Fortunately, they cannot forbid a natural person from removing any given certificate. If this passes, I am sure we have blacklists and scripts for these in no time.
Or, proliferation of the English (US) or English (UK) versions of browsers, which refuse to (and are not obliged to) include any of these CAs...
I suspect if this ever does play out, it could result in fewer people using "EU spec" browsers, and more people using the international overseas version, thus undermining the entire intention of the policy proposal.
It seems a pretty safe bet no browser maker would ship these CAs to users outside of the EU (and maybe EEA).
That's great if you are not going to be legally and technically required to use these EU spec browsers to be able to access your online banking or any platform registered as doing business in Europe.
EU court: serves Mozilla a court order to add the extension to the blocklist.xml file, a global blocklist of all extension IDs that users can’t install.
Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."
That text is almost a year old. The recent trilogue negotiations added paragraph 45(2a) which is not public yet (hence the complaints about secrecy) but is alluded to in the open letter (https://eidas-open-letter.org):
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.
What they should do is to create an EU CA and all countries to have subordinate CAs. Then you only have to have one CA added to the browser list that ca be added/removed at will or only added when interacting with the government and then removed from the browser.
For non-tech people I am pretty sure someone could write a program that does this automatically - like two buttons, one saying you need to access the government and another that says you don't want to access the government anymore.
These are some of the requirements: "Ability to digitally sign documents in the browser using a crypto token" and "Support for Web3". What does that even mean? This is a serious, government-backed competition?
I’m assuming this another… misguided… attempt by the security services to make their jobs easier. The grip that intelligence communities apparently have on our governments is ridiculous. Why do they have such influence?
Western security services are what we call secret police in other parts of the world. Its goal is to protect the local status quo. That's it, and thats why it can assert so much influence.
This is one of the most important and least talked about power dynamics.
This is because that world is hidden to most people but would have just 20 years ago been covered by classical research journalism, namely the intersections between power, fiscal policy, law, the security state, foreign policy and mass media or other systems of control.
Politics and policy making is downstream from mostly non public clubs of people.
Become a part of the security apparatus to gain power and draft plans for whole regions of the world and the future of society. The rest of us get to see their own self branding in Hollywood romantizations and ideological "event driven" smokescreens that cover the realpolitcal battles of power and resources that actually drive history.
That way the masses end up seeing the good fights for "Democracy", "Child safety", "Necessary financial bailouts" or "Primitive stupid people in X country need intervention" while these are all covering a big old game of Risk or Civilization ie. resource plundering, land grabs, violent exploitation of foreign markets, siphoning of wealth from the masses to the few, and panopticon-level systems of control implemented to keep dissent and enlightenment about these fact as much in the dark as possible.
Theres a reason the richest European families already took an interest in controlling the emerging postal services of several hundreds years ago just like early pamphlet media but somehow these very old facts have been so memoryholed everyone thinks we live in a somewhat meritocratic or even democratic society these days.
Probably not really. The EU itself (at the Brussels level) doesn't have much of an intelligence apparatus. One exists but it's small and weak compared to the likes of the NSA. The most capable was GCHQ but of course that's no longer a part of the EU.
The EU likes passing internet related legislation because of:
1. The politics of it. It involves the raw exercise of power over people who are easily bullied and that they don't like much, namely successful American companies. The EU loves passing extra-territorial laws and seeing people jump, it makes them feel like a big power bloc which is the whole aim of the EU project to begin with.
2. The revenue from it. Tech companies either fight or they try to obey, but the laws are vague and easily reinterpreted. This yields massive fines which go straight into the EU coffers, money which is then spent on purchasing loyalty both of the elected political elites (via post-election-loss sinecures and enormous "pensions" that start being paid out long before retirement), and the population itself (via EU branded projects and grants).
3. The unaccountability of it. EU law is created by the Commission which does whatever it wants. By treaty it is accountable to nothing except itself and it is the highest power in Europe. In that situation why not spend all your time on easily achieved upper-class luxury agenda items like internet regulation, which feels futuristic and cool, instead of messy stuff that bothers the regular citizens like illegal immigration, where you don't want to do it and failure comes easy?
That's why there's a constant flood of tech-related regulation coming from the EU. Seeing this specific act in isolation is a mistake, it's just the continuation of a long term trend.
The en commissioners are appointed by the eu heads of state (one each) and subject to confirmation from Parliament (congress). Somewhat analogous to the US exec branch.
The commission President is proposed by the council (the heads of states) and appointed by parliament.
I’m not aware of the EU arresting random US citizens for breaking laws like the gdpr, you’re thinking of America and the DMCA
That's what they claim, but in reality the President of the Commission rejects any Commissioner they don't like. This isn't meant to happen but eventually Juncker admitted that he did it all the time, and that this was considered normal.
So the Commissioners are in reality selected by the President.
This problem appears in every HN thread about the EU or its activities. People argue that it's a legitimate democratic structure based on how its treaties say it works, but the treaties aren't followed.
It’s intriguing to observe this phenomena on HN where any posts critical of the EU will get downvoted, even though it is natural for any country or block to try various means to show or enforce its power.
And before someone says otherwise, I’ve seen this playing out hundreds of times.
It got downvoted since it says this regulation isn't made to spy on people. People want to believe it was made for a sinister purpose and not just due to naivete.
If you look around you see plenty of people that gets upvoted and are critical of EU, so that isn't it.
We had a recent MITM on jabber.ru[1] conducted by Germany, a EU state that was only detected because they failed to renew the MITM cert. I have no reason to believe making this easier isn’t one of the goals of EIDAS.
Eurosceptics aren't welcome here and will usually give up rather than burn karma and get throttled.
If you spend time in central Europe you'll see why this occurs. Some people have incorporated the EU institutions into their personal identity. People will call themselves European Citizens although the EU doesn't grant citizenship. Businesses will be called Euro-this or Euro-that for no obvious reason. You can catch the Eurobus to go ride the rollercoasters at the Europa Park then meet their famous mascot Ed Euromouse. This stuff is everywhere.
And in some ways, it is understandable. The 20th century was wracked by wars between different European empires or countries. The assumption at the core of this movement is that if everyone has the same social identity and is ruled by the same government, then everyone will hold hands and there will be peace on Earth. Or at least that bit of it.
But you can't force unity on people. It has to develop naturally, through shared experiences and cultures. Unfortunately the vision is so enticing that the political and credentialed classes in these countries don't want to wait, and so attempt to enforce it from the top down via schemes that eliminate democracy in favor of power transfers towards the Right Sort Of People, the type who "get it" and who can then rule unchecked without needing to answer to electorates. This is deeply corrupting, but because it's an identity issue when this is pointed out people feel their personal identity and whole progress story is under attack.
The post was typical anti gov tin foil hat nonsense. You see the same types of posts from people who like camping out on compounds in the mid west complaining about “the feds”
Laws are not created by the commission. Laws can be proposed by the commission, but must pass an unanimous vote by the council (made up of a representative of the government of every country) and pass a qualified majority vote in the EU parliament.
The council also uses qualified majority voting and has done for nearly a decade.
The Commission is the sole source of legislation. The Council cannot change EU law against the will of the Commission, so in practice it's a rubber stamp body that just always votes yes to everything.
This is what I'm saying in another comment: HN is flooded with incorrect claims about how the EU actually works, always in the direction of making it sound more accountable than it actually is.
There is nothing there that says every service must use specific certificates, just that browsers should accept certain ones. So this in no way breaks encryption for apps who care, this only reduces security on apps that wants to reduce security.
For example, if you use private "e2echat.com" it can still use safe certs and be safe, the risk is only that "governmentchat.com" will use bad certs, which was already a risk.
If "e2echat.com" has no method to explicitly forbid your browser from accepting eIDAS certs (via a DNS record or something) then your browser will just blindly accept the compromised cert when attacked.
This forces browsers to accept all the CAs approved by the EU states, and you can be certain that some of them will be used for decrypting (and if needed modifying) the traffic
And then you can just tell the browser to not trust those CAs and you are safe. This is nothing like "chat control". This only lets the government spy on people who don't care if the government spies on them.
Why shouldn't you be able to do that? Seems like a simple thing to implement. I get why they want a hardcoded list, but I don't get why you can't add a way to block parts of that hardcoded list.
The only requirement is that browsers displays the data. The browser can add "warning, this certificate is potentially compromised" when it displays it, nothing in the current document says browsers aren't allowed to say that, just that the browser has to be aware of the certificate.
It is similar to how Chrome displays a warning when you visit some sites. You can visit the site anyway, but you get a warning since Google thinks it is bad.
Technically correct. But if Firefox displays a big red warning when someone's grandma goes to her favourite recipe website, and Safari (or Chrome) just display the website to grandma (and to the officer on duty, but who cares) - how long will Firefox survive?
Wouldn't a client certificate from e2echat protect that kind of attack ? Since even when a man in the middle offers u a server cert u accept, the e2echat servers can't validate the client certificate from you anymore
(Still bad but would at least protect connections from ever talking to e2echats servers)
Governments still can't see your requests to servers under normal circumstances with this law.
The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at "e2e.com" when you are on another site, and in those cases the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.
So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
"The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at e2e.com"
That will be (or already is) done at ISP level. It will probably be fully automated, where they just put a court order number into a form, and it automatically just catches all your traffic in gear that's installed at the ISP.
It is only undetectable if the site actually uses the vulnerable certificates. Otherwise you can see that the government is spying on you since the browser tells you what certificate it got (Telling you what certificate was used is a part of eIDAS). There is no way the government will replace certificates like that on an automated basis, it is too easy for people to notice and make a big deal about.
If a nonprofit like Let’s Encrypt can perform automated certificate renewal with a few API calls, so can the government.
Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.
That has nothing to do with this, I don't think you understand this vulnerability. You can see which certificate authority issued the cert, so you can see if the suddenly the site started using a vulnerable cert provider and thus know that it is compromised. Note that the same attack is possible right now, the only difference is how your browser displays it, you can just install a plugin to get back the original behavior if you want. So this in no way prevents you from secure browsing.
TLDR: If you are worried about security you can always install a plugin to get back the old behavior. This just says that browsers should be able to trust them, not that you have to configure your browser to trust them.
These certificate authories will also issue legitimate certificates btw, the regulation explicitly encourages local states to use them for their services
First, few people would know that they should install a plugin, second, since the laws says that browsers "shall ensure", there's a good chance that they would be forced to try to block these plugins
There's probably at most one person every ten millions who uses add-ons displaying each connection's certificate authority; and even them will likely not notice anything if it's only done to them occasionally (not to mention that absolutely no one checks the connections used to download third-party stuff, to my knowledge).
Yes, because CA level attacks are basically nonexistent and not a very big deal since they require you to control the targets internet connection.
The moment people learn that the US government could control a CA and your internet provider to spy on you maybe that will change. But as is people think it is too much work for governments to bother with it.
> Yes, because CA level attacks are basically nonexistent and not a very big deal.
I'd call that bs, CA level attacks are very unlikely to be detected, so we know little about their prevalence.
(you edited your comment to add... that it requires you to control the targets internet connection?? And "the moment people learn that thenUS government could control (a CA) and your internet provider to spy on you maybe that will change
With tls becoming ubiquitous they're now indispensable
> the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.
Oh that's SUCH as an insignificant difference!!!
> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
You can simply relay the requests to the original site/"webapp", no need to build one similar
There is no way for e2echat.com to make sure that the client will insist on a certain safe CA. Sure, in case e2echat.com controls all clients this would be possible, but this is a rare case.
In the general case, any CA can sign any website certificate. So all those new government CAs can sign all the man-in-the-middle certificates they like, and browsers are obliged to accept them. Nothing the website can do about that.
There are ways to pin certain CAs via DNSSEC and TLSA resource records in DNS. But browsers ignore those, and even if they didn't, the same EU proposal also specifies government DNS manipulation.
You still wont be able to break the end to end encryption of a site. You can only intercept traffic that the server can read, you can't intercept traffic that are encrypted end to end.
And if the site can see your data assume the government can see it as well, they can get it with a warrant.
Website-based end-to-end encryption isn't usually. In most cases, the "e2e-encrypting" website will deliver the Javascript that does the "e2e-encryption", which can easily be manipulated to provide a copy of all messages to some convenient third location.
A warrant will maybe warn the site and the user that something is going on.
A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.
> which can easily be manipulated to provide a copy of all messages to some convenient third location.
Updating others javascript as a proxy isn't "easily".
Also if the government goes all this way to tell each internet provider to spy on people, why do you think they couldn't tell certificate authorities to spy on people? It is the same level. I wouldn't be surprised if many CA's in USA already does this.
It is "easily", because current commercially available "firewall" appliances include that kind of capabilities. Just a few clicks, install a CA certificate, add a logging endpoint, done. Certain regulated industries like finance and medicine are required to use those. All chats are instantly intercepted and logged.
And the way to spy on people via a certificate authority is exactly as described, you get a CA that signs your man-in-the-middle certificate for a website you do not own. Then you MitM that traffic using that certificate, while still getting a green "lock" icon.
With current WebCA certificates, certificate transparency does help a little to detect such MitM certificates, and some CAs have actually been caught red-handed. There are processes to punish or remove such CAs. However, this law would also prevent such actions, thus making it impossible to prevent any future malfeasant CAs.
Maybe browsers shouldn't hardcode those things? If they let you blacklist CAs you could do that yourself or via a plugin. There is nothing preventing browsers from implementing that, and have a one click button "don't trust compromised CAs". Could even had that during install as a toggle, would satisfy every legal requirement.
If this means users gets more power over what CAs to trust then that is a good thing.
You can manually distrust hardcoded CAs in all common browsers. But even now, this is rarely used because it is tedious, there are roughly a hundred active CAs.
And depending on how that law will be interpreted by courts, manually distrusting might be considered illegal.
> manually distrusting might be considered illegal
It is just a display change, all the law says is:
"For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner."
I don't see how adding a warning icon or block icon instead of the lock hurts would be banned. To me it seems like so much here is based on baseless assumptions.
I would also urge you to refrain from using terminology such as "baseless assumptions" when your own assumptions are so easily refuted by directly reading the text of the proposal.
> If this means users gets more power over what CAs to trust then that is a good thing.
Do you really think your average user is going to go into the browser and manually distrust root CAs? We have learned again and again that good security is "secure by default", not "secure after arcane configuration".
If certificates issued by those CAs will be tied to independent (from EU) certificate transparency (CT) services and to specific national top-level domains, then I am completely fine with this. After a big number of websites in Russia (including the biggest bank in the country) have effectively lost access to the CA infrastructure used by commonly used browsers, I don't think any honest person can say that the current status quo is robust enough. So it looks like EU simply hedges against this potential infrastructure risk.
To mitigate the MitM risk I believe that CT and limiting CA to specific top-level domains (so a hypothetical RU CA would not be able to issue certificates for .eu or .com) should be sufficient enough.
Re: Russia - SberBank, which is used by the vast majority of population, voluntarily switched to a new Russian government-controlled CA. This move aimed to coerse people to install this CA's cert under false premises and to let the state splice https if needs be. The goal was bloody obvious and it has never been about the "robustness" of infrastructure. They just want to take away people's Internet privacy.
I hope you are simply not familiar with the situation and not FUDing around.
The "false premise" was that GlobalSign has refused to issue new certificates for Sberbank and there were several cases of CAs revoking existing certificates. They eventually have found a CA (Harica DV) which was willing to issue new certificates, but it was not clear at the time that such CA will be found and the new certificates can be revoked at any moment after a new wave of sanctions or simply after a strongly worded warning from Washington or Brussels. Relying on a relatively minor Greek CA for bank operations is clearly not a good strategy in their situation.
So what happens to open source browsers? Will they be forced to implement it? Are the governments going to audit the code to make sure no one is releasing a version that has removed the government certs or are they going to outlaw open source browsers?
Again, this is not going to catch anyone with half a braincell that is trying to do something. This is just going to catch everyone else.
I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblockers etc. making it so you can't navigate the web if you are using a uncertified browser.
> I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblocker
Very likely, yes. Also note that a similar client-side CSAM scanning feature was rolled out by Apple with a similar anticipation, and shortly after we saw the proposal of Chatcontrol and the like.
How will this be enforced? If Mozilla or Google added some hard coded certificate into a new browser version, what if a distribution like Debian patched it out? Or if a user can delete it from the certificate stores themselves?
People get very hung up on what people can technically do, but the domains of the browser or OS that doesn’t follow these rules will simply be blocked at the DNS level so that you can’t download them any more. The relevant entities such as companies developing or using said non-compliant projects will be fined, and any natural persons jailed outright, à la Stallman’s The Right To Read.
He might be right. Browsers come with CAs from EU states (or agencies controlled by states) for the last 10 years (at least). I work for a public admin in Spain and our site uses one of such CAs and browsers accept it without problems. So I believe that eIDAS has to do with personal identification rather than TLS.
It's not. Read the documents linked to from the article. The law clearly refers to certificates with domain names in them, not client certificates. Actually the bigger impact of this seems to be that you wouldn't be able to host websites anonymously anymore, making WHOIS privacy meaningless, because the law appears to mandate that all certificates contain legal identities in them.
Annex IV:
Qualified certificates for website authentication shall contain:
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and:
—
for a legal person: the name and, where applicable, registration number as stated in the official records,
—
for a natural person: the person’s name;
...
(e) the domain name(s) operated by the natural or legal person to whom the certificate is issued;
It is interface between webservice and member state for sending authentication data to member state for purpose of auth. Think OAUTH so webservice does not have to save any auth data.
So you don't need to know anything to use all-caps and throw around LIARS.
Article 45
Requirements for qualified certificates for WEBSITE AUTHENTICATION
1. Qualified certificates for WEBSITE AUTHENTICATION shall meet the requirements laid down in Annex IV. Evaluation of compliance with the requirements laid down in Annex IV shall be carried out in accordance with the specifications and standards referred to in paragraph 4.
2. Qualified certificates for WEBSITE AUTHENTICATION referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for WEBSITE AUTHENTICATION referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services.
I believe that the stated/claimed intent is to create cross-country, bloc-wide digital signature interoperability and acceptance standards. The theory being that you can "digitally sign" things with a national ID (e.g. a smart card), and have that recognised anywhere in the EU. That would, in theory, help to reduce and simplify bureaucracy, especially for people moving between countries in the EU (a process which can be quite complex even with freedom of movement, due to totally different cultural norms around government systems, forms, languages, etc.)
Something better than typing your name and trusting a third party to do email verification for a digital signature certainly sounds like it could have advantages for doing business though.
I believe the issues identified here seem to stem from a (very) over-enthusiastic desire to have certificate acceptance everywhere (i.e. prevent discriminating against one country's citizens by excluding their ID card CA), without understanding the different types of trust chains and certificate chains. Presumably scattered with a bit of technical naivety as well. The concept itself is (probably?) fine, as long as it doesn't try to force browsers or SSL verifiers to accept or trust certificates they don't want to.
Indeed: the goals are justifiable and very much welcome, in my opinion. Yet, I do not understand what CAs and the global TLS/PKI ecosystem have to do with the goals.
> Yet, I do not understand what CAs and the global TLS/PKI ecosystem have to do with the goals.
Technically that is also digital signing. The regulators probably thought that all kinds of digital signing should be included in this bill and just slapped something down for browsers while they were at it.
My guess is that someone saw the value (rightly) in being able to do "good" digital signatures on the web (better than docusign in terms of integrity/proof), and that meant (in their head) those certificates have to work in the web browser.
Which, if you don't understand web trust and PKI, means a bit of searching online will tell you that you need your browser to trust the CAs you use for digital signatures.
Which is of course not true - you can (and should) present an "untrusted" (i.e. not a server authentication) certificate as your client certificate or for signatures, as there's different trust bits and use-cases for different kinds of certificates.
I suppose this is the first step towards a stricter kind of the German "Impressumspflicht". Currently, if you are operating a website in any kind of (even most remotely) commercial function, you need an imprint. Lacking one, you get nasty expensive letters from lawyers and courts. At the moment, this imprint is just a text on your website.
With certificates from a government CA containing your name, address and maybe other data like tax ID, the certificate becomes that imprint, digitally signed and hard to fake. So I guess the next step after this directive is in place will be to require such government certificates for all European websites instead of the usual domain-validated WebCA ones. For a modest fee going into the pockets of some government cronies, of course.
A key idea behind all of this is to sell "qualified certificates". Which is another way of saying "expensive certificates".
In the past, CAs sold EV certificates which gave you a nice green look in the browser bar and no security advantage (arguably security downsides, because you cannot automate it). That was good business, until browsers decided that this makes no sense and scraped any special treatment for EV certificates.
The "qualified certificates" by the EU are essentially EV with a new name.
>Which is another way of saying "expensive certificates".
True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emited by anyone but them are not good. And obviously they fully controll the pricing for the "good" certificates.
> True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emited by anyone but them are not good
For very specific needs like electronic signatures, "seals" and an interesting one I hadn't heard before, timestamping (proving that an electronic document has existed at that timestamp), not for general computing.
Also, considering Bulgaria has 5 CAs on the official list, with 2 others as potential, the claims of a shady cartel of "big Cert" being behind this is laughable.
EU bureaucrats are annoyed that ~100% of the trust decisions are made outside the EU (given that majority of browsers and the trust stores like Microsoft, Android, Java etc., are operated from US). They see it as the issue about the third part of security triade of confidentiality, integrity and availability. In short, they fear that EU company can theoretically be put out of business on a whim of US entity which is unaccountable to EU poeple (by revoking the cert in case of e-commerce, or trust bits in case of CA, or "TSP" as it's called in eIDAS). Hence the prohibition from distrusting certs unless ETSI (which is accountable to EU people) agrees.
Most of the commenters here miss the point, because they concentrate on confidentiality and integrity (cf. any post about MITM). They are of course correct that this creates capability to intercept TLS connections. They still miss the point that EU bureaucrats see it as reasonable tradeoff (which I don't think it is, but that's their POV).
The following quote from former Jean-Claude Juncker, president of the European Commission sums up the way the EU seems to work quite nicely:
"We decide on something, leave it lying around and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back."[0]
“it is a historic mistake to not want to tax at the appropriate levels the profits of multinational companies which act globally and don’t pay the taxes they owe.”
- Jean-Claude Juncker ...Prime minister of ....Luxembourg
The worst part is that this is still better than how most governments currently work. At least there is a chance to give feedback.
Also, keep in mind that this is in the context of getting all member states of the EU to agree on something. People kicking up a fuss is the default situation because of conflicting interests between different states.
Make no mistake about how I feel about this though: it's still pretty horrible even with that context in mind. And as graemep pointed out the rest of the quotes on that page will tell you all you need to know about Juncker too.
I think the worst part is, that most governments work like this, but only some can dare to speak about it in the open. Now why could Juncker speak so open? Probably because he is quite disconnected from the democratic election process ..
I mean, I certainly did not vote for Ursula von der Leyen either.
She was nominated by the European Council (=Heads of gov't of EU countries) because the EU parliament is a divided mess and the leading parties have no internal cohesion whatsoever. Parties at the european level are disparate coalitions between national parties and MEPs follow the national party line. The decision was made by national governments and rubber-stamped by the parliament.
This is fundamentally different from how a PM is voted in a traditional parliamentary system where an MP leads the party during the election process and elected as PM after a clear victory or negotiations between MPs.
Having a prominent MP leader like that is one of my second least favorite part of parliamentary governments[1]. Politics and governance aren't so simple that one person will ever be found that fairly represents the majority of the populace because the majority of the populace can't agree on multiple things. It's better for the majority of the power in governments to be devolved down to MPs voting on matters with the executive branch just being a formality for PR on the local and international stage - as well as being entrusted with emergency powers if we ever need to get anything done.
We're a people with a wide spectrum of beliefs - we should be represented by a wide spectrum of MPs... never by a single voice.
1. My first being whenever a single party actually wins a majority.
> We're a people with a wide spectrum of beliefs - we should be represented by a wide spectrum of MPs... never by a single voice.
This is a fair statement. I'm not from the EU but I think it's true for basically any society. Also a lot of the dysfunction in the EU is obviously by design and it's supposed to instill cooperation and deliberation between different stakeholders.
Still, in politics "getting things done" is very important, imo much more important than representation because the main job of a government is to govern and a fairly balanced government that fails to govern will lose support very quickly and become unrepresentative/useless. Also if someone can't get things done, others will do it and force their hand, like the case of the election of the EU commission president. Or practically everything the UN does.
The good thing about a government by a single party or a well defined coalition is that you know what they roughly stand for, what they don't stand for, who is for them and who is against. You can support them or vote against them. In an election one side wins. Being an incumbent is difficult so in the next the other side wins, they are supposed to balance each other that way.
What is the alternative of a de facto coalition between the right, center-left and liberals? Which of these is really in power? Who are you going to vote for if you don't like where the things are headed?
Looking at the EU parliament (or the parliaments of many EU countries) the main alternatives are fascism-lite and actual fascism. That's the risk of plethoric supranational governing bodies like the EU or very large coalition governments, they rob people of viable democratic alternatives.
I think you pointed the defining aspect here. Having many opinions is inefficient but representative. Having one winner is efficient but lopsided. You can't have the cake and eat it, so each society had to decide which way (and revisit the decision over time).
I was not very clear on what I meant, sorry for that.
I meant that whatever the government metaphorical "you" voted in, has voice in EC.
In fact current Lisboa treaty came into effect after previous reform attempt was torpedoed in part for "taking away sovereignty" by giving more power to European Parliament vs European Council - where the national governments have power.
> People kicking up a fuss is the default situation because of conflicting interests between different states.
In some cases less between the states and more between gonvernment and people. The european parliament is elected by the people. But many important matters are defined by the comission consisting of representatives of the member states governments.
Of course the different governments are also elected. But as part of the comission they can act against the will of the people and later blame the EU.
But the plans were on display…”
“On display? I eventually had to go down to the cellar to find them.”
“That’s the display department.”
“With a flashlight.”
“Ah, well, the lights had probably gone.”
“So had the stairs.”
“But look, you found the notice, didn’t you?”
“Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.
The interesting part with the EU is that all policy (proposed and accepted) is actually all organized, findable and out in the open on the internet (and even translated to all official member state languages IIRC)... if you have the mindset of a bureaucrat and know the system.
I know because my ex did European Studies and knew how to navigate those websites. I for the life of me cannot figure out how she did it if I try now.
EU website makes the IBM and HP websites seem user-friendly and easy. I tried engaging with some of the Open Source stuff a few years ago, and I definitely felt like I needed a "European Studies" PhD to be able to navigate all of that.
A really good friend of mine created the first version of eur-lex.europa (hopefully it's that one, it was a website for lawyers to find European legislation and case law), he barely finished his first internship at the time, only had one true web project on his belt (and two weeks of intensive formation), and was spectacularly underpaid (not for his inexistant qualifications, but for the work he did).
I thought he did a good work, but I was a student too so maybe I was just impressed with basic stuff (highly likely).
TBF, when my former partner explained the system to me, it did feel like a lot of the complexity was inherent to the problem of what the EU as a project is trying to achieve. It is not a trivial problem to solve.
Another issue is basically the legal analogy of how certain difficult programming languages impose a selection bias on who actually is willing to learn it, which then leads to an echo-chamber culture where most people underestimate the issues with the programming language.
Sounds like it might be a good web-scraping project for a civic-minded group or individual: scrape the sites, unify and organize them into something more approachable and discoverable.
I know in the US we have orgs like Code for America and events like National Day of Civic Hacking. Does the EU have similar groups and events? I wonder if this could be presented to something like that.
As someone else said, sounds like an interesting project to scrape, organize, and somehow "re-surface" that data in a much more accessible manner (how? I don't know; I've never done such a project before).
Obviously it should be said that such a project shouldn't be needed in the first place in an ideal world, but it does sound like something I might be interested in chipping in regardless (and a great learning opportunity).
There was an episode of the Mark Thomas Comedy Product where he describes how they were trying to find the spending habits of EU MPs, but they were in a basement with no electronic devices allowed, so they hired an army of students to run up and down with notebooks and pens and relay all the information to more students upstairs who had to type it all up and put it online.
It's a market of nearly half a billion people, two-tier browsers seem more likely. IIRC Netscape did this in the past over US export laws on cryptography.
If it gets to that point, one alternative would be creating some ad-hoc non profits that are on paper not controlled by them (but in practice they are) and then giving up the control of their respective browsers to said non-profits.
But it won't get to that point. I don't really think the US government would be ok with a regulation like this, either, and they have even more bargaining power than tech companies.
Very concerning. As a slight aside though, it is not a "secret law". All EU laws are published on its website in every official language, and the vast majority of laws (including this one) must be publicly ratified by the directly elected European Parliament before coming effective.
They should tone down this kind of sensationalist clickbait that I would expect to find in UK tabloids. They probably think it helps them impress the urgency of the matter on the public but frankly it just makes me doubt the veracity of the claims made in the article (though in this case I trust Mozilla and would hope that they are not misrepresenting the content of the law itself).
I don't think "classified" is the right word, but they haven't been published. They were leaked to various third parties, who got them to Mozilla / EFF / the other folks writing letters of protest today. Those parties haven't published the full text themselves, to protect the identity of the leaker.
> and will be presented to the public and parliament for a rubber stamp before the end of the year
That's not how the EU parliament works, they're not just a rubber stamp. The topic is sufficiently grave without the need for clickbait and painfully obvious exaggerations.
As I understand it, the EU Parliament engages through the trilogues. Once agreement has been reached there, final approval is indeed more of a rubberstamp. (But: I'm just somewhat interested in the subject; I'm not an expert on the process.)
Once an agreement has been reached, the Parliament can still reject the proposed law (which can easily happen because a conciliatory committee does not represent all the factions in parliament and of course public outcry/petitions can change opinions).
You’re conflating two things. Yes, the EP CAN reject. In practice, it rarely ever DOES.
How the democratic process actually works is important. Public outcry often happens after something becomes LOCAL law (i.e. a few years or months down the road) implemented in a member state. The usual defense from EU-enthusiasts is then “you should have engaged in public debate, it’s too late now”. That should tell you something about the visibility and publicity of the process.
For anyone who’s about to say that surveillance isn’t the point of this legislation: it definitely is; we very recently saw Germany trying to MITM jabber.ru users[1], having a CA that can be asked to issue any certificate is definitely something that’d be used for surveillance purposes.
eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards. Maybe the clause where they say browsers has to add specific CA's is for spying, but eIDAS in general isn't to help spying its just there to help unify all the different electronic certificate services in EU.
For example banking, signing official documents like grades from school etc, all of those usecases are a part of eIDAS. That is the core of the standard and there you really want to see all the certificate information to be sure it is the right origin, since unlike browsers there is no list of trusted CAs, you just see that some organization accepted it.
Edit: Browsers already had their own standard that they think is better than eIDAS, so they don't want this to apply to them. But Occam's razor says that EU just added "and browsers should also do this" instead of there being some conspiracy behind it, it was simple to just add everything instead of leaving just browsers out.
> Browsers already had their own standard that they think is better than eIDAS
Unlike the Browser/CA forum
rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
> "and browsers should also do this" instead of there being some conspiracy behind it
The law isn’t RFC 2119 where there is a distinction between SHOULD and MUST: the law is all about what an entity MUST do, so bringing up “should” in this context isn’t helping the point you’re typing to make.
I don't get what your point is here, you said this and that is what I argued against, your points here does nothing to defend this: "For anyone who’s about to say that surveillance isn’t the point of this legislation".
> Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
I didn't say this was subjective. My argument was that it is easy to see why EU would do this without having surveillance in mind. They just wanted all certificates to follow the same standard, the main part of these standards were document signing and they thought web sites are documents so we add them as well to the standard.
> so bringing up “should” in this context isn’t helping the point you’re typing to make.
I didn't make a distinction between should and must there, that wasn't my point at all. What was hard to understand there? This bill is first and foremost about document signing, and then they added a clause that it also applies to browsers. That is the main part of my argument.
A bill that first and foremost targets document signing doesn't seem like it was obviously made to add spying on browsers, if that is what they wanted they would have labeled it "web protection bill" or something like they did with the chat one, they aren't afraid of saying it is about spying when that is what they want.
More healthier approach for the EU to get e.g. the document signing to a single standard would be
- Make sure there is an open standard (is there?)
- Fund and promote its open source development
- Have an industry lobbyist non-profit to onboard individual businesses
If the goal is to ”promote standards” the way this is being done does not seem to be aligned the 50 years of software industry standard development, with the examples like TCP/IP, PNG, AV1 and so on.
> eIDAS exists since there are many conflicting standards for electronic certificates. eIDAS is an effort to unify those standards.
Did we need laws to "unify" all the standards we successfully use today, like IP, UDP, TCP, HTTP, TLS, Certificate Transparency, HTML, ECMAScript, CSS, DNS, DMARC, DKIM, SSH, etc.? Laws are not the right tool for this. And law makers don't have the necessary expertise.
It’s either laws or market forces, both have drawbacks.
While eIDAS seems like a great idea to coerce member states into adopting a common standard, it just also happens to sneak EU-centralist ideology in, and total digital surveillance is the 0th application of that ideology.
The big catch with EU is: once you opt in, opting out is very difficult.
There are also great many standards we use today that were unified and enforced through laws.
Open any law on produce, construction, cars, industrial equipment (and a million others), and you'll find thousands of specs and standards mandated by law, and for a reason.
University grades are standardised already. This is useful because it allows people to work in other countries, digitally signing them prevents fraud.
This is just one use case for eIDAS, then you have things like interacting with different government institutions, banks, et cetera, et cetera.
There are a lot of people who live in/work/visit other EU countries as is their near absolute right. We should therefore standardise technology on the EU level to make their lives easier.
Alright, so I am not a security researcher so actual security researchers may not share my views. Also, as mentioned in the site, the full text of the new regulation is not public yet. And finally, I have only skimmed whatever text is available given that it's over 100 pages and I skipped over most of the EDIW stuff (it's a really complex system that I can't understand/audit in 20 mins).
But with that out of the way, no I don't have any other complaints, I think the regulation is generally a move in the right direction.
Since you obviously ignorant of how it works. When you get a degree you get a transcript where all local grades are translated to to ECTS, which you then would use to apply for jobs. Of course in the tech industry grades or even whole degrees are generally disregarded but in finance and other fields they of course, are.
The diploma comes with an explanatory supplement (at least mine does), so employers don't really need to know about it, they just need to read (and maybe they won't do that).
Job applications in Europe typically list a degree that is required, rarely the score that an applicant is expected to have received. Nonetheless, ECTS scoring is nowadays awarded to every degree that is obtained in a country that is a signatory to the Bologna accord. To answer your question, it is an established standard.
> since unlike browsers there is no list of trusted CAs,
This Trusted CA is such a lie. I mean we all know that Google, MS etc does ugly things with user data but apparently we have no objection to trust them with cryptography.
A proper solution for MitM is mandatory independent certificate transparency, not outright denial of national CAs support in browsers. A German National CA should not be able to issue certificates for .ru in the first place and having a clear record of misbehavior in CT is probably not something operators of such CA would like to have even when pressured by intelligence agencies.
Browsers should get their shit together and add proper support of domain-limited CAs and add optional whitelisting of CAs for given websites.
> Browsers should get their shit together and add proper support of domain-limited CAs
They do in fact support this - e.g. Mozilla trusts KamuSM only for .tr [1], Chrome limited ANSSI to French TLDs [2].
However, there is no indication that the EU would be willing to accept such constraints on their national CAs. If you look at several of the current national European CAs, they routinely issue for generic TLDs like .com.
CAA records only apply at the time a certificate is issued, and they only need to be considered by CAs. If the CAA record is changed later, all certificates that have already been issued continue to be valid, even if the new CAA record does not allow the issuing CA anymore. So looking at CAA records would be useless for browsers anyway.
Browsers do have this, although this measure is only selectively applied for certain CAs where misissuance has been an issue (There was a Indian CA for which this was used, need to look around MDSP for the link. I’ll post it shortly.)
Historically, root constraints were only used in response to misissuance, but more recently, KamuSM voluntarily limited themselves to .tr when they applied.
But it doesn't enable covert surveillance. Even without Certificate Transparency, the change in server certificate is visible to the client. Initiatives like Let's Encrypt could make it visible to server operators, too. The browser UI will present those new qualified certificates and existing certificates differently anyway, so I'm not sure if this is going to work.
The bigger issue is that for this in order to work at all, the regulation must have provisions for issuing fake assertions of existing identities to law enforcement and other security services. The predecessor didn't seem to have that. This is different from providing fake identification documents for undercover operations because as far as I understand it, those use are usually mostly made-up and do not impersonate another person.
We would have to read the actual text of the proposed regulation to know the details, but both sides (legislators and those fueling the outrage machine) do not really want us to form our own opinion and hide the draft text from us.
Unfortunately this isn't how it works in practice.
Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings.
Let's Encrypt doesn't help server operators see this; I really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs!
The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!".
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
Seems like some politicians from EU commission had parents in Stasi, KGB and other organisations and became allured by the stories of watching other people, learning they secrets or perhaps even seeing their naked photographs.
It is a digital certificate standard. Browser certificates is only a tiny part of it, that wasn't why it was made. Having a standard for digital certificates is a good thing, it makes it easy to switch document signer provider etc since they all are forced to implement the same interface.
The ETSI checker you have linked doesn't have anything to do with CA API interoperability and "switch document signer provider".
That's just a basic tool which validates if a signature is PADES/ETSI compliant or not.
The real value in eIDAS would be "unlocked" if they would release a proper API specification with which a digital signatures application would integrate with any EIDAS CA to emit/sign certificates. And then enforce that any eIDAS compliant CA would implement this API.
In practice that means any company/digital signatures product could do a integration with this API once and then be able to use ANY certification authority they want/need/offer best prices for certificates.
Without this API, eIDAS is just a marketing moniker because the power belongs to the selected Certification Authorities. They set the prices, they choose WHOM can integrate with them to isse certificates and there is NO interoperability between them. This doesnt allow for a open market and makes the top players control everything while shouting "standards" and "eIDAS".....
>In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".
article 25 of EIDAS 1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
Why is that website using a domainhack (with a non-EU ccTLD) rather than a proper .eu domain? Doesn't exactly inspire confidence that these people should have anything to do with security standards.
I’ve read enough mozilla.dev.security.policy threads along the lines of “but we’re a qualified eIDAS CA (erm, TSP)! — but your audits, key management, and issuance controls are all crap! — but eIDAS!” that I feel that it might, in fact, be partly an attempt by CAs to ensure that they can’t be kicked out of browsers at the browsers’ discretion, or even have to obey CA/BF decisions. It certainly appeared that the fuss around QWACs got much louder as the EV UI downgrade progressed.
Maybe it wasn’t the original intention, but right now, even ignoring the surveillance angle, I feel that it would be a major downgrade to the post-Symantec state of the Web PKI. In particular, the process for getting a CA disqualified or inconvenienced in any other way seems to be so onerous as to be basically intractable, especially if you, the relying party, are not in the EU. As far as I can tell (but here I can be wrong), as a relying party you don’t even have standing to do anything about it—it’s considered to be solely the business of your country’s government, and if the government body doesn’t care (see: Facebook and the Irish DPA), tough, guess you’re a single-issue voter now.
Which https proxy you're referring to? HTTP proxies capable of forwarding HTTPS just offer HTTP CONNECT method, which allows client to tunnel regular TCP connection and HTTPS inside it. These proxies do not do anything with certificates.
That's illegal then. But the pihole won't do the trick, you need to remove the mandated certs from your browsers certstore. If these certs are used for legitimate places (e.g. EU or state websites, and I'll bet they will) you then will get a certificate error.
Of course there is still HSTS, but that's not supported by all tech using TLS.
313 comments
[ 2.9 ms ] story [ 263 ms ] threadFortunately, they cannot forbid a natural person from removing any given certificate. If this passes, I am sure we have blacklists and scripts for these in no time.
I suspect if this ever does play out, it could result in fewer people using "EU spec" browsers, and more people using the international overseas version, thus undermining the entire intention of the policy proposal.
It seems a pretty safe bet no browser maker would ship these CAs to users outside of the EU (and maybe EEA).
The EU is playing the long game here I believe.
Edit: rest of world might be fine(big maybe, these things have tendency to proliferate),eu citizens... screws are tightening.
https://data.consilium.europa.eu/doc/document/ST-14959-2022-...
Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."
Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".
Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."
> The proposed legislation also prevents the introduction of security checks when verifying the certificates used for encrypted web traffic in Art 45, (2a). As written, this language requires that the EU’s website certificates not be subjected to any mandatory requirements beyond those specified in ETSI standards.
This is awful, as it would forbid browsers from requiring Certificate Transparency, or banning a weak hash algorithm (like SHA-1), or requiring post-quantum keys unless the EU agrees to it.
For non-tech people I am pretty sure someone could write a program that does this automatically - like two buttons, one saying you need to access the government and another that says you don't want to access the government anymore.
₹ 3,41,00,000
This brought me to discover the Indian numbering system [1] , another brick on the "localization is hard" wall.
https://en.m.wikipedia.org/wiki/Indian_numbering_system
This is because that world is hidden to most people but would have just 20 years ago been covered by classical research journalism, namely the intersections between power, fiscal policy, law, the security state, foreign policy and mass media or other systems of control.
Politics and policy making is downstream from mostly non public clubs of people. Become a part of the security apparatus to gain power and draft plans for whole regions of the world and the future of society. The rest of us get to see their own self branding in Hollywood romantizations and ideological "event driven" smokescreens that cover the realpolitcal battles of power and resources that actually drive history.
That way the masses end up seeing the good fights for "Democracy", "Child safety", "Necessary financial bailouts" or "Primitive stupid people in X country need intervention" while these are all covering a big old game of Risk or Civilization ie. resource plundering, land grabs, violent exploitation of foreign markets, siphoning of wealth from the masses to the few, and panopticon-level systems of control implemented to keep dissent and enlightenment about these fact as much in the dark as possible.
Theres a reason the richest European families already took an interest in controlling the emerging postal services of several hundreds years ago just like early pamphlet media but somehow these very old facts have been so memoryholed everyone thinks we live in a somewhat meritocratic or even democratic society these days.
The EU likes passing internet related legislation because of:
1. The politics of it. It involves the raw exercise of power over people who are easily bullied and that they don't like much, namely successful American companies. The EU loves passing extra-territorial laws and seeing people jump, it makes them feel like a big power bloc which is the whole aim of the EU project to begin with.
2. The revenue from it. Tech companies either fight or they try to obey, but the laws are vague and easily reinterpreted. This yields massive fines which go straight into the EU coffers, money which is then spent on purchasing loyalty both of the elected political elites (via post-election-loss sinecures and enormous "pensions" that start being paid out long before retirement), and the population itself (via EU branded projects and grants).
3. The unaccountability of it. EU law is created by the Commission which does whatever it wants. By treaty it is accountable to nothing except itself and it is the highest power in Europe. In that situation why not spend all your time on easily achieved upper-class luxury agenda items like internet regulation, which feels futuristic and cool, instead of messy stuff that bothers the regular citizens like illegal immigration, where you don't want to do it and failure comes easy?
That's why there's a constant flood of tech-related regulation coming from the EU. Seeing this specific act in isolation is a mistake, it's just the continuation of a long term trend.
The commission President is proposed by the council (the heads of states) and appointed by parliament.
I’m not aware of the EU arresting random US citizens for breaking laws like the gdpr, you’re thinking of America and the DMCA
So the Commissioners are in reality selected by the President.
This problem appears in every HN thread about the EU or its activities. People argue that it's a legitimate democratic structure based on how its treaties say it works, but the treaties aren't followed.
And before someone says otherwise, I’ve seen this playing out hundreds of times.
If you look around you see plenty of people that gets upvoted and are critical of EU, so that isn't it.
[1] https://notes.valdikss.org.ru/jabber.ru-mitm/
Fair chance they'll just keep using letsencrypt.
If you spend time in central Europe you'll see why this occurs. Some people have incorporated the EU institutions into their personal identity. People will call themselves European Citizens although the EU doesn't grant citizenship. Businesses will be called Euro-this or Euro-that for no obvious reason. You can catch the Eurobus to go ride the rollercoasters at the Europa Park then meet their famous mascot Ed Euromouse. This stuff is everywhere.
And in some ways, it is understandable. The 20th century was wracked by wars between different European empires or countries. The assumption at the core of this movement is that if everyone has the same social identity and is ruled by the same government, then everyone will hold hands and there will be peace on Earth. Or at least that bit of it.
But you can't force unity on people. It has to develop naturally, through shared experiences and cultures. Unfortunately the vision is so enticing that the political and credentialed classes in these countries don't want to wait, and so attempt to enforce it from the top down via schemes that eliminate democracy in favor of power transfers towards the Right Sort Of People, the type who "get it" and who can then rule unchecked without needing to answer to electorates. This is deeply corrupting, but because it's an identity issue when this is pointed out people feel their personal identity and whole progress story is under attack.
The Commission is the sole source of legislation. The Council cannot change EU law against the will of the Commission, so in practice it's a rubber stamp body that just always votes yes to everything.
This is what I'm saying in another comment: HN is flooded with incorrect claims about how the EU actually works, always in the direction of making it sound more accountable than it actually is.
For example, if you use private "e2echat.com" it can still use safe certs and be safe, the risk is only that "governmentchat.com" will use bad certs, which was already a risk.
This is still very bad.
Yes, potentially, but it isn't "another kind of chat control".
It is similar to how Chrome displays a warning when you visit some sites. You can visit the site anyway, but you get a warning since Google thinks it is bad.
Mozilla has proposed text[1] that would make clear that the requirement is only to display identity information, but this text has not been adopted.
[1] https://securityriskahead.eu/wp-content/uploads/2023/09/Mozi...
Accepting certificates from a given issuer does not give them the issuer the right to impersonate others
(Still bad but would at least protect connections from ever talking to e2echats servers)
The weakness is only if someone controls your internet connection and can use a compromised certification process to trick you into thinking you are at "e2e.com" when you are on another site, and in those cases the only difference from now is that your browser will display "secure" instead of "invalid cert". There is no other difference.
So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
That will be (or already is) done at ISP level. It will probably be fully automated, where they just put a court order number into a form, and it automatically just catches all your traffic in gear that's installed at the ISP.
Also, MITMs are a thing and getting the EIDAS certs in the root store will show that the certs in question are trusted, which is all that really matters because there is no way for users to know what certificates were actually installed by the website owner.
TLDR: If you are worried about security you can always install a plugin to get back the old behavior. This just says that browsers should be able to trust them, not that you have to configure your browser to trust them.
The moment people learn that the US government could control a CA and your internet provider to spy on you maybe that will change. But as is people think it is too much work for governments to bother with it.
I'd call that bs, CA level attacks are very unlikely to be detected, so we know little about their prevalence.
(you edited your comment to add... that it requires you to control the targets internet connection?? And "the moment people learn that thenUS government could control (a CA) and your internet provider to spy on you maybe that will change With tls becoming ubiquitous they're now indispensable
It originally was
* I'd call that bs, CA level attacks are very unlikely to be detected, so we know little about their prevalence.
With tls becoming ubiquitous they're now indispensable*
Oh that's SUCH as an insignificant difference!!!
> So to orchestrate an attack they would need to build an webbapp that is sufficient similar for you not to notice, take over your internet connection and break the certification process.
You can simply relay the requests to the original site/"webapp", no need to build one similar
Doesn't work if the app encrypts messages locally, so end to end encryption is still valid with this.
The only way around this would be a "real" app.
In the general case, any CA can sign any website certificate. So all those new government CAs can sign all the man-in-the-middle certificates they like, and browsers are obliged to accept them. Nothing the website can do about that.
There are ways to pin certain CAs via DNSSEC and TLSA resource records in DNS. But browsers ignore those, and even if they didn't, the same EU proposal also specifies government DNS manipulation.
So the gist is: EIDAS must die.
And if the site can see your data assume the government can see it as well, they can get it with a warrant.
A warrant will maybe warn the site and the user that something is going on.
A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.
Updating others javascript as a proxy isn't "easily".
Also if the government goes all this way to tell each internet provider to spy on people, why do you think they couldn't tell certificate authorities to spy on people? It is the same level. I wouldn't be surprised if many CA's in USA already does this.
And the way to spy on people via a certificate authority is exactly as described, you get a CA that signs your man-in-the-middle certificate for a website you do not own. Then you MitM that traffic using that certificate, while still getting a green "lock" icon.
With current WebCA certificates, certificate transparency does help a little to detect such MitM certificates, and some CAs have actually been caught red-handed. There are processes to punish or remove such CAs. However, this law would also prevent such actions, thus making it impossible to prevent any future malfeasant CAs.
About an example MitM certificate case and removal, see the DigiNotar case: https://blog.mozilla.org/security/2011/08/29/fraudulent-goog...
For more about how certificate transparency works see http://nil.lcs.mit.edu/6.824/2020/papers/ct-faq.txt
If this means users gets more power over what CAs to trust then that is a good thing.
And depending on how that law will be interpreted by courts, manually distrusting might be considered illegal.
It is just a display change, all the law says is:
"For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner."
I don't see how adding a warning icon or block icon instead of the lock hurts would be banned. To me it seems like so much here is based on baseless assumptions.
I would also urge you to refrain from using terminology such as "baseless assumptions" when your own assumptions are so easily refuted by directly reading the text of the proposal.
Do you really think your average user is going to go into the browser and manually distrust root CAs? We have learned again and again that good security is "secure by default", not "secure after arcane configuration".
To mitigate the MitM risk I believe that CT and limiting CA to specific top-level domains (so a hypothetical RU CA would not be able to issue certificates for .eu or .com) should be sufficient enough.
The "false premise" was that GlobalSign has refused to issue new certificates for Sberbank and there were several cases of CAs revoking existing certificates. They eventually have found a CA (Harica DV) which was willing to issue new certificates, but it was not clear at the time that such CA will be found and the new certificates can be revoked at any moment after a new wave of sanctions or simply after a strongly worded warning from Washington or Brussels. Relying on a relatively minor Greek CA for bank operations is clearly not a good strategy in their situation.
Again, this is not going to catch anyone with half a braincell that is trying to do something. This is just going to catch everyone else.
I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblockers etc. making it so you can't navigate the web if you are using a uncertified browser.
Very likely, yes. Also note that a similar client-side CSAM scanning feature was rolled out by Apple with a similar anticipation, and shortly after we saw the proposal of Chatcontrol and the like.
> So what happens to open source browsers?
See my other comment on the same thread[1].
[1] https://news.ycombinator.com/item?id=38110667
If Debian patches this out, you won't be able to access those sites. That's a living edge case for them.
"We need to be able to break security so we can see all your data, to keep you safe! Terrorists! Child abuse!"
"hmm yeah, but who's going to keep me safe from you?"
Annex IV:
Qualified certificates for website authentication shall contain:
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and:
—
for a legal person: the name and, where applicable, registration number as stated in the official records,
—
for a natural person: the person’s name;
...
(e) the domain name(s) operated by the natural or legal person to whom the certificate is issued;
So you don't need to know anything to use all-caps and throw around LIARS.
Article 45
Requirements for qualified certificates for WEBSITE AUTHENTICATION
1. Qualified certificates for WEBSITE AUTHENTICATION shall meet the requirements laid down in Annex IV. Evaluation of compliance with the requirements laid down in Annex IV shall be carried out in accordance with the specifications and standards referred to in paragraph 4.
2. Qualified certificates for WEBSITE AUTHENTICATION referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for WEBSITE AUTHENTICATION referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services.
Something better than typing your name and trusting a third party to do email verification for a digital signature certainly sounds like it could have advantages for doing business though.
I believe the issues identified here seem to stem from a (very) over-enthusiastic desire to have certificate acceptance everywhere (i.e. prevent discriminating against one country's citizens by excluding their ID card CA), without understanding the different types of trust chains and certificate chains. Presumably scattered with a bit of technical naivety as well. The concept itself is (probably?) fine, as long as it doesn't try to force browsers or SSL verifiers to accept or trust certificates they don't want to.
Technically that is also digital signing. The regulators probably thought that all kinds of digital signing should be included in this bill and just slapped something down for browsers while they were at it.
Which, if you don't understand web trust and PKI, means a bit of searching online will tell you that you need your browser to trust the CAs you use for digital signatures.
Which is of course not true - you can (and should) present an "untrusted" (i.e. not a server authentication) certificate as your client certificate or for signatures, as there's different trust bits and use-cases for different kinds of certificates.
That definitely has almost nothing to do with TLS and browsers. Why does my browser need to verify national ID cards? (no need to answer that)
With certificates from a government CA containing your name, address and maybe other data like tax ID, the certificate becomes that imprint, digitally signed and hard to fake. So I guess the next step after this directive is in place will be to require such government certificates for all European websites instead of the usual domain-validated WebCA ones. For a modest fee going into the pockets of some government cronies, of course.
In the past, CAs sold EV certificates which gave you a nice green look in the browser bar and no security advantage (arguably security downsides, because you cannot automate it). That was good business, until browsers decided that this makes no sense and scraped any special treatment for EV certificates.
The "qualified certificates" by the EU are essentially EV with a new name.
[1] https://scotthelme.co.uk/looks-like-a-duck-swims-like-a-duck...
True, basically eIDAS is a cartel. With the help of EU legislation, some Certification Authorities banded together and are now saying that certificates emited by anyone but them are not good. And obviously they fully controll the pricing for the "good" certificates.
For very specific needs like electronic signatures, "seals" and an interesting one I hadn't heard before, timestamping (proving that an electronic document has existed at that timestamp), not for general computing.
Also, considering Bulgaria has 5 CAs on the official list, with 2 others as potential, the claims of a shady cartel of "big Cert" being behind this is laughable.
Most of the commenters here miss the point, because they concentrate on confidentiality and integrity (cf. any post about MITM). They are of course correct that this creates capability to intercept TLS connections. They still miss the point that EU bureaucrats see it as reasonable tradeoff (which I don't think it is, but that's their POV).
Your bank account is now frozen.
Please report at your local police station tomorrow at 10am.
"We decide on something, leave it lying around and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back."[0]
[0] - https://en.wikiquote.org/wiki/Jean-Claude_Juncker
I mean, I'm not saying Juncker is great, just that reading the random collection of quotes on wikiquotes might not be the best way to judge his work.
Also, keep in mind that this is in the context of getting all member states of the EU to agree on something. People kicking up a fuss is the default situation because of conflicting interests between different states.
Make no mistake about how I feel about this though: it's still pretty horrible even with that context in mind. And as graemep pointed out the rest of the quotes on that page will tell you all you need to know about Juncker too.
I mean, I certainly did not vote for Ursula von der Leyen either.
This is fundamentally different from how a PM is voted in a traditional parliamentary system where an MP leads the party during the election process and elected as PM after a clear victory or negotiations between MPs.
We're a people with a wide spectrum of beliefs - we should be represented by a wide spectrum of MPs... never by a single voice.
1. My first being whenever a single party actually wins a majority.
This is a fair statement. I'm not from the EU but I think it's true for basically any society. Also a lot of the dysfunction in the EU is obviously by design and it's supposed to instill cooperation and deliberation between different stakeholders.
Still, in politics "getting things done" is very important, imo much more important than representation because the main job of a government is to govern and a fairly balanced government that fails to govern will lose support very quickly and become unrepresentative/useless. Also if someone can't get things done, others will do it and force their hand, like the case of the election of the EU commission president. Or practically everything the UN does.
The good thing about a government by a single party or a well defined coalition is that you know what they roughly stand for, what they don't stand for, who is for them and who is against. You can support them or vote against them. In an election one side wins. Being an incumbent is difficult so in the next the other side wins, they are supposed to balance each other that way.
What is the alternative of a de facto coalition between the right, center-left and liberals? Which of these is really in power? Who are you going to vote for if you don't like where the things are headed?
Looking at the EU parliament (or the parliaments of many EU countries) the main alternatives are fascism-lite and actual fascism. That's the risk of plethoric supranational governing bodies like the EU or very large coalition governments, they rob people of viable democratic alternatives.
The council is made up of the prime ministers of the EU member countries, which also were not voted for seats in the EC.
Likewise there was no vote on the Lisboa treaty which effectively put the EC above the parliament and outside its jurisdiction.
I meant that whatever the government metaphorical "you" voted in, has voice in EC.
In fact current Lisboa treaty came into effect after previous reform attempt was torpedoed in part for "taking away sovereignty" by giving more power to European Parliament vs European Council - where the national governments have power.
In some cases less between the states and more between gonvernment and people. The european parliament is elected by the people. But many important matters are defined by the comission consisting of representatives of the member states governments.
Of course the different governments are also elected. But as part of the comission they can act against the will of the people and later blame the EU.
I know because my ex did European Studies and knew how to navigate those websites. I for the life of me cannot figure out how she did it if I try now.
I thought he did a good work, but I was a student too so maybe I was just impressed with basic stuff (highly likely).
Another issue is basically the legal analogy of how certain difficult programming languages impose a selection bias on who actually is willing to learn it, which then leads to an echo-chamber culture where most people underestimate the issues with the programming language.
I know in the US we have orgs like Code for America and events like National Day of Civic Hacking. Does the EU have similar groups and events? I wonder if this could be presented to something like that.
Obviously it should be said that such a project shouldn't be needed in the first place in an ideal world, but it does sound like something I might be interested in chipping in regardless (and a great learning opportunity).
There was an episode of the Mark Thomas Comedy Product where he describes how they were trying to find the spending habits of EU MPs, but they were in a basement with no electronic devices allowed, so they hired an army of students to run up and down with notebooks and pens and relay all the information to more students upstairs who had to type it all up and put it online.
The open letter signed by 300+ researchers, professors and experts.
But it won't get to that point. I don't really think the US government would be ok with a regulation like this, either, and they have even more bargaining power than tech companies.
They should tone down this kind of sensationalist clickbait that I would expect to find in UK tabloids. They probably think it helps them impress the urgency of the matter on the public but frankly it just makes me doubt the veracity of the claims made in the article (though in this case I trust Mozilla and would hope that they are not misrepresenting the content of the law itself).
I’ve watched many of their YouTube presentations.. all with less than 100 views when I watched them, despite them being uploaded for some time.
> and will be presented to the public and parliament for a rubber stamp before the end of the year
That's not how the EU parliament works, they're not just a rubber stamp. The topic is sufficiently grave without the need for clickbait and painfully obvious exaggerations.
How the democratic process actually works is important. Public outcry often happens after something becomes LOCAL law (i.e. a few years or months down the road) implemented in a member state. The usual defense from EU-enthusiasts is then “you should have engaged in public debate, it’s too late now”. That should tell you something about the visibility and publicity of the process.
[1] https://notes.valdikss.org.ru/jabber.ru-mitm/
For example banking, signing official documents like grades from school etc, all of those usecases are a part of eIDAS. That is the core of the standard and there you really want to see all the certificate information to be sure it is the right origin, since unlike browsers there is no list of trusted CAs, you just see that some organization accepted it.
Edit: Browsers already had their own standard that they think is better than eIDAS, so they don't want this to apply to them. But Occam's razor says that EU just added "and browsers should also do this" instead of there being some conspiracy behind it, it was simple to just add everything instead of leaving just browsers out.
Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
> "and browsers should also do this" instead of there being some conspiracy behind it
The law isn’t RFC 2119 where there is a distinction between SHOULD and MUST: the law is all about what an entity MUST do, so bringing up “should” in this context isn’t helping the point you’re typing to make.
> Unlike the Browser/CA forum rules which are security focused, EIDAS comes from a government mandate first and foremost, so the concern isn’t entirely subjective as you suggest.
I didn't say this was subjective. My argument was that it is easy to see why EU would do this without having surveillance in mind. They just wanted all certificates to follow the same standard, the main part of these standards were document signing and they thought web sites are documents so we add them as well to the standard.
> so bringing up “should” in this context isn’t helping the point you’re typing to make.
I didn't make a distinction between should and must there, that wasn't my point at all. What was hard to understand there? This bill is first and foremost about document signing, and then they added a clause that it also applies to browsers. That is the main part of my argument.
A bill that first and foremost targets document signing doesn't seem like it was obviously made to add spying on browsers, if that is what they wanted they would have labeled it "web protection bill" or something like they did with the chat one, they aren't afraid of saying it is about spying when that is what they want.
- Make sure there is an open standard (is there?)
- Fund and promote its open source development
- Have an industry lobbyist non-profit to onboard individual businesses
If the goal is to ”promote standards” the way this is being done does not seem to be aligned the 50 years of software industry standard development, with the examples like TCP/IP, PNG, AV1 and so on.
Did we need laws to "unify" all the standards we successfully use today, like IP, UDP, TCP, HTTP, TLS, Certificate Transparency, HTML, ECMAScript, CSS, DNS, DMARC, DKIM, SSH, etc.? Laws are not the right tool for this. And law makers don't have the necessary expertise.
While eIDAS seems like a great idea to coerce member states into adopting a common standard, it just also happens to sneak EU-centralist ideology in, and total digital surveillance is the 0th application of that ideology.
The big catch with EU is: once you opt in, opting out is very difficult.
Open any law on produce, construction, cars, industrial equipment (and a million others), and you'll find thousands of specs and standards mandated by law, and for a reason.
I have no Earthly idea why a) this needs to be done digitally, or b) for the EU to be involved (at EU level) with this.
Unfortunately if you pitch mission creep vs the principle of subsidiarity, the former wins every time.
This is just one use case for eIDAS, then you have things like interacting with different government institutions, banks, et cetera, et cetera.
There are a lot of people who live in/work/visit other EU countries as is their near absolute right. We should therefore standardise technology on the EU level to make their lives easier.
But with that out of the way, no I don't have any other complaints, I think the regulation is generally a move in the right direction.
... for some value of "standardised"?
UK[0]: First, 2:1, 2:2, Third
Germany[1]: 1 to 5
France[2]: "on a scale from 0-20"
<chuckle>
[0] https://www.imperial.ac.uk/students/success-guide/ug/assessm... [1] https://www.uni-passau.de/en/international/coming-to-passau/... [2] https://u-paris.fr/en/higher-education-in-france/
https://en.wikipedia.org/wiki/ECTS_grading_scale
https://www.google.com/search?q=%22job+application%22+%22ECT... gets me only a handful of results and a warning that 'It looks like there aren't many great matches for your search'
Do (m)any European employers know about this scheme?
https://en.wikipedia.org/wiki/Bologna_Process#Signatories
It seems that ECTS is indeed useful to those who move internationally between institutions during a course of study (Erasmus and similar).
I'm struggling to detect much of a use case once a qualification is achieved and someone's looking for work.
> To answer your question, it is an established standard
OK, but so is Esperanto :)
This Trusted CA is such a lie. I mean we all know that Google, MS etc does ugly things with user data but apparently we have no objection to trust them with cryptography.
Browsers should get their shit together and add proper support of domain-limited CAs and add optional whitelisting of CAs for given websites.
They do in fact support this - e.g. Mozilla trusts KamuSM only for .tr [1], Chrome limited ANSSI to French TLDs [2].
However, there is no indication that the EU would be willing to accept such constraints on their national CAs. If you look at several of the current national European CAs, they routinely issue for generic TLDs like .com.
[1] https://groups.google.com/a/mozilla.org/g/dev-security-polic...
[2] https://security.googleblog.com/2013/12/further-improving-di...
The bigger issue is that for this in order to work at all, the regulation must have provisions for issuing fake assertions of existing identities to law enforcement and other security services. The predecessor didn't seem to have that. This is different from providing fake identification documents for undercover operations because as far as I understand it, those use are usually mostly made-up and do not impersonate another person.
We would have to read the actual text of the proposed regulation to know the details, but both sides (legislators and those fueling the outrage machine) do not really want us to form our own opinion and hide the draft text from us.
Changes to server certificates happen all the time -- every 60 days or so, if you're getting certs from Let's Encrypt. Browsers can't tell their users every time a certificate changes because the users will just get notification-blindness and be trained to click past the warnings.
Let's Encrypt doesn't help server operators see this; I really not sure what you mean by that. Certificate Transparency would help server operators see this, but the new law text forbids browsers from requiring CT for these certs!
The law doesn't have to solve the problem of how security services will assert fake identities. Each member state can solve that internally. Allegedly, given the recent report of a hijack against jabber.ru and xmpp.ru, they already have. The problem is that, when they do, no one else has any recourse. No other member state can say "hey, don't hijack my websites!", no citizen can say "hey, don't hijack my traffic!", and no browser can say "hey, you issued a false certificate, we don't trust you anymore!".
Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust. By definition. If it's mandated, it isn't trust, it's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.
So these pervs now want to do the same. For what?
eIDAS was introduced in 2016. Now 7 years later there still isn't a API specification for interoperability (there are drawings though https://blog.eid.as/new-apis-for-the-eidas-ecosystem/ )
In the meantime, any digital signature done in EU must be done with a certificate issued only by the "select" CA to be considered "valid".
The standard existed 2016, I did a short stint for a company that was implemented eIDAS back then.
They even have a test suite you can use to check how well you comply with the standard: https://ec.europa.eu/digital-building-blocks/wikis/display/D...
It is very archaic to work with though, but at least they try to have a standard.
The real value in eIDAS would be "unlocked" if they would release a proper API specification with which a digital signatures application would integrate with any EIDAS CA to emit/sign certificates. And then enforce that any eIDAS compliant CA would implement this API.
In practice that means any company/digital signatures product could do a integration with this API once and then be able to use ANY certification authority they want/need/offer best prices for certificates.
Without this API, eIDAS is just a marketing moniker because the power belongs to the selected Certification Authorities. They set the prices, they choose WHOM can integrate with them to isse certificates and there is NO interoperability between them. This doesnt allow for a open market and makes the top players control everything while shouting "standards" and "eIDAS".....
article 25 of EIDAS 1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
Maybe it wasn’t the original intention, but right now, even ignoring the surveillance angle, I feel that it would be a major downgrade to the post-Symantec state of the Web PKI. In particular, the process for getting a CA disqualified or inconvenienced in any other way seems to be so onerous as to be basically intractable, especially if you, the relying party, are not in the EU. As far as I can tell (but here I can be wrong), as a relying party you don’t even have standing to do anything about it—it’s considered to be solely the business of your country’s government, and if the government body doesn’t care (see: Facebook and the Irish DPA), tough, guess you’re a single-issue voter now.
Of course there is still HSTS, but that's not supported by all tech using TLS.
Prediction: If this passes, users having to bypass cert errors will be the new cookie popup.