
Last Chance to fix eIDAS: Secret EU law threatens Internet security

jagdtigger

(Title borrowed from source.)

Summary

 

In short, browser developers would have to include any certificate issued by any member state in the trust store without any regard to security outside what the EU allowed; furthermore, they are not allowed to remove these without approval from the issuing government. These certificates can, and without a doubt will, be used to perform MITM attacks without any oversight.

 

 

Quotes

Quote

After years of legislative process, the near-final text of the eIDAS regulation has been agreed by trialogue negotiators1 representing EU’s key bodies and will be presented to the public and parliament for a rubber stamp before the end of the year. New legislative articles, introduced in recent closed-door meetings and not yet public, envision that all web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.

Quote

This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.

The text goes on to ban browsers from applying security checks to these EU keys and certificates except those pre-approved by the EU’s IT standards body - ETSI.  This rigid structure would be problematic with any entity, but government-controlled standard bodies are especially susceptible to misaligned incentives in cryptography. ETSI in particular has both a concerning track record (1,2,3) of producing compromised cryptographic standards and a working group dedicated entirely to developing interception technology.

 

My thoughts

HELL NO! This is bad, very, very bad. This will be abused to "epic" proportions, and not just by the government. Let's face it, it's not a question of "if" but "when" hackers will get their hands on these back-door certificates...

 

Sources

https://last-chance-for-eidas.org/


I just don't get what they think they will achieve.

 

Law-abiding citizens end up with an insecure browser, while criminals can completely side-step this entirely by compiling their own browser omitting these certificates.

 

I said from day one with these schemes, it's only a matter of time before someone uses this to snoop on a high-profile politician and THEN they may rethink the insanity. But it's scary how much damage can be done before this happens.


42 minutes ago, jagdtigger said:

In short, browser developers would have to include any certificate issued by any member state in the trust store without any regard to security outside what the EU allowed; furthermore, they are not allowed to remove these without approval from the issuing government. These certificates can, and without a doubt will, be used to perform MITM attacks without any oversight.

This has already happened here (Brazil) a really long time ago (ICP-Brasil). You just recompile from sources instead of getting binary distributions if you really care.


10 minutes ago, Forbidden Wafer said:

This has already happened here (Brazil) a really long time ago (ICP-Brasil). You just recompile from sources instead of getting binary distributions if you really care.

Then get up and do something about it? This whataboutism drives me (and my blood pressure) up the wall...


1 hour ago, jagdtigger said:

Then get up and do something about it? This whataboutism drives me (and my blood pressure) up the wall...

If you do that here, you're going to get called a fascist, antivax, antiscience, undemocratic, and get jailed for spreading fake news and "trying to abolish the country"...


2 hours ago, Alex Atkin UK said:

I just don't get what they think they will achieve.

 

Law-abiding citizens end up with an insecure browser, while criminals can completely side-step this entirely by compiling their own browser omitting these certificates.

 

I said from day one with these schemes, it's only a matter of time before someone uses this to snoop on a high-profile politician and THEN they may rethink the insanity. But it's scary how much damage can be done before this happens.

Centralized Governments care first and foremost about their own power and survival. That's why there are things they "push" and things they are "pushed into".  If it's something they are "pushing", then it serves their explicit interests. Yes, degraded security is the point for their own people, but there's likely a couple of other purposes as well. None of which are really related to what they'll tell you they're up to.

 

But all governments, to a major extent, are oligopoly based. There are always multiple power factions, and sometimes the really dumb things that a government is pushing are to prevent other power factions from gaining some advantage. Energy politics is normally the place you can see this the most. I find it fairly useful to have an understanding of the old feudal systems, especially something like the Holy Roman Empire, for how power factions interact and what they do. You can see the interactions better in a front-facing multi-faction system than in the modern, closed-door, PR-focused systems.


I guess another reason that there should be a more common and global consumer/digital rights group? aw man


I wonder which company bribed these politicians to make this pass.


On 11/3/2023 at 12:27 PM, Alex Atkin UK said:

I just don't get what they think they will achieve.

 

Law-abiding citizens end up with an insecure browser, while criminals can completely side-step this entirely by compiling their own browser omitting these certificates.

 

I said from day one with these schemes, it's only a matter of time before someone uses this to snoop on a high-profile politician and THEN they may rethink the insanity. But it's scary how much damage can be done before this happens.

You don't even need to do that.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

 

Unlike, say, breaking OpenSSL and forks, the certificate is something that the user has always been able to nerf.

 


Just it's very difficult to understand what certificate does what.

 

What will MOST LIKELY happen is that if eIDAS goes into effect, you'll see a re-run of "40/56bit encryption" that happened with Netscape back in the 90's. Where you were not permitted to download anything with strong encryption if you didn't explicitly hand over information to Netscape to download the strong encryption version.

 

So Firefox and Chrome will make separate distributions for Europe, and the auto-update process will only ever install the EU version, even if they download the American version.

 

But more to the point, this has consequences beyond the browser: getting an "EU root certificate" that has to be trusted by the OS is extremely dangerous if Windows, Apple, and Linux distros can't be installed in the EU without it. Good luck trying to get Linux to install this. It's bad enough trying to find a distro that isn't broken, and you want to add a "weakcrypto-euonly" build? No.

 

Mostly I just don't see this being enforceable without requiring EU users to only use an EU-built web browser and to exclude Chrome, Safari, Edge, Opera, Firefox, etc. entirely. It's going to have to be pulled from the other side, where web servers hosted in Europe will instead only support this EU certificate, and if you nerf it from your browser, you're completely blocked from online shopping and banking.

 

 


On 11/3/2023 at 9:01 PM, Forbidden Wafer said:

If you do that here, you're going to get called a fascist, antivax, antiscience, undemocratic, and get jailed for spreading fake news and "trying to abolish the country"...

Well then enjoy living in a dictatorship while we actually try to do something before the EU turns into one....


2 hours ago, jagdtigger said:

Well then enjoy living in a dictatorship while we actually try to do something before the EU turns into one....

It's not about enjoying, but nothing you can do when most people are idiotic and defend that.
I'm actually moving to the EU, but I think you are too late to do anything. 😕


5 hours ago, jagdtigger said:

Well then enjoy living in a dictatorship while we actually try to do something before the EU turns into one....

What is it that you're doing? How can I join?

 

 

 

 


2 minutes ago, Senzelian said:

What is it that you're doing? How can I join?

Right around the end of the source article:
 

Quote

If you’re a European citizen, you can write to the member of the European Parliament responsible for the eIDAS file - Romana JERKOVIĆ - and register your concern.


If enough people write, they will chicken out...


On 11/4/2023 at 3:27 AM, Alex Atkin UK said:

I said from day one with these schemes, it's only a matter of time before someone uses this to snoop on a high-profile politician and THEN they may rethink the insanity. But it's scary how much damage can be done before this happens.

I'll give it a week before someone from Eastern Europe makes a phishing site for every government page.


just a friendly reminder that everything that a government touches instantly rots


It only "threatens" because it's not yet a law. But I agree, it would hopelessly break trust and security on the internet. If anyone implements it, that is. I could see companies and developers rejecting the implementation in a mass protest.


Also it seems the EU made material in an attempt to depict Mozilla in a bad light by saying they spread misinformation:
https://www.european-signature-dialog.eu/ESD_answer_to_Mozilla_misinformation_campaign.pdf

Yeah, it's definitely misinformation when countless experts signed an open letter of their own (also available in the linked source in the 1st post) calling out the glaring issues...


10 hours ago, jagdtigger said:

It only "threatens" because it's not yet a law. But I agree, it would hopelessly break trust and security on the internet. If anyone implements it, that is. I could see companies and developers rejecting the implementation in a mass protest.


Also it seems the EU made material in an attempt to depict Mozilla in a bad light by saying they spread misinformation:
https://www.european-signature-dialog.eu/ESD_answer_to_Mozilla_misinformation_campaign.pdf

Yeah, it's definitely misinformation when countless experts signed an open letter of their own (also available in the linked source in the 1st post) calling out the glaring issues...

Hi! I want to write a message to Romana Jerkovic, but I have no idea how to frame this, because I myself don't really understand how this would screw us over fully, and thus I don't feel like I can explain it without it looking like: "THIS BAD DON'T DO PLS". Got any idea or any frame for me and the rest of us idiots to contribute as well?


On 11/4/2023 at 11:28 PM, Kisai said:

You don't even need to do that.

https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

 

Unlike, say, breaking OpenSSL and forks, the certificate is something that the user has always been able to nerf.

 


Just it's very difficult to understand what certificate does what.

 

What will MOST LIKELY happen is that if eIDAS goes into effect, you'll see a re-run of "40/56bit encryption" that happened with Netscape back in the 90's. Where you were not permitted to download anything with strong encryption if you didn't explicitly hand over information to Netscape to download the strong encryption version.

 

So Firefox and Chrome will make separate distributions for Europe, and the auto-update process will only ever install the EU version, even if they download the American version.

 

But more to the point, this has consequences beyond the browser: getting an "EU root certificate" that has to be trusted by the OS is extremely dangerous if Windows, Apple, and Linux distros can't be installed in the EU without it. Good luck trying to get Linux to install this. It's bad enough trying to find a distro that isn't broken, and you want to add a "weakcrypto-euonly" build? No.

 

Mostly I just don't see this being enforceable without requiring EU users to only use an EU-built web browser and to exclude Chrome, Safari, Edge, Opera, Firefox, etc. entirely. It's going to have to be pulled from the other side, where web servers hosted in Europe will instead only support this EU certificate, and if you nerf it from your browser, you're completely blocked from online shopping and banking.

 

 

They will just remove any such options: "NO SECURITY FOR YOU...!"


14 hours ago, BaneIonica78 said:

because I myself don't really understand how this would screw us over fully

It allows governments to basically perform a MITM* attack on any website:
https://last-chance-for-eidas.org/art45interception.html

 

eIDAS would force browsers to accept government-owned certificate authorities (CA for short). These authorities can issue any certificate and it will be trusted no matter what, even for existing sites using a different CA. Governments can already mess with DNS, so if this passes it will be trivial for them to perform the MITM attack on any site they want.

 

 

*https://www.techtarget.com/iotagenda/definition/man-in-the-middle-attack-MitM


On 11/7/2023 at 11:42 AM, jagdtigger said:

It only "threatens" because it's not yet a law. But I agree, it would hopelessly break trust and security on the internet. If anyone implements it, that is. I could see companies and developers rejecting the implementation in a mass protest.


Also it seems the EU made material in an attempt to depict Mozilla in a bad light by saying they spread misinformation:
https://www.european-signature-dialog.eu/ESD_answer_to_Mozilla_misinformation_campaign.pdf

Yeah, it's definitely misinformation when countless experts signed an open letter of their own (also available in the linked source in the 1st post) calling out the glaring issues...

Remember when people were being called crazy for thinking that governments would abuse their power if given the ability to arbitrate free speech?

Here we are boys, everything they don't like is now misinformation


6 hours ago, jagdtigger said:

EFF wrote an article which digs a little bit deeper into this topic and why it is a very bad idea:
https://www.eff.org/deeplinks/2023/11/article-45-will-roll-back-web-security-12-years
 

Time to add EFF to the misinformation list 😂

