EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…
What the fuck is EU doing? Why are they trying so hard to participate in the enshitification effort?
Personal ID cards have certificates on them issued by the government. These certificates can be used for anything from digitally signing documents to logging in to government web sites without having yet another user/pass. So far situations was a nightmare.
Government provided tools and plugins for browsers to support logging in and signing, but it’s been a shitshow when it comes to support. Pretty much only Windows and only certain versions of it and even then it worked half of the time. You had to install certificate manually and trust, etc. Am assuming this is to make sure these services work but also so they can issue certificates for their own web sites.
Personal digital certificate sounds like an awesome concept. Too bad the implementation seems so narrow-minded. Typical beaureaucrats.
They want to make all the decisions but are also mad that the IT guy presentation is taking to long and isn’t using simpler language
My country has half-assed implementation but in general it has been great. For any signing I can just shove my personal id, enter pin and document is cryptographically signed. No alteration possible. And since government is the issuer of the certificate, no one can fake it. We have our e-government thing also, where you can do a lot of things, from checking your kids grades in school to theoretically handling all of the documentation you might need. Personal id is used to login into that service. Shove a card, enter pin and you are there. No sign up, remember password, etc. I have even set up, at one point, login into my computer using my personal id, out of curiosity as it held no other benefit. Had to add that root certificate to my machine though.
Sadly it all sounds great on paper, but execution is lacking. Some things still require pen and paper and it’s annoying, but we’ll get there. That’s why my assumption is governments wanting to push for easier integration. Then all you’d need was card reader and a browser. Which also the reason why I don’t think they are trying to push this idea for nefarious purposes. People download and install government software without thinking or double-checking all the time. Adding certificate through any installation wouldn’t be much of a challenge.
“No one can fake it” Oh boy. This is going to be an utterly horrible future.
We have them in Spain. Really useful as my accountant has a copy of mine for my tax filing on their windows machines and I have it installed on my Linux laptop for interfacing with gov sites
Your accountant has your private key???
Yeah. It’s pretty common here
Lol such a bad idea. In Portugal your accountant could sign almost any document with it.
Same in Germany. You can grant access to the accountant to that data, but never ever with your private key… Giving away your private key is a horrible idea…
I did a different thing. I ordered a separate certificate, gave it to my assistant who handles tax things with my accountant, but am the only one with password. They don’t really remember or write down password because it gives them fewer things to worry about and we have sufficient security this way.
And they don’t even use custom crypto!
What a fucking nightmare. And I thought the US was bad about trying to encroach more on privacy.
Am thinking this looks like a nightmare but their intentions are actually different. However giving any kind of power to government is almost universally bad idea since it’s guaranteed to be abused, no matter the initial reason it was added.
There’s literally zero reason for this that isn’t shady.
I can actually think of more reasons that it’s a legitimate request than a shady one.
Such as?
Security from psyops. Duh …
Well, like I wrote in other comment of mine. Governments here issue personal certificates signed by government ones. These personal certificates can then be used to digitally sign documents and tax reports. It can be used to log into government web sites and many similar uses. These certificates that EU says browsers have to accept are the same ones everyone already uses for biometric passports. If browser accepted these root certificates, then things would be significantly easier to support. No software installation required.
People seem to think this will be used for nefarious cases, but in reality people just install government issued software without thinking. Well, any software without thinking. During that installation you can already add certificate to browser and whole OS. It’s just easier and better supported if they go through public way instead of having to support multiple OS installations and similar issues.
Yeah that argument holds zero water. Forcing browsers to trust these roots means not only pre-trusting them, but disallowing removal of trust. This is completely intended for surveillance purposes.
Where and how do we complain? This is really bad…
Oh HELL NO
That means cryptographic keys under one government’s control could be used to intercept HTTPS communication
Could someone smarter than me explain how this would be possible? Wouldn’t the browser still be able to enforce privacy between the client and origin? Or is it the case that certificates issued by these CAs could in theory only support weaker cyphers?
Edit: Some really useful explanations. Thank you!
The government CA could just issue a new certificate for let’s say Google, force your ISP to return a wrong IP when you ask your ISPs dns server what the address of Google is and then return a fake Google page instead or forward traffic to Google on your behalf and read all data. And since your browser trusts the new fake Google certificate from the government you won’t get any https error or warning.
The CA (Certification Authority) is what validates the encryption certificates that TLS uses in HTTPS. In this case it can certify a cypher that can be used in a site’s certificates and be known to a government agency (the 3rd party) and used to decrypt the HTTPS stream. This basically an Man-In-The-Middle attack.
When a website uses HTTPS they have a certificate that proves who they are. Your device uses that certificate to encrypt your data so that only that service can decrypt it. The issue is that it’s just a file and anyone can make one. So to determine whether I trust your certificate I need it to be cryptographically signed by someone I already trust. These are the certificate authorities.
If I was a certificate authority that your device trusts then I could create a certificate for any domain and your device would believe me. Meaning I could sit between you and any web service and have you encrypt things with my certificate in a way that lets me decrypt everything before forwarding it to the service and you would never know.
Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).
You gotta love confident statements that don’t stand to scrutiny.
DNSSEC keys are signed in the same recursive manner SSL certificates are. If I, as a government, block your access to root servers and provide you my own servers, I can spoof anything I want. It’s literally the same bloody problem.
Chain of trust doesn’t disappear just because you use a new acronym.
That’s some bullshit.
Seems great, if they achieve the same security standards as a private company I don’t see why we cannot have public CAs.
And how long will it take for intelligence agencies to start issuing fake but trusted certificates for surveillance?
They don’t already?
They do.
Yes, private companies are invulnerable to this ploy
They already do it.
Surely they can’t force say US browser companies to do this to browsers downloaded from the USA?
Just a heads up: new wording has killed this.
Fuck the EU. Fuck ruining my built in phone batteries too.
Nice clickbait title, man…
It’s still a proposal for now.
