
The best way to deal with this is non-compliance and there need to be technical solutions to deny such attempts.

One major factor that works against users is central authentication. Schemes like oauth2 might bring convenience and security in many cases, but will endanger net freedom overall.

Google just added age restriction on Blogger. The result is that you need to provide Google with ID information to access some content. If more and more users elect to ID with their Google account, you can see where it can lead. Naturally the EU wants to increase such schemes as well.

It just released a law (DSA) that is allegedly meant to restrict the influence of tech giants. That their proposals will drive people into ID schemes of said tech companies is either an oversight or something worse. I would think it is the latter, and giant tech companies are very glad about the behavior of the commission, because they too tried to get people to use their ID solutions.

Digital tech doesn't really prosper in the EU, but surveillance leveraging the services of others certainly does.

The only defense against such laws is to make them technologically not feasible. While Google did many good things for net security, their compliance on topics that serve its self-interest is a danger. Same goes for other large tech companies.

That there is close collaboration between certain political elites and tech companies is pretty much a given. It was decried as a conspiracy theory until it was proven, although it should be no surprise that there are such connections. Perhaps the influence of the EU commission is smaller, but I would not bet on it. Access to the market is one hand they can play. Easily a strong enough hand to subject users to surveillance.




> The best way to deal with this is non-compliance and there need to be technical solutions to deny such attempts.

I disagree.

While these are good to have, they are not enough.

The reason is always the same: if you are found to be using the circumventing tech., you'll likely be in breach of the law, which will give the goons a legitimate reason to come and harass you.

In a civilized country, that can translate into a fine, community service, etc...

In the borderlands, it'll land you in jail or worse.


The goons will come and harass you if you are inconvenient or a threat to the ruling class, even if you are complying with all existing regulations. This happens in every country and region.

For the common man non-compliance is the only non-violent way to preserve his rights or exercise freedom. You can do it successfully if you are smart and agile.


No it doesn't happen in every country and region. In many places there's no such thing as a "ruling class". Politicians are just another type of public sector worker and certainly not the best paid or wealthiest.


Where would that be?

I live in Europe and I don't think there is a country where politicians aren't corrupt.


As a European living in the country with the highest inflation rate, I must agree. What annoys me a lot is a trending narration about blaming Putin for everything. The Ministry of the Interior has leaked manuals in which a guide for public relations about it is written. Basically it says that the media need to blame Putin for hunger and problems with the food supply chain.

https://www.mvcr.cz/soubor/krit-memo-putin-hlad-komunikacni-...

If you search for articles, they are written following this guide exactly.

https://duckduckgo.com/?q=putin+a+hlad


In a perfect world.


Sometimes I think we have romanticized civil disobedience a little too much. Not because having authoritarian laws is good, but because it seems like some people would rather be heroic resistance fighters than engage in dry policy work and advocacy. It would be better to never live under bad laws at all.


>some people would rather be heroic resistance fighters than engage dry policy work and advocacy

This is a nice take, that would be the right one if you operated in a fair system.

But if you have ever engaged in the very dirty game of trying to change or remove a bad law (bad for whatever reason), you soon learn how very dirty the game is.

Extremely few people who play that game are in it for the betterment of society as a whole rather than the betterment of their own destiny and that of their friends.

And even if they started out that way, it never lasts. Human nature.

Want to change policy? Quid pro quo. Read all about it, and be ready to do nothing but.


> people would rather be heroic resistance fighters than engage dry policy work and advocacy

Isn't it tiring? I mean you can raise hell and get some picture but you know one or 4 years from now they will try the same bullshit with a different name until it works.

You are wasting your time and energy on activism while there are crooks literally getting paid (by your money) to degrade your life. I think that time and energy should be best spent building things which are immune to power abuse.


> I think that time and energy should be best spent building things which are immune to power abuse.

I'm not sure such a thing exists. What technologies built by humans do you know of that are immune to power abuse?


Cryptography


It's much easier for people to resist by using "forbidden" systems in private, than to affect political change. In the context of the EU, other rights afforded to citizens make things like this hard to enforce.


> The reason is always the same: if you are found to be using the circumventing tech., you'll likely be in breach of the law, which will give the goons a legitimate reason to come and harass you.

Not if almost everyone does it at once.


Then it lets them crack down on anyone they find inconvenient.

Omnicriminalization is not a good thing for the rule of law, much less for opponents of the people in charge.


> One major factor that works against users is central authentication. Schemes like oauth2

also dns and the tls ca system, even including let's encrypt


Or Cloudflare which is a MitMaaS


Similarly, open resolvers, e.g., "public DNS service" from Google, Cloudflare, Cisco (OpenDNS), Quad9, etc. or DNS provided by an ISP. A remote DNS cache is, IMO, a "MiTM". It can censor among other things. Quad9, for example, is doing this right now.

Even so-called "encrypted DNS" such as DNSCrypt or more recently DoH only applies to the path between the client and the cache, not the cache and the authoritative server. In the same way that the path between a client and Cloudflare and the path between Cloudflare and the origin server are separated by CF as a "MiTM".

NB. It's possible to exclude the remote DNS cache and have encrypted DNS between client and authoritative server, the software exists, even for DNSCrypt, but it never caught on. I have often thought about starting a registry that requires registrants to offer encrypted authoritative DNS.


I love this term and hate that it's true.


Sorry, can I ask you what MitMaas stands for?


I’m guessing they mean “man in the middle as a service,” referring to the fact that Cloudflare (by design) is a trusted party in your TLS traffic if you use them.


I'm not sure I follow how let's encrypt is included on this list. They are very transparent.


let's encrypt made a huge improvement on the status quo, but now that 95% of the web depends on them, they're an obvious central point of vulnerability for censors and spy agencies


...you're not concerned about all of the other Trusted Root CAs that ship in OS/browser updates? Why would the NSA/GCHQ/etc need to compromise a high-profile target like LetsEncrypt when they could bribe any of the dozens of companies whose names are listed in my own local certmgr.msc that I don't recognize at all[1]?

1: I'm seeing names like "Actalis", "Baltimore CyberTrust", "Cetrum" - some of these sound more like pharmaceuticals than tech companies...


I'm more concerned about why I can't see a list of sites that CA has authenticated, or put my own restrictions on them.

Taking the first one: AC Camerfirma S. A.

I suspect I've never authenticated anything against that CA. I'd love to know what sites it has authenticated, and maybe I'd be happy with a lot of .es sites.

Wouldn't surprise me if I rarely if ever encounter 80% of the CAs that I trust. Looking through, I'd be happy if some of them signed .ae, or .cn, but not .de.

If I did visit an unusual CA, I'd like to make a judgement call on that access. Sure, the big ones (letsencrypt, globalsign, etc) would need to just be trusted completely, but having a "you are visiting youremail.com, last time you visited this was signed by Globalsign with a certificate expiry of 5 months time, today it's signed by Odd Looking CA, continue?"

Sure, 90% of users would click through, and it shouldn't be an option for 90% of users, but I'm not 90% of users.

Same with importing. If I make my own certificates for my own stuff, I want to import my CA and trust it for .mydevdomain.com, but not for mybank.com, because I don't trust my own security enough to have anyone, including me, have a skeleton key to my entire communication chain for key sites.
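The per-domain CA restriction and "issuer changed since last visit" prompt described in this comment, as an added example (not code from the original thread or from any browser): a small policy that maps domain suffixes to the CA organisations allowed to sign for them, plus a trust-on-first-use record of the last issuer seen per host. The policy entries, hostnames and CA names are constructed for illustration.

```python
"""Per-domain CA trust policy with issuer-change prompts (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed policy: domain suffix -> CA organisation names allowed to sign for it.
# The "*" entry is the default for hosts that match no other suffix.
POLICY = {
    "mydevdomain.com": {"My Dev Root CA"},           # own CA, only for own hosts
    "mybank.com": {"GlobalSign"},                    # key site: restrict to expected CA
    "*": {"Let's Encrypt", "GlobalSign", "DigiCert"},
}


@dataclass
class SeenCert:
    """What the client remembered from the previous visit to a host."""
    issuer_org: str
    not_after: str  # ISO date of the certificate seen last time


def policy_for(host: str) -> set:
    # Walk up the labels: mail.mybank.com -> mybank.com -> com -> default.
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in POLICY:
            return POLICY[suffix]
    return POLICY["*"]


def evaluate(host: str, issuer_org: str, not_after: str,
             previous: Optional[SeenCert]) -> Tuple[str, str]:
    """Return (decision, reason) where decision is ALLOW, PROMPT or BLOCK."""
    allowed = policy_for(host)
    if issuer_org not in allowed:
        return "BLOCK", f"{issuer_org} is not permitted to sign for {host}"
    if previous is None:
        # First visit: trust on first use and remember the issuer.
        return "ALLOW", f"first visit, recording issuer {issuer_org}"
    if previous.issuer_org != issuer_org:
        return "PROMPT", (f"last time signed by {previous.issuer_org} "
                          f"(expiry {previous.not_after}), today by {issuer_org}")
    return "ALLOW", f"issuer unchanged ({issuer_org}), expires {not_after}"


if __name__ == "__main__":
    seen = SeenCert("GlobalSign", "2025-11-30")
    print(evaluate("youremail.com", "DigiCert", "2026-03-01", seen))
    print(evaluate("www.mybank.com", "My Dev Root CA", "2026-03-01", None))
```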


That's all available from Certificate Transparency. Chrome refuses certificates that haven't been submitted to CT.

AC Camerfirma seems to operate multiple CA certificates (e.g. some labeled by year). Here's a search that finds certificates issued by one of them: https://crt.sh/?Identity=%25&iCAID=51020

https://en.wikipedia.org/wiki/Certificate_Transparency


This is great, thanks!


a compromised root ca allows an attacker who already has dns or ip control (via bgp, arp spoofing, a captive portal, etc.) to leverage it into a working mitm attack on a tls site, but it can't revoke certs it didn't sign, and the attack is over as soon as the attacker loses dns or ip control

by contrast, the ca you chose to sign your cert can revoke it, or refuse to renew it, taking your website permanently offline with zero effort on their part, unless you can find another ca to sign a new cert for you

but if you could, let's encrypt wouldn't have had to exist in the first place

the dozens of companies you mentioned make that less of a threat, not more of one, though they do of course increase mitm attacks as i described in the first paragraph of this comment


> a compromised root ca allows an attacker who already has dns or ip control

DNS or host/IP control is not a requirement at all: a Trusted CA is already trusted to sign a certificate for any hostname (with exceptions): that's what Trust means, and it also means that we trust them not to issue certificates for domains/hostnames without doing at least Domain Validation - and we have schemes like Certificate Transparency to help bolster that trust, but it still doesn't prevent an already-trusted CA from issuing its own certificate for, say, google.com or microsoft.com. This is why techniques like Certificate Pinning and co/counter-signing, and others exist - but they're only useful when the client isn't a human-operated web-browser ("smart clients", "IoT", etc). EV certificates were (amongst other things...) meant to help protect against small-time crooks but again, don't help when the CA itself is compromised.


if i type https://gmail.com/ into my browser, it usually doesn't matter if you have successfully gotten comodo or actalis to issue you a fake certificate for gmail.com, because my browser doesn't try to connect to your malicious server; it tries to connect to google's actual gmail server, and so you don't receive my packets, and your fake certificate does you no good

but, as i said, if you can feed me fake dns results so i connect to the wrong ip, or if you can arrange so that packets to gmail's legitimate ip go to your server instead (for example by having me connect to your wifi), then you can leverage the fake certificate into a successful mitm attack

but your explanation of the part of the basics of tls you understand, incomplete though it is, is irrelevant to the attack i was actually discussing, where someone doesn't like what you're saying (or the communication service you're providing) and gets your cert revoked to shut you up


> because my browser doesn't try to connect to your malicious server

Unless a router is compromised along the route, which is a known thing, and part of why we use ssl everywhere now.


the paragraph immediately following the one you quoted from explains that, and did so nine hours before your comment

the grandparent comment https://news.ycombinator.com/item?id=34629050 also describes some more common ways that this can happen without routers being compromised


Noted.


If the browser enforced that the certificate had been issued in line with the domain's CAA record, such an attack might be less tractable without DNS control...
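The CAA check this comment wishes the browser would perform, as an added example (not code from the thread or from any browser or CA): the RFC 8659 relevant-record-set walk (climb from the name to the zone apex, use the first CAA set found), the issuewild precedence for wildcard names, the ";" explicit deny, and the rule that an unknown tag with the critical flag set forbids issuance. The zone data is constructed inline; in reality CAs consult CAA at issuance time and browsers do not check it.

```python
"""CAA issuance check per RFC 8659 over a constructed zone (added example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CAA:
    flags: int   # bit value 128 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # CA domain, optionally "; param=value", or ";" for explicit deny


# Constructed zone: hosts without their own CAA set inherit the apex set.
ZONE: Dict[str, List[CAA]] = {
    "example.com": [CAA(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    CAA(0, "issuewild", ";"),                # no wildcard certs at all
                    CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [CAA(128, "futuretag", "x")],    # critical flag, unknown tag
    "open.example.com": [CAA(0, "iodef", "mailto:security@example.com")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name: str) -> List[CAA]:
    """RelevantCAASet: first non-empty CAA set from the name up to the apex."""
    labels = name.lower().rstrip(".").split(".")   # "*.example.com" keeps its "*" label
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuance_permitted(name: str, ca_domain: str) -> bool:
    """Would a CA identified by ca_domain be allowed to issue for name?"""
    rrset = relevant_rrset(name)
    if not rrset:
        return True                       # no CAA anywhere up the tree: unrestricted
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                      # critical tag we do not understand
    tag = "issue"
    if name.startswith("*.") and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                 # issuewild overrides issue for wildcards
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True                       # CAA present but no restricting tag
    # Strip parameters after ';'; a bare ";" yields "" and therefore matches no CA.
    return any(r.value.split(";")[0].strip().lower() == ca_domain.lower()
               for r in relevant)
```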


Why can't I be concerned about all of those things?


Let’s Encrypt, like other major CAs, participates in Certificate Transparency for this reason. “Central point of vulnerability” means very little without actual evidence of compromise, which CT would give us. And we haven’t seen any such evidence.


As far as I know, LE does not get access to the site's private key, so they can not intercept traffic using their certificates. And if LE tried to replace certificates with fake ones, it would be spotted through certificate transparency like normal.


right, but as i explained downthread, those aren't the attacks i'm talking about


They are a central point of potential failure. Whether or not they're transparent doesn't enter into it.


Apple and Google will do what the EU tells them to do in the end.


That won't stop them trying to lobby their way into banning third parties from the web if they could.

Apple, Google, and Facebook are the 5th, 6th, and 7th largest lobbyists in the EU.

https://www.lobbyfacts.eu/?sort=lob&order=desc


> Schemes like oauth2 might bring convenience and security in many cases, but will endanger net freedom overall.

Your statement makes it look like OAuth2 is inherently endangering net freedom.

This isn't true.

If OAuth2 was used ...

- for authentication (versus authorization) only, AND

- by a select few providers (e.g. Google, Github, Facebook, Twitter) solely, AND

- NO other privacy-protecting authentication methods (e.g. classic username-password credentials) are available

... THEN your statement has reasonable truth.


Feels like that's where we are heading.


> The best way to deal with this is non-compliance and there need to be technical solutions to deny such attempts.

You cannot solve human issues by technical solutions.

> One major factor that works against users is central authentication. Schemes like oauth2 might bring convenience and security in many cases, but will endanger net freedom overall.

And what is your solution for that? Any authentication solution will inevitably converge to having trusted actors authenticating you. There's no technical solution for that.

> It just released a law (DSA) that allegedly to restrict the influence of tech giants. That their proposals will drive people into ID schemes

So what is your technical solution to this human law?

> The only defense against such laws is to make them technologically not feasible.

I also want to wish for the moon and the stars. But we're not dealing with the realms of fantasy.



