We really need to go back to days of police actually going through the trouble of investigating and catching criminals - at least in principle.
Now every government security agency dreams of having complete access to the communications of everyone so they don't go through the trouble of doing their job. First UK, now EU.
Although I'm generally closer to the EU mentality of trusting the governments more than the corporations, this aspiration of the governments is just too much even if the European governments were perfect(they are far from it).
IMHO these are good intentioned ideas by the people who are responsible of providing security, it's just that they are too narrow minded brainchild of incompetent bureaucrats.
"How easy would my job be if I was able to access the communications between terrorists/pedos/spies etc."
Yeah right, we all exist to make your job easier and that's the top priority over everything else.
My biggest problem with the whole mentality is that most high profile shootings are still being carried out with unsecured methods, e.g. the Paris shooting from 2015 was organized via bare SMS. If law enforcement can't catch criminals using the unsecured channels how can they argue at all that the encryption is to blame?
All that is already a reality in many 3rd world countries and even is European ones like Turkey. By all that, I mean all that!
Turkey had a scandal with TurkTrust cert authority(a company owned by the Turkish military fund) where they issued a root cert by mistake(?) and a government body was caught by Google when pretending to be Google.
At the same time, Turkey has a robust online services. Signing documents, medical stuff - everything happens digitally and signed securely and Turkish citizens very rarely need to go to physical government locations and almost never need to deal with physical paperwork . There's even government controlled mail service that you can use to do official communications and if something goes sought the courts can check the communications from your government provided, cert signed inbox.
The problem with the new stuff that EU and UK are trying to do is, to remove the "being caught by Google" part by legally whenever they feel fit.
Does google have certificates in there, does china have certificates in there, does russia have certificates in there ALREADY TODAY ???? So if you worry about that, then you should OBVIOUSLY understand that it is either non issue OR it is exploited TODAY EVEN WITHOUT THIS LAW... So this law being in place changes NOTHING in either case.
The current internet is essentially so secure, it doesn't need or have a properly walled-off of underground of people who value secure communications. In the west few people outside actual criminals practice it strictly.
> EFF warns incoming rules may return web 'to the dark ages of 2011'
I don't want this law to pass, but I have fond memories of some of the communities that existed back then. If it passes, I at the very least hope like-minded people find a reason to congregate and practice fuckery again.
Obviously (for now) this law is easy to "opt out of" as a user - just download your browser from a mirror outside the EU, or remove the EU certs manually on your end. It's also a dumb law because it makes traffic interception trivially detectable by the end user - the EU is telling you that they're going to use these root certs for it! If they think nobody is going to modify their browser to POST not-safe-for-life imagery whenever such a cert is detected, they're probably wrong.
CT logs are just, well, logs. They don't do anything to protect you from having your traffic intercepted via maliciously issued certificate. You might learn later (if somebody bothers to check) that it occurred but at that point the damage is already done.
> HSTS
This just says the connection should only be established via HTTPS, nothing more.
> Cert Pinning
Cert pinning has been removed both from Chromium and Firefox.
Yes exactly the 3 elements are necessary for the protection to work.
HSTS is the official way to force HTTPS (aside 301 redirects), if you have the best certificate in the world, but the client is using HTTP, then there is no point.
If you only have CT logs you are just catching the issue (if... the CT log servers themselves are not blocked by the rogue actor), but it's still too late.
Cert Pinning is here to prevent the issue, whether browsers or not wants to follow it is another question.
Suppose they include those features anyway. Do Firefox developers in the EU get arrested? Does the EU block US websites distributing Firefox, and arrest anyone running a local mirror? Do programmers that compile and run their own, personal versions of Firefox, where they have personally removed untrustworthy CAs, get raided by the police?
They do not need to hijack this process, in a way as is said in article, or in comments, there are different methods already in use, successfully. So there is absolutely no need from anybody to be doing this in this way ( even if it works like they write in that article ). if they need it for state security then it does not need to be this OVERT, there are legal provisions to do this covertly IN US OR IN EU. They are even cooperating between jurisdictions. So UK is sending data from US citizens on uk servers to US, EU is sending data about US citizens on Eu servers to US, etc. And no GDPR does not cover this.
I remember a (now removed?) passage in Wikipedia stated that self-signed certificates where considered as default for HTTPS back in the 90ies. But the idea of signing Certificate-Authorities prevailed. Users get instantly a “lock” creating a feeling of security - and it made some people rich.
Self-Signed actually is the only trustworthy approach to use certificates. And with QR-Codes or ASCII-Art it is user friendly. Your partner (e.g. bank) would print a hash/fingerprint on the contract and the user MUST check it on first connection.
To complicated?
SSH does that always. PGP is built upon the idea of users itself trusting. No end users?
Signal and WhatsApp!
Actually you need to check the hash/fingerprint in the profile of your chat or you’ve only an encrypted connection but no security who receives the messages.
I think we should drop the entire approach of Certificates and issuing through “Authorities”. SecureBoot was flawed from the very first moment due its use of Certificates signed by an Authority named Microsoft. And a top-down security enforced from companies isn’t one.
PS: Lenovo turns off SecureBoot when you order a Laptop with Linux. A wise decision. I just miss a note that the password for hardware-disk-encryption and UEFI.
Malware actor can self sign google.com certificate..... So self sign is ... Because you still need to verify that Google is Google or that malware actor is not Google, so you came to similar situations / conclusions.
BUT current CA situation is travesty in its own right that is little bit different topic.
The problem the EU faces - or the respective national European intelligence agencies for that matter - is that they lack access to a comprehensive, global data funnel. The US, Russia and China all have their respective systems: The US has access to the data of Facebook (WhatsApp and Instagram), Apple messenger, Google's GMail. Russia has Telegram and China has I think Weibo, WeChat, TikTok and probably some more. I want to put the value of these data sources into question - as anti governmental actors increasingly learn to use other means for coordination - but still it's an attempt to get a foot into this global arms race.
Facebook app( either web or ios) does not have to be SAME app as your friend have installed / opened. Some call it A/B testing, some call it malicious update. Depends on contents.
Apple can send malicious update to any app.... Do you check hashes thru 3rd party service ? Apple is scanning ALL your photos, documents on your device, with ML AND AGAINST HASH, DO you think they do not scan your photo for face of UBL ?
Important to note is that the main thing everyone is up in arms about, the TLS/HTTPS certificate stuff, already got adjusted after browser makers complained about it; browser makers aren't mandated to trust any certificates for internet traffic and DNS resolution. The only real problem left is QWACs in general being a part of the proposed legislation from what I can tell.
The rest of the bill seems more aimed at providing an easier authentication method to safely export private data. Could (hopefully) be good for dealing with KYC laws.
Digital stores obtain so much information to complain with those laws and it's a giant risk with things like the GDPR. As I understand it, under this law they could just store the absolute minimum (the reference ID for the centralized system in question) and if KYC laws are ever needed by the government, they can supply the ID rather than having to store a lot of Personal Information (which is a big issue with data breaches and the like being what they are.)
> This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state.
This is already possible though, all a state needs to do for that is to bribe Microsoft[1] like Tunisia did ~20 years ago to include a government intelligence agency's root certificate that can then be used for MitM.
[1] and/or Apple and Google, if they want to target mobile devices as well.
Even ignoring the whole spying issue(which you shouldn't). Wouldn't problems like we had with DigiNotar(https://en.wikipedia.org/wiki/DigiNotar) take much longer to resolve if it had to go through some government revokal process each time?
> that government can ask its friendly CA for a copy of that certificate
1/ copying/reafing the certificate without the private key is something every TLS client must be able to do, this is a must. It is absolutely not a security concern.
2/ copying the certificate and the private key would be a concern, except s CA never sees the private key and hence cannot have it. The CA signs a CSR which does not contains the private key.
Overall I still agree with the article since the problem is not that the CA can copy the cert but rather that is can issue a new cert for the same URL, enabling MitM attacks.
Also, I garantee this gov CA will be breached in no time. There would be simply too many government agencies with access... Impossible to secure.
This claim that eIDAS is an attempt to intercept TLS and spy on citizens has been repeated over and over this week without any basis and I'm getting sick of it. I don't understand why everyone immediately assumes bad faith here when it's much more likely that this is just a botched article written by someone who has not had to deal with the intricacies of the web PKI.
Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spying on german citizens? Or maybe it is to make sure italian citizens (regardless of browser vendor) can access the social security website without getting a scary warning message?
Intent is important if you are attacking the character of the legislator. If we are criticizing the legislation itself then it's the effect of it we should be focusing on.
As in "what's the worst outcome that can come from this piece of legislation, assuming malicious intent from the person wielding this law in the future". If the answer to that is "uh, not good" then the legislation is bad.
But that does not mean "Europe ready to intercept, spy..." or "EU Tries To Slip In New Powers To Intercept Encrypted Web..." as these articles are claiming.
It's also very much not the case; regulators adjusted that part of eIDAS earlier this week - Browsers aren't required to trust these certificates for DNS or HTTPS connections. The law is still in proposal/feedback stage and the lawmakers listened to the complaints.
TLS interception likely was never a seriously intended goal, just a side-effect due to how the law was worded.
Afaik they want a digital id card for each person and business, so europeans can legally identify themselves and enter legally valid digital contracts on the web.
The real purpose seems to be that the EU wants to regulate customer data collection for online transactions. It's an e-Identity law at its core; the EU wants member states to set up a centralized "Wallet" service that can be used to safely exchange a limited amount of PI for things such as digital transactions.
There's little direct reason for example for say, Hetzner, to have the address data of any of their customers on file - they don't send you any physical mail or anything like that. They have that info mostly because of anti-fraud laws that mandate they store a lot of information with each transaction. With the new Wallet setup, they only have to request what they need and the government can still keep those KYC laws working without you having to store a ton of personal data at a third party.
The QWAC stuff is a part of the law because the way this practically ends up working is that a EU citizen that wants to use the wallet (the process is strictly opt-in; if you don't want to use it, you don't have to) needs to give their approval kinda like how it works with OAuth. QWACs were a harebrained attempt at making it clear to the user that the site they're giving their approval on was actually a real government site.
The original law text forced QWACs to not only be displayed but prevented browser makers from doing the usual security processes to deem if the certificates are safe. The new text seems to address this issue according to the source; QWACs for government sites must still be displayed if approved by the browser (so for government sites you'd still get the green text after the security lock like how it was back in the day when EVs were a thing - this is what the EU really wants out of this law from what I can tell, normal certificates don't give them this assurance - they basically want to tell their citizens "yeah, if you see this text after the padlock, only then you can be sure this is the German government"), but browsers aren't required to forcibly bypass all their security processes to do so, giving them back the control they need against bad actors. Firefox can still choose to block a bad QWAC or restrict the list of QWACs they approve to only a small list of government domains, should they decide the certificate authority is behaving inappropriately.
I agree actually. Which data exactly will be transported over TLS connection secured by these certs? Who said it has to be the entire HTTP traffic, why not just the traffic required for authentication? It seems very vague at the moment...
The government would be able to obtain a certificate identical to the one of the a website owner (the real one), enabling the mitm attack (for example with the help of ISPs etc).
This future is just O.K. because in the age of digital weapons what else is supposed for governments to be?
The problem is that HTTPS is too government-addicted thing while a decent anti-MITM feature might/should be just a Diffie-Hellman without any identity-preserving features, I mean just E2EE. At least for sites like HN (not banks).
Duffie-Hellman can be MITMed if nothing checks that the value you get from the other party actually comes from the intended other party. I.e., an identity check.
That's still not OK. Think about this: you are encrypting your traffic to prevent some third party from seeing/modifying it. But without authentication, you don't know who you're communicating with. So it could be that you're talking with the very third party that you were trying to protect from in the first place.
I remember the good old days when everything was HTTP. Anyways, this is really only an issue for those who has an innate distrust in their government, something most EU citizens don't have.
So that is a very selfish attitude from the poor bastards who have dis-trust from their government because their government screwed them over.
For example, in 2005 I moved next door to someone that a year later was busted for growing hennep. The Dutch government used/abused the neighbour on the other side to spy and harrass him. Even after he was arrested and convicted. Then I was harrassed in serious illegal ways because I was in the way, I lived literally between these two.
Then went on for more than 10 years!!! And the government and told the police never to respond to my calls and the justice department binned all of my police reports. And this guy was stealing from me and vandalizing things!
I forced it to court and the prosecutor deliberately made the case fail by excluding enormous amounts of evidence and lying to the judge. I member of the board of directors of the court was involved behind the scenes obstructing justice from there and that person is now the president of a Dutch court!!
These people illegally facilitated crimes against a third party innocent victim and then obstructed justice to prevent their crimes coming to light.
These people in the Dutch government would have access to the power needed to intercept my mail and would have an immoral motivation to do so.
How is that capability a good thing given this context?
Eh, I'm an EU citizen and the whole NSA surveillance program cooperation shows that my government (Denmark) can't be trusted when it comes to surveillance capabilities.
Also I certainly don't trust Hungary under their current government even if I trusted my own government.
Not OP, but it's a pretty American perspective to see Europeans as very complacent with what their government does. If not a joke, this is probably where the sentiment stems from.
In reality, people don’t have the time to read up on these issues to build an opinion in the first place. The most potent media corporations that could’ve amplified this issue for the general public are effectively propaganda machines for whoever pays the most or has the biggest guns to their heads.
It’s a sad state of affairs. Most of the public are unaware that a cage is being built around them.
But those who do have some understanding about these threats, they certainly are increasingly more distrustful.
You can't be serious. If this gets implemented, trust in the EU will be greatly reduced. And maybe I do trust the EU, but not each individual country that will implement this this?
I think many EU citizens have a distrust in other EU governments than their own, and this sounds like it would allow all EU governments to intercept all EU citizens.
From the perspective of European govs: Why should only US entities (and companies like Cloudflare, Amazon or Google) be allowed to get access to communications content ?
It’s very logical that Europe wants to do the same.
It is much, much easier to wait for someone else to do all the difficult stuff, and then write a rule that if you don't also get the same stuff that you can lock people in a box or take some of their money.
European CAs can apply to be included in the root stores, and Europeans can definitely write content-delivery (CDN) and content-parsing (browser) software.
European CAs were in root stores. The case in hand I wrote several times about is the Belgian Root CA that was in all major browsers until it was withdrawn somewhere in 2015..2017 in favor of Digicert for everything public services in Belgium.
This essentially gives a a free hand to NSA to spy non only on Belgians but also EU Institutions, NATO HQ, SWIFT and many more essential but not very public organizations headquartered in Belgium (ever heard of IPC? ENTSO-E?)
Now every government security agency dreams of having complete access to the communications of everyone so they don't go through the trouble of doing their job. First UK, now EU.
Although I'm generally closer to the EU mentality of trusting the governments more than the corporations, this aspiration of the governments is just too much even if the European governments were perfect(they are far from it).
IMHO these are good intentioned ideas by the people who are responsible of providing security, it's just that they are too narrow minded brainchild of incompetent bureaucrats.
"How easy would my job be if I was able to access the communications between terrorists/pedos/spies etc."
Yeah right, we all exist to make your job easier and that's the top priority over everything else.