Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance. The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize …
Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government...
That amounts to telling EU citizens that surveillance cameras must be installed in their house, are mandatory, may not be disabled and you may not get any information on their use. Such rule is a clear violation of the human rights declaration of the European Union. The courts will be having a say here.
And then, I'll compile my own FF without their crap if I damn well please. Let them prosecute me for enabling my own privacy.
Government agencies have a history of skirting round the rules of not spying on their own population by asking a friendly foreign agency to do it for them. I'm certain that if this came to pass the NSA/CIA would have a fast track route to getting these certificates, whilst China would quickly compromise all these government run CAs.
The browsers on the other hand I'm sure will strictly follow the rules and not ban the CAs, they will just provide straight forward integrations to third party open source databases which may cause the CA to be banned completely independently of the browser manufacturer.
Given that the German govt is busy trying to ban political parties
One CDU MP (Marco Wanderwitz) has suggested banning one party (AfD). Bearing in mind that the CDU isn't even in power (an SPD/FPD/Green coalition is running things at the moment) and that there is no sign of any significant political or legal support for him, your statement is worthy of the Daily Mail.
The issue is that a nakedly fascist party, the AfD, currently polls 21% in Germany. And that’s averaged over the whole of Germany; in its heartland Thuringia, it polls 34%. The AfD is in *second* place nationally, *easily* beating all of SPD, Greens, FPD, individually. The coalition is a figleaf to prevent embarrassment. The condemnation is just flag-waving wiffle, jockeying for position within the ruling coalition. But outside that coalition, the Reichstag is on fire.
https://www.politico.eu/europe-poll-of-polls/germany/
"The issue is that a nakedly fascist party, the AfD, currently polls 21% in Germany. "
Perhaps the other parties need to get off their lazy backsides, find out what issues are so concerning citizens, and offer policies that address those concerns?
To be fair that not just a German issue and seems as applicable to most other Western nations at the moment, where there's a disconnect between what concerns the population, and what the political elite do. I'd reluctantly accept the graft and poor behaviours of politicians if they at least had some very basic level of competence, but that is clearly hoping for too much.
This would give the US access to EU-wide data courtesy of any single nation, on the sly. As happened here:
U.S. spied on Merkel and other Europeans through Danish cables.
https://www.reuters.com/world/europe/us-security-agency-spied-merkel-other-top-european-officials-through-danish-2021-05-30/
Not the same. Idiots will sell their soul for candy any time.
But government(s) mandating to sell your soul would be rather problematic. Especially for the group of people who do not think a soul exists and therefore cannot be sold in the first place. Are you then suggesting that the non-soul-believers are to be isolated, marked and eliminated because they have a different view? Oops...
I'm guessing if it came to it, most browser companies will produce an EU version that meets this law, and a World version that has trusted/vetted CA certificates. Perhaps just a configuration setting apart (assuming web browser designers grasp there is more than a google search box needed)?
No sir, not identifying any secret certificates. But sure, if you are outside the EU only use these ones that we trust...oh what is that Skippy? Those EU CA companies are being dropped world-wide due to a lack of trust? Oh dear, how sad, never mind!
Or they'll just make the CA an exterior library which is user configured.
AIUI any code using the NSS library(*) already gets its CA roots from a file (/usr/local/share/certs/ca-root-nss.crt on my machine). That's a bunch of plain text certificates, easily editable by your favourite editor. Quite how the EU expects to police that is beyond me. Yes, they could insist on their Stasi 2.0 certs being compiled in but that's easily circumvented for an OSS browser.
(*) Mozilla products, Evolution, Pidgin, OpenOffice + others according to Wikipedia.
Quite how the EU expects to police that is beyond me
If I understand this correctly, they can't, as certificates are managed at an O/S level (certainly for windows, and as far as I know for Linux etc. as well), so all you or a privacy app/extension need to do is remove the dodgy CA certificate from your trusted root certificate store, and your browser will not be able to verify a website's certificate's trust hierarchy so won't connect. Websites seeing their visitor numbers plummet will just use another CA to obtain their certificates if their owners have any sense.
All they can do is mandate that the browser itself will not remove the CA certificate from your trusted root store, as it currently does for other dodgy CA certificates when it is updated.
And then, I'll compile my own FF without their crap if I damn well please. Let them prosecute me for enabling my own privacy.
Of course that's an option (for the literati, at least). But, so what happens if a browser developer decides to raise a middle finger to the spooks, and continues to protect the integrity of the 'net (such as is possible)? Are they going to get hauled into court in Brussels and fined the typical wrist slap tech companies typically get assessed? Is even that going to happen? And how is it that Brussels can demand browsers work the way they want when the browsers in question are being run in Topeka, Kansas? (I've heard lots of grumbling -- and rightly so -- from Right Pondians about USAians trying to enforce their laws Over There. Seems like this is the Pot calling the Kettle black, so to speak.)
Don't know the weight of the stones browser makers have, but perhaps some good ol' (tech) civil disobedience is called for here.
Would you even need to compile it yourself? Mozilla, Google & Microsoft are all US-based. They could issue an EU-build and a RoW build with different CA trust lists.
Preventing EU users from accessing the RoW build would of course be approximately as effective as US munitions controls were at stopping PGP escaping into the world.
"Human Rights" is a Cold War era concept that was used to differentiate "us" from "them". It relies on "us" believing that we have inherent rights.
I live in the US and our rights as citizens are enshrined in the "Bill of Rights", a set of amendments to the Constitution. Its pretty explicit about what governments can and can't do but that doesn't stop 'government' from working every and any angle to subvert it. They've been doing it literally from Day One of the Republic. The result is endless litigation but its, unfortunately, the price you pay for even attempting to have any form of right that contradicts what power wants to do. Just blithely asserting that "I have rights" gets you absolutely nowhere.
(The Europeans seem to be more pragmatic. They've learned from our mistakes to find mechanisms that give the fig-leaf of rights but actually give absolute power to government -- preferably unaccountable government.)
The difference between the current US & EU situations might have more to do with how the judges are appointed. The US seems to have completely politicised judges whereas that seems to be be less so in Europe/UK.
When it comes to the constitution the reverse might be true, the US constitution is aimed at limiting the power of the state whereas when the EU had a go at drafting itself a constitution IIRC they set about giving themselves powers.
You're undermining British values, therefore you are an extremist. Off to the tower with you!
I somewhat think that what the UK government will want to do is somewhat more draconian than what the EU are proposing.
I would even hazard that they will ask their friend, pooh bear to help - or at least the government mandarins that drive a lot of policy (regardless of the party in power) will.
Waiting for the UK government to make using VPNs illegal with a life sentence if/when caught!
Any success will encourage up and coming dictatorships to follow suit: China and North Korea (no more ugly firewall, just “corrected” content) soon after which others like India, the Democratic Peoplee's Republic of Trumpistan and the UK of Sunakia and Northern Ireland will follow suit.
I'd like to think that in a better world it would be possible for a government to be sufficiently IT literate as to realise the impossibility of what they are trying to achieve - there is no simple way to distinguish between the good guys and the bad guys, which is basically what this comes down to.
Unfortunately, considering the twitter "blue tick" fisco it seems that even very IT-savvy organisations aren't immune from the same fallacy.
This post has been deleted by its author
In that face, we don't talk about "faceless EU muppets" but about lawmakers who are elected by people. Problem is the bigger number of voters won't give a damn about this subject as they will believe the same old lie it's about protecting them from terrorists, not about spying them.
I wonder if the European Court of Justice would agree with such a European regulation to be put in place. I hope not.
Not sure how that earned a downvote!
Whether (and for how long) the ECJ will resist such ideas we can wait and see, but the reality is that the European journey has always been about the slow but steady creation of a super-state, on a progressive top-down basis, with design by the bureaucrats themselves. I'll accept that the idea of a single European state is quite popular with a good many federalist EU citizens, but the inevitability is that by building top down, the unaccountable actors building this state will award themselves powers that they would never get with either a bottom up build, or a more open design where citizens made or influenced those choices. By the time the federalists have had their way, the individual states may well find they've ceded power that they'll never get back.
Obviously, as the UK demonstrates, having the independence to control your own destiny is pointless if the political classes are a bunch on incompetent, venal, lazy, poorly educated thieves.
Have they considered that anything the "good guys" get on Monday, the "bad guys" get hold of by Friday?
Surely this is opening the doors to <insert-favourite-adversarial-foreign-power-here> hackers - not just for citizens' information, social media and bank accounts, but also for secure government information.
This post has been deleted by its author
The Friday before, that is...
“Get 'em out by Friday!
I've told you before, is good money gone if we let them stay
And if it isn't easy
You can squeeze a little grease and our troubles will soon run away.”
Whatever is next?
"This is an announcement from Genetic Control:
“It is my sad duty to inform you of a four-foot restriction on
Humanoid height.”
“if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website.”
Not quite - the government can ask its friendly CA to issue a new certificate, but a copy of the old certificate will be of little use without the private key stored on the requesting organisation’s web server etc.
It can do this even if the original certificate wasn’t issued by one of the Euro-mandated government-backed CAs, as presumably organisations wanting to reduce the risk of government tampering would use a CA outside this government programme.
Existing countermeasures like Certification Authority Authorization (CAA) would presumably remain effective against this EU-mandated vulnerability, or at least require DNS to also be compromised to perform the MITM attack.
Enterprising browser extension developers can hopefully code for removing these CAs from the trust chain to restore security on the endpoint - perhaps rolled up into existing popular extensions like ad blockers.
Indeed. The whole point of X.509 certificates is that they're public. You don't have to ask the CA for a copy. You receive entity certificates, and if the server is properly configured intermediate certificates, just by connecting to it and sending a ClientHello; and you either already have the root certificate, or you won't trust the chain anyway.
It would really be nice if the tech press could get this right. Even once.
If the friendly CA is under their control, what is there to stop them getting a cert for ANY domain with a new private key and impersonating another way, eg mandated DNS hijacking (for anti-piracy, or "protecting kids", MITMs forcibly installed at ISPs/peering points, etc? Even typojacking would get them something.
Yes, but in the first situation your connection to the website is plain text. Including the sending of your password, and login cookies. Anyone can listen in, without you knowing.
In the second situation your connection is encrypted, and only readable by that specific website. No way for anyone else to listen in. There's a different certificate for each hostname, and if the certificate chain leads to a trusted root certificate, you can trust the certificate is genuine, and not one served by a man-in-the-middle listening in to your communications.
In a plaintext connection, any listener can also modify without detection. Any data you send or that the site sends back can be replaced with any other data that is chosen. Your browser would not know that. This is one reason that an encrypted connection is better; even if it was an unverified self-signed certificate, only one server has a chance to mess with the data going to your machine. It's not just about cookies and passwords, though those are important as well.
> In the second situation your connection is encrypted, and only readable by that specific website. No way for anyone else to listen in.
Except that isn't true. It only needs *one* of the many CAs to have leaked, or allow, their root cert or an intermediary to be used by a person with interest and they can m-i-t-m *any* site by issuing their own cert for it, on the fly. Heck, that process is standard practice in corporate environments (the certificate for every site I visit on our corporate kit is signed bt Forcepoint). At this point https is pure security theatre.
(Sorry, that's not an elephant, really...)
> Oh wow. How does that work? Surely forcepoint doesn't have the root certs for all certs? How can it replace all certs in one swoop so all https connections from a company PC are compromised?
They (my employer, the company that owns the kit) installs their own CA by group policy (these devices are locked down tighter than a gnats chuff). All https connections are intercepted by the Forcepoint proxy, which generates and presents a server certificate for the site being accessed. The client (browser) sees this as valid, as it's signed by an installed CA, and makes the HTTP request. The Forcepoint proxy checks the request against its naughty list, and if ok, makes the request out to the real site. The response passes back through the Forcepoint proxy, which scans it for naughty words and naked aardvarks, and if you're lucky, passes it back to the client (browser).
I think they bypass this for some know sites like the big banks, presumably to avoid liability if anyting goes wrong, but I wouldn't use the work kit for anything like that anyway (which is fine by them).
You are not alone. You simply can't understand certs in terms of security or privacy. They are not about either. They are about (scalable) trust. Before you even consider the question whether amazon.co.uk are jerks or you can really trust them to deliver the goods after you paid them you want to know that they are, in fact AMZN. If you don't believe that you shouldn't give them any money even over a secure channel.
Your bank might be run by some jerks whom you don't even know. The cert of the bank's site does not make them righteous or trustworthy. The only thing it does - or, rather, tries to do - is assure you that it is your bank you are talking to. You need to trust every single jerk in the certificate chain to believe it. In practice you trust the browser maker to do the checking for you, automatically. If you don't trust one of those jerks it is possible to revoke the corresponding certificate and your browser will warn you about anyone who presents that jerk as a character or identity reference.
As far as I understand the proposed law will break that trust completely. The cert can be used to make you believe that a jerk you are really talking to is the righteous and trustworthy person you think you are talking to. And you can't revoke the (trust in the) cert. From this point on you can't trust any communication whatsoever: you no longer can trust your browser maker to do the checking because they would be breaking the law by doing that. So you can't trust anyone's identity. The trustworthy guy you want to talk to is still trustworthy, you just don't know it's him on the other end of the line.
Security - including password security - is derivative. You can encrypt everything you send, but if you don't know whose key you are using you don't know who the man in the middle might be.
Your only solution in such a situation is to meet the guy you trust in person, verify that it's him (knowing him personally will help, checking his ID card or driver's license or whatever will help only if you are sure that the security services - or another resourceful organization - didn't send someone with a fake document), and exchange keys. Then you will be able to communicate securely and privately without any certs. I remember the times when it was done routinely, in F2F meetings. Not scalable, either for AMZN or your bank, and extremely difficult, bordering on impossible, even after the key exchange if either of you has resourceful adversaries (it's a great intellectual exercise to figure out how difficult assuming you have to deal with MI5/MI6/GCHQ or CIA/FBI/NSA or some other alphabet soup).
I trust them* to deliver the goods somewhere - but, given the stories about them over the years, I don't necessarily trust them to actually deliver the goods to the designated address.
* them being Amazon, or any company that uses Evri/Hermes (or whatever they're called this week) or any similar so-called delivery service whose drivers have difficulty knowing how to find their own arses upon far too many occasions.
Digital certificates and TLS/HTTPS offer two benefits.
1. Traffic is encrypted between yourself and the web server. Only the web server can read your input and only your browser can read the result.
2. Both the client and server are authenticated to each other. This means that if you connect to "https://example.com" then you can be certain that you are in fact connecting to the web server owned by the owner of "example.com" and not some random interloper (a banking site impersonator?) which is intercepting your traffic. This matters, especially for financial sites which lets face it is almost everything nowadays.
For this trust to work, you must be able to trust the "root certificate authority (CA) server". Provided the root CA server is trusted, then all other CAs and certificates down the chain are trustworthy by design.
This is why it is so important that internet software companies, and end users, are able to remove trust from ANY CA server if it is found to be compromised.
The proposed EU law prevents this, making it impossible to trust certificates, and therefore impossible to trust anything on the internet.
Last time I looked, at least one EU member was not a true democracy, and another EU member has only just had democracy restored. You cannot trust a state just because it is a member of the EU.
Currently, browsers ship with a bunch of root certificates with long expiry dates that users can in principle amend themselves, though there are now so many that in practice they have to be taken on trust.
Presumably if there is a new "approved" CA, browser makers will incorporate in their next release. But is there an obligation on the user also to install it? Will browsers have to stop working if the user refuses to update. Or if the user finds a way to delete the CA or otherwise compromise the CA certificate? What happens if a CA certificate has to be revoked?
The chain of trust is pretty much on its last legs already given its principal guarantee is little more than that each party has paid the required fee to the next party in the chain, but this does seem to be the point at which it gets taken behind the barn, never to be seen again.
And presumably even if this does get through...
- There'll be nothing to stop anyone disabling gov certs, like now.
- There'll be nothing to stop someone writing an add-on that makes it obvious when a gov cert is being used (e.g. red address bar or click-through screen or something), like now.
This is where the law runs into implementation problems. All the Firefox certs are stored on disk, so there's nothing to stop the dedicated user from editing the file directly. Mozilla would have to shift to a different model, perhaps where the browser downloads the 'approved' certs at startup, but being an open source program, people would just fork it and keep the old cert code.
It's a classic example of a law which makes it difficult for the average person to get around it, but puts no real obstacles in the path of any actual criminals/terrorists.
Given governments aren't generally in the business of running IT systems, the UK will doubtless put the management of root certificates in the hands of their favourite outsourcing partner. Now if the idea of the gubberment having access to your TLS handshake is worrying, consider the additional risk of an outsourcer's misconfiguration accidentally allowing world+dog to lift and copy certificates. Yes, the same could happen now - but I'd argue there's a fundamentally approach between supplying a core service directly to the industry and simply satisfying the (usually rather poorly defined) terms of an outsourcing contract for a government body.
Surely this should be subject to the same regulations concerning tapping phone lines, opening physical post* etc?
I would hope that this could only be done with the formal approval of a senior Police Officer, Magistrate / Judge, or the Home Secretary (in the UK). But suspect I may be being a trifle naïve.
*To the youngsters here, that is when a piece of paper with writing on it is used as a physical medium to convey a message from one person to another via a national or international network of couriers also known as 'posties'. (you're welcome)
Sure, you can do that. Follow these steps:
1. Go to your certificates list.
2. Select all.
3. Click disable or delete as you choose.
4. Slowly put them back after every annoying warning screen.
The reason that is not normally done is that you don't want to train users that accepting new CAs is a good idea, because then it's much easier to sneak more untrustworthy ones in. So it will never be the default, but you're welcome and easily able to do it if you think you have the knowledge to make that useful.
I was thinking more that a CAA record can be definitive, so if the presented root CA is as pre CAA, it gets accepted for THAT SITE ONLY.
And therefore sites are automatically filling in their CA and root CA and browsers ship with nothing trusted by default.
Why should I be accepting a root CA to browse My Bank and then automatically accept everything that it claims to secure including Random 3rd Party Website forever more?
And if the governments want to get into CAA and DNSSEC tampering, there are alternates and measures in those already.
Refuse to comply!
I will simply make sure that my update repositories for Debian are located outside the EU and install the version of Firefox that does not have its hands tied.
It's my computer and I alone will decide what software it runs and whether I will accept any technical limitations imposed by those who would seek to compromise my privacy and safety.
> It's my computer and I alone will decide what software it runs and whether I will accept any technical limitations imposed by those who would seek to compromise my privacy and safety.
Intel and AMD would like a word with you, as would Samsung and some others. It hasn't been your computer for a long time, see IME / ASP/ Trustzone.
They could display prominent click-through messages announcing that the user is now "enjoying" the benefit of a non-negotiable government encryption certificate.
Add a few links about which legislators they can reach out to "thank" for this, links to organizations working to take this awful burden off the shoulders of our dear, overburdened government, etc. Just do things you're still allowed to do in excess of just accepting the holy poison certs silently.
They could have the browser shut down immediately upon getting one of these holy goverment certs. Might not be a great solution when the gov starts employing in "ads" that use their holy certs.
Add your clever solution below:
Mozilla does not have any operations in the EU, or derive any revenue from the EU, so the EU has exactly ZERO leverage over them.
Maybe I should root for the EU to pass such a law, as it would really help Firefox gain back some of that lost market share which is good for browser competition!
it now.
I thought the bunch of idiots in charge here were bad enough.
Just what is it about our communications that the governments (of various flavours/types) just want to listen in on
Its hardly liable that we're all plotting mass revolution to overthrow the end game capitalism we seem to be stuck in.
Unless a lot of us are... and the knobs and aristos dont want to end up in front of the national razor again........
The results of a few recent by-elections would suggest otherwise.
What is insane is how quickly it all gets forgotten. 1997 only achieved the result expected in 1992 thanks to the "expenses scandal". Anyone remembering that should be entirely unsurprised by the "VIP lane", rules on , external "consultancy", 2nd jobs, employing family members as Parliamentary assistants, etc., etc., being ignored.
As a layperson with little expertise in this area, my question is what I can do about it. Does it help to use Little Snitch? NoScript? TOR browser? If I keep a list of the critical url (banking, bill pays, etc, entities only in my country) and only use them, am I still at risk for those? Or is my exposure limited to entities based outside my home country, like The Register?
Hopefully there is some direction I can take that doesn’t require a crash course in a topic I have little understanding of. One commenter mentioned changing certificates in Firefox… I wouldn’t even know where to start.
I gather from the comments I’ve read so far that there is no out-of-the-box solution. Also, I live in the US, so I know very well there is little I can do if the government decides look at my internet usage. But maybe there are things I can do now that will reduce exposure to man-in-the-middle attacks by smaller bad actors wanting to do bad things.
Thanks for any serious replies… even if they are, “Sorry, you’re out of luck."
This post has been deleted by its author
This post has been deleted by its author
Since eIDAS is promoted as improving web users' security,
and these countries are democracies,
how about making the eIDAS compliance selectable
on an individual basis?
Each person can decide for him/herself whether they want
this extra security. Just another checkbox in our browser settings.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
