It just doesn't make sense to me why anyone tries these things. The reality of the situation would be very obvious. Just because everyone in the EU is in the EU, doesn't make them one big happy family. Do the French want the Germans to be able to spy on their citizens? Seems unlikely. And at a larger scale, the US isn't going to go with that. So the browsers will simply be updated to distrust all of these CA's whom no longer can be trusted and... those EU CA's are out of business. Poof. Hell, if it were reverse you'd see the EU up in arms. "Why should we trust the USA?" - And rightly you shouldn't. That's why Galileo exists.
But on the Internet, it doesn't work that way. You can't just do your own thing, lest you kneecap your citizens. How will the Europeans citizens react if their own "free and democratic" governments take away their access to Wikipedia? Or Facebook? Or Tiktok?
Using known suspect TLS Certs would also violate basically every B2B contract. When businesses sign contracts for SaaS applications, it involves some verbiage about encryption and best practices and data security in transit and at rest. What business will WANT to sign a deal that says "Yes, it's ok to use a TLS cert that we know our government can intercept" when they have the option to use a cert from someone else that's secure? Cool, shoot your own businesses in the foot too, while you're at it.
Freaking politicians. Can't be bothered to do anything about the issues we citizens ACTUALLY want, but instead are too busy meddling in shit that no one wants.
I understand that it helps to have a name for something like this, but
there is no "EU". "It" cannot think.
Heed the Meehan quote; "Men are at war because each man is at war with
himself". It's not just that human minds are one psychotic insight
away from seeing our dissociative identity disorder just beneath the
surface... evey institution and collective is the same. What is wrong
in the "EU" (principally the Commission) is that it's large and
disparate enough for some extraordinary bad actors to hide within it
and exercise undue toxic influence. It is by lack of transparency that
they cannot easily be rooted out, named, shamed and dislodged.
Meanwhile much of the "EU" functions very well, and cares for its
citizens.
I need to clarify. I was using "the EU thinks" as shorthand for "the strong consensus view of the people running the EU". I thought (obviously wrongly) that this was obvious because an organisation cannot think.
I think it is safe to assume that the majority of people running the EU share the aim of "ever closer union" enshrined in EU treaties, which implies aiming to put the interests of the EU above national interests, which I took to be what the comment I was replying to meant by being "one big happy family"
> I was using "the EU thinks" as shorthand for "the strong consensus
view of the people running the EU".
Understood. And I was questioning the concept of "consensus" in that
frame.
> I thought (obviously wrongly) that this was obvious
Not at all. I don't think that is obvious. Interestingly some are
raising GPT as a metaphor for emergent organisational "thinking". Is
it a good analogy? I don't know, but we do see similar phenomena in
networks whether they be human brains, machines or other organisms.
And one feature is that we are not sure how to locate "consensus".
There's lot more than weighted sums at play. And despite official
structures and protocols, that's not really how things work, I think
we all know.
Thus the emergent identity gets a lot attributed to it, which it may
not be "aware of" in large parts of itself. For minds we have the
concept of the unconscious. Perhaps in neural networks we will come to
recognise something similar. But the concept seems sadly lacking in
organisational dynamics where it might help us to stop talking about
ideas such as "What Google says" or "What the market demands".
> because an organisation cannot think.
And yet we so often talk as if they can. We see Searle's "Chinese
Room" everywhere and wish to encapsulate and name too readily.
The "EU" is "mentally unhealthy" in that sense. in that it's simply
too big and disparate to be coherent and consistent. The article about
snooping on web TLS certificates could not more clearly contradict
other strongly held "beliefs" within the organism about "privacy".
That might have be more helpful if it was clear that there is actually anything like thinking going on in GPT-4, but to the extent there is I don't believe it's a good analogy for EU-the-organization.
It's multiple regular humans doing regular human thinking (in various quantities) and otherwise acting, and interacting, subject to social pressures.
Calling that an organization thinking might be a convenient shorthand, but as I far as I'm concerned the utility stop right there, and forgetting that it is merely a shorthand is potentially badly misleading (which, I take it, was one major point of https://news.ycombinator.com/item?id=38182349 )
>Do the French want the Germans to be able to spy on their citizens?
They might. It's how the US intelligence agencies route around laws that prohibit spying on US citizens. They spy on a 5-eyes nation's citizens (often the UK) who is spying on US citizens. Then they trade connections.
This is an often parroted conspiracy theory rooted in novices looking at leaked documents and not really understanding the context. Just because GCHQ shares data with NSA it does not mean the program lacks controls that protect American citizens. Partner data is still filtered for US nexus and tagged appropriately as to require multiple layers of approvals and oversight to query or view.
> how sharing takes place in spite of those controls
Sharing takes place because countries have mutual data sharing agreements. It is up to the receiving country to comply with domestic laws.
For example if GCHQ has a dish pointed at a foreign communications satellite and receives all downlink communications, they might share that stream of raw data with partner countries. If NSA receives that stream the first thing that happens is it gets decoded into call data and parsed for any hint of US nexus communications at which point it gets tagged USPER and is not accessible to analysts.
But there's presumably little to stop the NSA asking GCHQ "can you give us a list of US citizen that match profile X", so does the fact that they strip it out of their local copy make a big difference?
These are the same government agencies that the Snowden leaks informed about. How many people in the government were fined or went to jail because those were revealed to the public?
But unlike Kazakhstan, the EU can actually ORDER browser makers to keep approving their backdoored certificates. And then mandate that anyone serving their own citizens use them.
Look at what the UK has already done with its “think of the children” bills. The UK is weaker than the EU
> the EU can actually ORDER browser makers to keep approving their backdoored certificates
But they can’t. Maybe they can order some companies to do so, those companies which would fight tooth and nail in court, whom cumulatively have more money than the EU (probably).. . and certainly more lawyers.
But at the end of the day, they couldn’t force every browser. No company would accept a website that doesn’t work with 30% of the internet. It would, once again, knee cap that company.
And while I’m not sure of every browser, I’m fairly sure you can delete CA’s in most browsers today. You certainly can on an OS level. So as soon as one CA get’s p0wned by the government, the techies would just run around and “help” all their friends and family delete the CA from being trusted.
How? Mozilla can just get out of the EU. Google can spin off its browser to a nominally independent project (Chromium) and offer plugins for Google functionality. I don't see how they will win this.
The logical solution for browser vendors is to also roll back the URL bar by 10 years, where we had different indicators for extended validation, normal certificates and plaintext. I guess a blue EU-logo whenever Article-45 compliant CAs are used would make sense. Then we just have to teach people: blue is for "government snoop mode".
eIDAS in fact forces browser vendors to do that, but there are two problems with what you're suggesting:
1. Good luck teaching 99% of people to be wary when they see the blue address bar. People generally do not understand address bars, which is a large part of why browsers removed the EV indicator.
2. There is a strong possibility that a future version of eIDAS will force businesses in the EU to get certificates from an eIDAS CA. At that point, people in the EU will be seeing the blue address bar constantly, and most of the time the certificate will in fact be legit.
Teaching users is of course the tricky part, and I'm not trying to excuse the insane draft regulation here. That said, eIDAS doesn't force browser vendors to visually distinguish Article 45-forced CA certificates from traditional CAB CA certificates, and I doubt they considered the possibility. So re-adding the distinction is a valid band-aid. Your second point can be addressed relatively easily by businesses getting multiple certificates. Then, the browser can show 'trusted' only if one of the certificates is not from a Article 45-forced CA.
I thought the blue address bar would have a person's name and country in it. That person has a good lawsuit case against the government if it's faked. Or, are we worried the DE government will make up a fake Larry Ellision and MITM oracle.com with it? Larry Ellision would easily win that lawsuit.
I thought that was the whole intention of eIDAS. Everyone gets a government approved certificate they can use to sign their websites if they want to, and then the URL bar shows their identity. They don't have to sign websites with their identity, but they have the option to.
I've talked about TLS before, it is a bane on the Internet in its current form.
Here is what users need from any browser that cares about the user:
- An option to not use OS supplied root certificates. Instead, to customize and set up user allowed certificates on the first run/first site use.
- An easy UI for trusted certificates that give categories and what each certificates scope means.
E.g. 'This certificate is issued by a telco provider on behalf of the Government of Canada, is a blanket certificate for all domains, can let the government see all your encrypted traffic.'
'This certificate is issued by the IT department of your organization and let's them see all encrypted traffic'
- It should appear as a warning when a user sees these blanket certificates used on general purpose websites (like Google services) and have a way to tell whether there is a potential MITM happening.
'Normally this website would use a certificate provided by Google.com Inc but it seems your Government issued certificate is being used to see all encrypted traffic you are sending to Gmail.com'
- Warn meaningfully about algorithm usage choices: 'The algorithm strength is 2048 bits and the year is 2023, and governments already have capable computers that can break this encryption with this strength.'
Requiring users to manage their own root bundle is a recipe for disaster for ordinary users. You shouldn’t need to understand path building to securely initiate a connection with a website.
(Besides, macOS and Windows do let you tweak the trust store from their respective GUIs. There’s nothing stopping you from doing so.)
Anyone who would suggest putting security decisions in the face of users should be reminded of Windows Vista and its User Account Control. Dialog fatigue is not to be taken lightly.
Then a first time setup may be okay. People assume everything is safe because there's a green lock icon but the situation must change for improving the actual users privacy.
While dialogue fatigue is true, browsers can take care of offloading the cookie dialogues if there were a standard for it.
Doing what's necessary for privacy is no excuse to throw bad UI at a user. There has to be a way to customize our transit security and subsequently privacy. It's a step in the right direction.
Corporate users do not have a control over this, nor will people where governments try to propose a law forcing people to accept crony CAs to the trusted list.
These are orthogonal issues: it’s not enough for governments to have CAs in trusted roots, as this attempted regulation demonstrates. OS-supplied roots exist because ordinary users can’t and shouldn’t be expected to make PKI policy decisions to use the Internet securely.
If you’re trying to circumvent your corporate laptop’s MITM, you’re playing a lost game. It’s also a game that has nothing to do with ordinary users on ordinary, non-work computers.
Corporate users don't generally have control period. Keep your personal stuff away from the work laptop. TLS is useless on a machine you don't control.
This prevents them from actually misusing their certificate on blanket spying programs. Every browser that allows you to configure your trusted list in a more manageable way is one more hurdle these CAs have to cross.
Warnings like that would likely violate eIDAS' requirements for "user-friendly" recognition, as well as its prohibition against "mandatory requirements".
This is why eIDAS is so nuts - it forbids browsers from rolling out pro-user security measures.
> 'This certificate is issued by the IT department of your organization and let's them see all encrypted traffic'
I'm a bit out of the loop on modern security implementations. In theory though, I thought the purpose of certificates and certificate authorities was to certify that you're actually talking to who you think you're talking to?
A browser can still communicate security with any computer out there, regardless of corporate certs, etc. Or do the corporate firewalls block communications that they cannot inspect?
> A browser can still communicate security with any computer out there, regardless of corporate certs, etc. Or do the corporate firewalls block communications that they cannot inspect?
Yes, you’ve got it. Many corporate firewalls require you to install their own root CA certificate and “transparently” intercept and rewrite traffic leaving the network. It looks like you’re negotiating with the external site, but you’re actually doing TLS negotiation with an on-prem proxy that connects to the destination site on your behalf.
I say “transparently” in quotes because it definitely, in practice, breaks things here and there.
I'm sure it's well established practice, and the courts would find it legal, but it seems like fraud. My computer says "I want to connect to my bank, are you my bank?" and the corporate firewall says "yes, I am your bank".
It's not your computer. It's the company's computer and they installed the root certificate on it. For any non-provisioned machine you'd get a certificate error because the corporate-issued certificates are signed by the corporate CA that isn't browser-approved by default.
Your IT department owns a certificate authority. They add its self-signed, root certificate to the trust stores of all the machines in your firm using group policies or whatever. They then install something like a Bluecoat browsing proxy, which they configure your browsers to use using group policies or whatever. The Bluecoat terminates the TLS connection by transparently providing certificates for the sites that you're trying to access, which your browser trusts. It then makes the outbound connection to the actual site, if appropriate.
Your understanding is correct, but if your IT department puts a wildcard cert on your machine, it can MitM all your traffic (e.g. your company's firewall can say "Hi I am $SITE, here's a certificate to prove it" and your browser will accept it). Traffic between you and the firewall, as well as between the firewall and the actual site is still encrypted.
In theory, you know whom you are talking to. In practice though, every company and authoritarian government wants to sniff, be it through https proxies or enterprise-wide certificates.
User-friendly recognition means some way to say this is a certificate from John Doe, France. Probably a green box in the URL bar like EV certificates used to be, but maybe blue instead.
Someone has to explain the threat model to me better. If I go to google.com and the certificate says the site is owned by John Doe (France) I should be suspicious. Is the problem that the certificate validates something other than the domain name? Any government can already easily get a domain certificate for google.com.
The certificate is associated with a private key which can decrypt the traffic for a session established using the cert. The issue is that, given a bogus certificate from a trusted authority, someone can impersonate any site they want, then proxy the traffic to the real site and spy on your session.
Longer explanation:
If an organization is able to obtain a certificate that the browser trusts, which matches the domain name you are visiting, then they can easily terminate the TLS at the organization's server, then make a new request to the site, where the encrypted session is between the site and the organization's proxy server. They get an effective man-in-the-middle attack and your browser pretends like everything is secure because there is a trusted certificate matching the domain name you visited. The browser doesn't throw up any red flags because it doesn't differentiate between certificates, only certificate authorities.
So if a 3rd party can acquire an arbitrary certificate for some domain, and the 3rd party has the private key associated with that cert, and the same 3rd party can intercept the traffic between you and the domain in question, then they can get your traffic in the clear and there are no obvious signs that they did it.
Given the current state of TLS and the way browsers deal with certs, the only way for a user to discover that something is amiss is to investigate the details of the cert. Then they might notice that it was issued by a suspicious certificate authority. Unfortunately, the proposed EU law is attempting to prohibit browser vendors from withholding trust (or otherwise scrutinizing) the state-controlled (or state-influenced) certificate authorities, with the intention of preventing browsers from interfering with government's ability to issue illegitimate/insecure (but you must trust them, or else!) certificates.
Wait, your government issued certificate? That makes no sense. You think the hypothetical government MITM device will identify who's connecting to it, then sign google.com with their personal identity certificate? Instead of just signing all of them with a specific real or fake person's?
I think something more like ssh which exchanges certificates on first connection would be better, maybe with expiry, pinning, and sending new certs before an old one expires. On top of that some way of sending certificates, maybe offline, for really critical things like banking.
The correct move here is not to try and plead with the EU or do other things which implicitly recognise their authority to make such regulation. The correct move here is to hold such regulations in contempt and expressly refute any claim the EU makes to regulating web browsers as illegitimate.
I may as well add that web browsers are generally open source software and their source code thus a form of speech. Recent actions by the EU have made it clear they are trying to start to exert control over web browsers, which they presumably see as prime estate for exerting control over the internet. The correct answer to this is to distribute web browsers from jurisdictions with strong freedom of speech (code) protections, remove any assets from the EU which the EU might try to take hostage to extort compliance, and respond to the EU's frequent attempts to assert "if anyone in the EU uses your product, you have to comply with our rules" with "you and what army."
> This upper bar on security may even ban browsers from enforcing Certificate Transparency, an IETF technical standard that ensures a CA’s issuing history can be examined by the public in order to detect malfeasance.
I don't quite understand that. How does a browser enforce CT? Even if a browser queries CT logs, they're not that helpful without any context, right? How would a browser get anything useful from the logs beyond knowing a certificate was published to the logs?
Isn't it the job of the domain owner to monitor those logs since they're the only one that's going to know definitively if a certificate is illegitimate?
Browsers enforce Certificate Transparency by rejecting certificates which aren't published in CT logs. A certificate that is published in CT logs isn't necessarily legitimate, but at least it's public so domain owners can detect it and raise the alarm if the certificate is illegitimate.
Unfortunately, Article 45 states that certificates issued by EU-mandated CAs "shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1" and paragraph 1 does not allow browsers to reject certificates not published in CT logs.
Thus, EU-mandated CAs will be able to issue undetectable MitM certificates.
When Kazakhstan tried pulling this the browser vendors did that to them and were able to because Kazakhstan couldn’t imprison their executives and employees to compel compliance. The EU on the other hand can and will.
How would the EU punish Google, who is an American company? At most, the EU affects things within its borders. They have no say on the greater Internet.
The EU had better invest in its own browser if it intends to outlaw encryption.
A better example would be Brave or another smaller organisation.
Big multinationals have employees and assets everywhere that can be threatened.
However smaller organisations operating from a single jurisdiction can only be threatened by their local government (or at least with the consent of their local government).
I thought about Brave, but because they repackage Blink, the EU could choose to go upstream and target the engine rather than the browser, and Google ends up part of the equation anyway.
Firefox is in the US, right? Pale Moon is too iirc and they forked Gecko to make Goanna.
It's very hard for legal tools to change open source engines. Even if they compelled code changes from the engine maker, the downstream browsers could modify the engine code before putting it in their browsers. This is especially true for configuration type changes, like which certificate authorities to trust or which websites to blacklist.
Do you happen to have the full text you're referring to? I cannot find that on Google and the one I'm reading says something else. I also couldn't find it on eff's post
Unfortunately, the text is being drafted in secret and the latest version has not been released publicly. I have seen a leaked copy but I don't have permission to post it. I can attest that the various posts and letters speaking against eIDAS are accurately representing the text.
I know this isn't a satisfying answer, but blame the EU for drafting legislation in secret.
Why are we arguing about something still in the drafting stage, then? If they're still working on it, they're still working on it. It's not even finished to the stage where the public or the parliament can review it. There's probably stuff in there they're still thinking through and will eventually delete.
Laws don't go from secret drafting, straight to law. They get public comments, the parliament has to vote on them, the commission has to vote on them (I think - something like that), they go back to drafting to make an amended version that's more acceptable, etc etc... of course the unfinished draft version isn't acceptable.
This isn't the first time everyone's got upset about an unfinished EU law. All previous times, it was shot down by the EU Parliament, who are supposed to represent the citizens.
Because this is not the “start of drafting” but roughly “final text that is largely a rubber stamp approval.” This is the output of having been through the the trilogue process - where the Parliament would/has shut things down before - and not been shut down.
> A certificate that is published in CT logs isn't necessarily legitimate, but at least it's public so domain owners can detect it and raise the alarm if the certificate is illegitimate.
Oh yeah. I can't believe I didn't put that together. Thanks for spelling it out :-)
The certificate contains signatures from the CT logs. The browser can either accept those signatures or check the CT log itself. This "enforces" CT for the certificate of the site you're accessing, but not necessarily the CA.
Of course if a certificate comes up that fails CT logging, that can raise scrutiny of the CA.
I don't understand how they think they can force EU citizens to use only approved browsers. What's to stop anyone who wishes to from using a non EU one and changing the user agent.
They can't and won't. Just like nothing stops an EU citizen from taking the USB-C charging port out of their new iPhone and changing it to a Lightning port...
Well, the law[1] stops them, if they feel like following the law is important. And to the extent they don't, enforcement provisions in the same might compel them. Same as "what's to stop anyone who wishes to from shoplifting", really.
But this misunderstands the situation anyway. The overwhelming majority of web clients that interpret CA data are provided by default in devices sold by companies with a clear interest in following the law; because if they don't they can't sell products.
[1] Which I won't engage on, except to say that this seems a lot more like "dumb mistake in the legislation" than "evil plot by an unelected metagovernment" to me. The hyperbole on issues like this gets out of control sometimes, and the EFF seems to be getting worse about it and not better over time. They used to be pretty cerebral.
The companies offering browsers will probably be punished with harsh fees by EU courts if they don't implement things like IP based discrimination. You would get around only with a VPN.
Or it will be circumvented by anyone out of EU reach mirroring the good software versions and offering them for download to all. There are thousands of people with their own web hosts who would probably be willing to do that, myself included.
EDIT: I wrote the above thinking of desktop operating systems. It's much worse on e.g. iOS if the only way to get a browser is through the store, and the store isn't allowed to provide the good browser version in some regions.
Simple, they’ll also mandate that the web sites use WEI and check for approved browsers. They will also lean on software distributors to not distribute unapproved browsers or be fined, jailed or lose their ability to distribute software to Europeans. Think of how they tighten the screws on crypto and end-to-end encryption — same playbook!
At every step those that don’t follow the EU’s rules will get fined by the same apparatus as GDPR violators
This isn't an attempt to break encryption. Can you show how it is? The EFF has just posted a load of FUD in this article - governments already control CAs, so giving them another one wouldn't give them any new interception capabilities. Actually eIDAS would give them less interception capability, since the browser would have to display some icon saying it's an eIDAS certificate, which it doesn't do for other CAs.
Their claims center around "the current language is imprecise" and I'm having a really hard time seeing why that's a problem for a bill that hasn't even finished being written yet.
It does make a technically correct claim that QWACs are currently accepted by browsers. However, the reality is that QWACs are only accepted by browsers if the issuer fully complies with both CAB Forum baseline requirements, and Root program rules. The entire purpose of the clause in question is effectively to ensure an EU Bureaucracy is responsible for for setting rules instead of CAB Forum and Root programs.
Another example it is absolutely true that the eIDAS 2.0 regulars impose some certain weaker security requirements than current browsers.
A trivial example is that the response claims QWACs will comply with Brower's Certificate Transparency standards, but those standards are not in the regulation, and the regulation makes it clear that a browser cannot reject QWACS for other reasons not listed in the regulation.
Another example, Mozilla has found that CAs who simply request audits done to ETSI standards (the standards imposed by this regulation) will often end up with audits that are incomplete (unable to audit all relevant controls). This can happen for legitimate reasons, but the audit results don't provide enough details here, hence Mozilla added a requirement for an ETSI Audit Attestation Letter (AAL) that explains these limitations. Even worse, once the impediments are no longer in place, by often ETSI auditors do not re-audit the previously un-auditable controls for the last time period. Mozilla needed to impose additional rules including explaining what if any controls could not be audited, and also rules that the next audit must cover previously un-auditable controls for the previously issued audit, in addition to auditing for the that time period. Describing how to do this audits properly within in the ETSI context is complicated because the ETSI audit standards were not really designed to make such rules (Full audit of all controls over all timespans, re-auditing later if some controls could not be evaluated for any reason the first time) easy.
This won't stop here. Whoever in the EU government is willing to suffer the bad PR optics of outlawing Firefox, is willing to go further I'd wager. How long before Linux is banned in the EU on personal devices?
Can we stop the FUD? Your comment is the equivalent of saying the EU government is willing to outlaw iPhones: No they're not, they're just saying they have to have USB-C charging ports.
You think if the government issues certificates this breaks TLS? I had no idea it was so fragile.
Here's what's happening - the government wants a unified framework for digital identity. They're not saying you have to use it, but they want the framework to be there.
Part of the framework is that you can get a certificate with your name on it, signed by the government saying this is officially you, and you can put this on a website to digitally sign the website.
Obviously the government-issued certificate is going to have certain parameters, and they want browsers to accept these parameters so these websites will work.
How else would you possibly do this, than publishing the certificate parameters and saying browsers must accept these? I don't think they prohibited the browser from saying "this is an EU identity certificate", did they? I imagine it appears as an EV green box showing the person's name and country code.
I don't know why I'd ever want that to appear on my website, but I guess some people do.
> You think if the government issues certificates this breaks TLS? I had no idea it was so fragile.
Nice strawman. The actual situation is that the government wants to require browsers to accept signatures from CAs that the government selects, and ban them from validating the security of the certs signed by those CAs. In other words, they want the ability to be able to issue their own cert for example.com and forbid the browser from telling you that it's signed by a .gov rather than, say, Comodo.
With this idiotic, mandated arrangement, it would be impossible for an end user to tell whether they were speaking directly to example.com or to the government's MITM proxy.
Well, yes? Part of the government issuing certificates for people is that those certificates shall be accepted as proof of identity, including in browsers. I'm not sure how else you'd like to do that. Maybe they issue certificates but nobody accepts them? No, that way is madness.
> and ban them from validating the security of the certs signed by those CAs.
I'm going to need a source on that one, chief. Are you talking about this part?
> To that end, web-browsers should ensure support and interoperability with Qualified certificates for website authentication pursuant to Regulation (EU) No 910/2014. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty.
Maybe you are talking about this?
> For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner.
Frankly, displaying the fact that a government issued identity certificate is used seems to me to be the exact opposite of a MITM, but what do I know?
Where does it say that if google.com has Angela Merkel's personal certificate instead of Google's one, the browser shall present it as a secure connection?
I recommend reading the eff.org article linked above. It states: "Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government. Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government." and: "The current text of Article 45 requires that browsers trust CAs appointed by governments, and prohibits browsers from enforcing any security requirements on those CAs beyond what is approved by ETSI. In other words, it sets an upper bar on how much security browsers can require of CAs" and: "This upper bar on security may even ban browsers from enforcing Certificate Transparency"
If you can't connect the dots and understand why people are upset, I can't help you.
Government-issued identity verification is at least as good as private-entity-issued identity verification, since, you know, the government is the one with the databases of identities.
It's not FUD it's the truth, they OBVIOUSLY want to control everything and remove privacy and enable government surveillance. They have just proven that by trying over and over again. They just know they can not blatantly outlaw Linux or things like that, that is why they try to sneak in shit like this with some buried text on the legislation. If they could at the flip of a finger outlaw Linux and things like that and impose total control, they would for sure do it instantly. It's just that it's too established, too common so there would be too much outrage, so they try to break encryption this way instead. If they had their way, they would have a total control!
I will not do what you ask because you will not believe it anyway. You are desperately clinging on to some failed mindset that they are out for you because you like that they force Apple to use USB-C or whatever.
You also seem not to read the actual point of the objection everyone has. They want to SPY ON EU citizens! WTF are you not understanding about this? Its all explained in the EFF article and countless others that are on top of HN right now. If you not see the INTENTIONS and the slow creeping dystopia you are blind. I am not going to search some specific text part out for you that proves that, its perfectly obvious for people who follow just a little bit of news and have common sense.
It's a slippery slope. In my language (french), we call it "sausage politics", where you take small slices of your freedom one by one. This regulation is unwanted by anyone in the EU, creates security risks, and relies mainly on "trust me I won't do anything bad", that we all know is not going to happen.
Also, laws can't be reverted in the EU semi-dictatorial regime, so, such things are really dangerous. Each year that goes, I'm thinking of a plan to leave, as our freedoms get lower and lower. Recently, the digital services' EU gauleiter declared that "content calling for rebellion" should be deleted from social media.
Same goes with AML, and with the digital ID, where your government will have a single key allowing to know every service you're registered to. And let's not speak about the CBDC.
The Internet is a place where governments have very little power.
Even if this passes, it will not affect anyone who cares about hosting things correctly.
Governments hide much more from people, and they have much less moral reasov to do so! If anything, it's inside gov't comms that don't deserve protection.
Pissbabies mad that they can't spy and want to abuse policy to force it.
Good luck reverse engineering math, govs. Y'all can't win this one.
I wonder if eIDAS is deliberately made to sound like edas in John Ringo's Legacy of Aldenata books? Edas was a crippling debt that lasted one's whole life that was designed to keep people in slavery.
If this passes, I will keep an eye on Browsers and if they actually help people mitigate the problem in some way. Like will not new CAs spawn outside the EU like in Switzerland and sites will begin to advertise they that is a certificate from Switzerland where we have at least a bit more trust in that the EU will not spy on?
I am really curious on how this will play out. Will they mandate a certificate for sites that server the EU that they have control over? This is fucking insane.
We need some new tech that is decentralized, where they just can't do this kind of thing. Hopefully this spawns something. SSL seems to be outdated and unfit for this job, as this clearly shows.
No, any law can be changed. The closest you can come is to make a Constitution hard to change and embed a right to free speech, including encrypted speech, therein. Anything beyond that has to be a cultural conservation.
Bit trickier in the EU. The countries themselves have constitutions that can be amended, with varying ways in which they can be enforced.
In theory this should give sufficient protection, but it becomes a bit complicated if the EU enacts regulations that contradict national laws or even the constitution.
The EU derives its power not from a constitution but from its founding treaties. As best I can tell the EU claims these treaties have precedence, but honestly it's a bit unclear how it could overrule the constitutions that gave the signatories the power to ratify the treaties. I do know that the EU wasn't happy when Poland ruled some parts of these treaties unconstitutional (which is really part of a much bigger political fight, but is illustrative).
Most postwar constitutions explicitly allow for transfer of sovereignty to structures necessary to maintain peace among nations. They were originally meant for UN-like organisms and apply equally to the EU.
Canada’s “constitution” explicitly creates a back door right in section 1. I’ve heard Canadian legal scholars comment that the only part of the Charter that would likely completely stand up against a section 1 challenge is section 12: “the right not to be subjected to any cruel and unusual treatment or punishment”
Alas, there's just so many people with so many reasons for wanting to grab & coerce the noosphere's thoughpaths to route through their specific power grabs. The move would spring up spontaneously in so many ways.
Thanks again EFF for so vigilantly watching against encroachment.
It doesn't really have anything to do with the Internet. CALEA only applies to phone calls. VoIP calls are only encrypted to and from the carrier, so they can tap them there with pre-existing telephony hardware if they have a warrant to do so.
It applies to broadband, in the second paragraph of the wikipedia article: "it has since been extended to cover broadband Internet and VoIP traffic. Some government agencies argue that it covers mass surveillance of communications rather than just tapping specific lines and that not all CALEA-based access requires a warrant."
Oh, wow. Wikipedia's statements are uncited so I kinda ignored it, but a DC court did okay that rule even though the statute says it doesn't apply to the Internet. That is worrying. Still it only allows the police to have switches forward packets to them. It doesn't have any ability to decrypt traffic.
Isn't this a new Schrems situation? Just because the commission can make a law doesn't mean that it's legal. Seems like it would certainly interfere with the European Convention on Human Rights that grants everyone right to privacy of it's personal life and correspondence – meaning the CJEU would overthrow this law in an instance?
What are the practical steps to this outcome. Presume this becomes law. Then do we need a person with standing to bring a case? Is there some other mechanism? Does CJEU rule without a case? How does this happen and more importantly, how long does it take. If the process is weeks or months, we may stand a chance. If it's years, the damage will have been done with a generation of compliant (broken) products and hundreds of millions of people deprived of privacy.
But on the Internet, it doesn't work that way. You can't just do your own thing, lest you kneecap your citizens. How will the Europeans citizens react if their own "free and democratic" governments take away their access to Wikipedia? Or Facebook? Or Tiktok?
Using known suspect TLS Certs would also violate basically every B2B contract. When businesses sign contracts for SaaS applications, it involves some verbiage about encryption and best practices and data security in transit and at rest. What business will WANT to sign a deal that says "Yes, it's ok to use a TLS cert that we know our government can intercept" when they have the option to use a cert from someone else that's secure? Cool, shoot your own businesses in the foot too, while you're at it.
Freaking politicians. Can't be bothered to do anything about the issues we citizens ACTUALLY want, but instead are too busy meddling in shit that no one wants.