every annoying warning screen.

      The reason that is not normally done is that you don't want to train users that accepting new CAs is a good idea, because then it's much easier to sneak more untrustworthy ones in. So it will never be the default, but you're welcome and easily able to do it if you think you have the knowledge to make that useful.

      1. Lee D Silver badge

        I was thinking more that a CAA record can be definitive, so if the presented root CA is as pre CAA, it gets accepted for THAT SITE ONLY.

        And therefore sites are automatically filling in their CA and root CA and browsers ship with nothing trusted by default.

        Why should I be accepting a root CA to browse My Bank and then automatically accept everything that it claims to secure including Random 3rd Party Website forever more?

        And if the governments want to get into CAA and DNSSEC tampering, there are alternates and measures in those already.

        1. Toni the terrible Bronze badge

          My bank is rejected everytime by my browser/AVS pair - does the bank do anything well of course not, I'm only a customer after all

  12. tip pc Silver badge

    Even Google are complaining

    Google has also raised concerns about how Article 45 might be interpreted

    Must be really really bad

    1. talk_is_cheap

      Re: Even Google are complaining

      No, just getting in the way of their own plans.

    2. Someone Else Silver badge

      Re: Even Google are complaining

      Google has also raised concerns about how Article 45 might be interpreted

      Must be really really bad

      Must be really really bad for business you mean, Shirley.

  13. Tubz Silver badge

    Would also think if this implemented, it would break any data sharing agreements the EU have with whoever, unless they do some dodgy spying for them. Maximilian Schrems must be sleeping over his keyboard in anticipation of submitting a lawsuit.

  14. may_i

    If this does become reality, there's a simple solution...

    Refuse to comply!

    I will simply make sure that my update repositories for Debian are located outside the EU and install the version of Firefox that does not have its hands tied.

    It's my computer and I alone will decide what software it runs and whether I will accept any technical limitations imposed by those who would seek to compromise my privacy and safety.

    1. whitepines
      Black Helicopters

      Re: If this does become reality, there's a simple solution...

      > It's my computer and I alone will decide what software it runs and whether I will accept any technical limitations imposed by those who would seek to compromise my privacy and safety.

      Intel and AMD would like a word with you, as would Samsung and some others. It hasn't been your computer for a long time, see IME / ASP/ Trustzone.

  15. Alan W. Rateliff, II

    Google commenting on security...

    Perhaps Google could also be interested in properly handling certificate revocation across the board rather than just what it deems important to monitor.

  16. Pete Sdev Bronze badge
    Mushroom

    Sacre bleue

    I suspect the French government behind this endeavour, they've always hated consumer-level crypto.

    Perhaps browsers could implement CA pinning. A warning along "hey the CA for this site's certificate is different from when you last visited and its now Nosy Gov CA".

    1. TonyHoyle

      Re: Sacre bleue

      If it's not in the approved list of verification it would be unlwaful for them to do that.

      They're specifically not allowed to warn the user when the government CA is in use.

      1. Pete Sdev Bronze badge

        Re: Sacre bleue

        IANAL, but I thought this may be a grey area. The browser wouldn't be performing a security check on the certificate itself per se, just comparing a name.

        If anyone's got better ideas (very likely) please share them or post to the relevant lists.

      2. Alan W. Rateliff, II

        Re: Sacre bleue

        I see an emerging market for browser add-ons which will check CAs.

        The privacy issues aside, it seems these legislators do not understand the Internet at all.

  17. AustinTX
    Trollface

    Browser makers maybe don't have to just accept holy poison gov certs silently

    They could display prominent click-through messages announcing that the user is now "enjoying" the benefit of a non-negotiable government encryption certificate.

    Add a few links about which legislators they can reach out to "thank" for this, links to organizations working to take this awful burden off the shoulders of our dear, overburdened government, etc. Just do things you're still allowed to do in excess of just accepting the holy poison certs silently.

    They could have the browser shut down immediately upon getting one of these holy goverment certs. Might not be a great solution when the gov starts employing in "ads" that use their holy certs.

    Add your clever solution below:

  18. DS999 Silver badge

    How exactly could they prevent Mozilla from doing this?

    Mozilla does not have any operations in the EU, or derive any revenue from the EU, so the EU has exactly ZERO leverage over them.

    Maybe I should root for the EU to pass such a law, as it would really help Firefox gain back some of that lost market share which is good for browser competition!

  19. Boris the Cockroach Silver badge
    Big Brother

    They're all at

    it now.

    I thought the bunch of idiots in charge here were bad enough.

    Just what is it about our communications that the governments (of various flavours/types) just want to listen in on

    Its hardly liable that we're all plotting mass revolution to overthrow the end game capitalism we seem to be stuck in.

    Unless a lot of us are... and the knobs and aristos dont want to end up in front of the national razor again........

  20. ritmo2k

    Our chosen leaders...

    The insane part of this is that we vote these self-serving treasonous criminals in.

    The really insane part of this is that we continuously fail to hold any of them accountable for their malice and self-serving politics.

    1. Mike Pellatt

      Re: Our chosen leaders...

      The results of a few recent by-elections would suggest otherwise.

      What is insane is how quickly it all gets forgotten. 1997 only achieved the result expected in 1992 thanks to the "expenses scandal". Anyone remembering that should be entirely unsurprised by the "VIP lane", rules on , external "consultancy", 2nd jobs, employing family members as Parliamentary assistants, etc., etc., being ignored.

    2. Toni the terrible Bronze badge

      Re: Our chosen leaders...

      and apart from the guillotine how do we take them to account as they will be replaced by sef-serving tratious criminals

  21. Kevin McMurtrie Silver badge

    The number 45 just can't catch a break.

  22. Anonymous Coward
    Anonymous Coward

    Probably the correct reaction is to refuse to accept this and let their browsers be banned, at which point they provide one with no encryption at all. (If practical separating the encryption to a separate module that they can supply the browser without)

  23. nonoj
    Meh

    question from a layperson...

    As a layperson with little expertise in this area, my question is what I can do about it. Does it help to use Little Snitch? NoScript? TOR browser? If I keep a list of the critical url (banking, bill pays, etc, entities only in my country) and only use them, am I still at risk for those? Or is my exposure limited to entities based outside my home country, like The Register?

    Hopefully there is some direction I can take that doesn’t require a crash course in a topic I have little understanding of. One commenter mentioned changing certificates in Firefox… I wouldn’t even know where to start.

    I gather from the comments I’ve read so far that there is no out-of-the-box solution. Also, I live in the US, so I know very well there is little I can do if the government decides look at my internet usage. But maybe there are things I can do now that will reduce exposure to man-in-the-middle attacks by smaller bad actors wanting to do bad things.

    Thanks for any serious replies… even if they are, “Sorry, you’re out of luck."

    1. This post has been deleted by its author

  24. This post has been deleted by its author

  25. tip pc Silver badge

    now bragging about digital id’s & cbdc

    https://ec.europa.eu/commission/presscorner/detail/en/ip_23_5651

    https://ec.europa.eu/commission/presscorner/detail/en/ip_23_5651

  26. Rangjut

    Make iIDAS Voluntary?

    Since eIDAS is promoted as improving web users' security,

    and these countries are democracies,

    how about making the eIDAS compliance selectable

    on an individual basis?

    Each person can decide for him/herself whether they want

    this extra security. Just another checkbox in our browser settings.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like