12 mo. ago • 98%

EU Article 45 requires that browsers trust certificate authorities appointed by governments

www.eff.org Article 45 Will Roll Back Web Security by 12 Years

The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...

EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...

110

Privacy @lemmy.ml Article 45 Will Roll Back Web Security by 12 Years

Hacker News @derp.foo Article 45 Will Roll Back Web Security by 12 Years

110 comments

What the fuck is EU doing? Why are they trying so hard to participate in the enshitification effort?

141
Great and in 2 -3 years we find out, that someone has actively abused this security hole for years and stole whatever master key is required, to create their own fake government CA and has been spying on everyone for years. Or political opposition was imprisoned before they could act. Best is, such man in the middle attacks allow for all sorts of things, including putting fake evidence on your computer.

Oh yes, no one would ever do that every, totally never happened and won't. Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too? And will dictate rules in the EU? No one could see that happening...

Where there's honey, there will be bears.

I just hope we can create a browser plugin to deny gov CAs automatically or a browser from outside EU to block that shit. ...until your ISP is forced by law to block traffic from these.

One step closer to a great EU firewall and it sucks. Good old salami tactics. Because at some point it doesn't even matter if there are ways to mitigate this spying, if the alternative are so complicated and uncomfortable to use, that 99,999% of the people won't bother.

116
This is really bad. This is the EU taking a page out of the books of Russia, Iran, and the PRC by implementing website blocking and government-issued CAs. Europeans could be at real risk in the event of a democratic backslide.

87
You know, they are not being autocratic, it's for people's own good, to protect children and other "random bullshit go!" things.

Unless we act, we're doomed. This is the new "nobles and clergymen", only it's "riches and beurocrats".

62
What a fucking nightmare. And I thought the US was bad about trying to encroach more on privacy.

45
Where and how do we complain? This is really bad...

32
Oh HELL NO

11
That means cryptographic keys under one government’s control could be used to intercept HTTPS communication

Could someone smarter than me explain how this would be possible? Wouldn’t the browser still be able to enforce privacy between the client and origin? Or is it the case that certificates issued by these CAs could in theory only support weaker cyphers?

Edit: Some really useful explanations. Thank you!

9
Jesus, this is not about spaying. This is because browsers have history of sucking at trusting new certificate authorities.

In Spain you get private certificate on your ID. You can use this ID to sing documents and access government pages. Those certificates are signed and provided by the government institution responsible for printing money (Royal Mint). It took them like 10 years to get the root cert added to the main browsers so that people could authenticate using those certs on government pages. It still doesn't work very well and I have to manually trust certs on Linux. I think I don't have to explain why being able to identify yourself on govt pages would be great.

What's the security risk here? People really think that the Spanish spy agency would request certs signed by the Royal Mint for 3rd party domain and use those for MITM attack? When they are caught this would raise huuuuge stink, Spanish govt certs would get banned and Royal Mint would lose all credibility. I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.

9
knowing that EU commission is full of IT "campers" waiting to reimburse their mortgage and they will probably outsource the work to india (despite being forbidden), i am not really fond of the idea.

8
Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).

4
Just a heads up: new wording has killed this.

2
That's some bullshit.

1
Seems great, if they achieve the same security standards as a private company I don't see why we cannot have public CAs.

1
Surely they can't force say US browser companies to do this to browsers downloaded from the USA?

1
Fuck the EU. Fuck ruining my built in phone batteries too.

-18
Nice clickbait title, man...

It's still a proposal for now.

-22

You've viewed 110 comments.