from Hacker News

Last Chance to fix eIDAS: Secret EU law threatens Internet security

by mnot on 11/2/23, 5:57 AM with 299 comments

  • by supriyo-biswas on 11/2/23, 10:14 AM

    For anyone who’s about to say that surveillance isn’t the point of this legislation: it definitely is; we very recently saw Germany trying to MITM jabber.ru users[1], having a CA that can be asked to issue any certificate is definitely something that’d be used for surveillance purposes.

    [1] https://notes.valdikss.org.ru/jabber.ru-mitm/

  • by dang on 11/2/23, 11:01 AM

  • by NoboruWataya on 11/2/23, 10:08 AM

    Very concerning. As a slight aside though, it is not a "secret law". All EU laws are published on its website in every official language, and the vast majority of laws (including this one) must be publicly ratified by the directly elected European Parliament before coming effective.

    They should tone down this kind of sensationalist clickbait that I would expect to find in UK tabloids. They probably think it helps them impress the urgency of the matter on the public but frankly it just makes me doubt the veracity of the claims made in the article (though in this case I trust Mozilla and would hope that they are not misrepresenting the content of the law itself).

  • by calgoo on 11/2/23, 8:38 AM

    So what happens to open source browsers? Will they be forced to implement it? Are the governments going to audit the code to make sure no one is releasing a version that has removed the government certs or are they going to outlaw open source browsers?

    Again, this is not going to catch anyone with half a braincell that is trying to do something. This is just going to catch everyone else.

    I wonder if this will tie into the BS that Google was trying to implement that would make it impossible to modify the webpage using adblockers etc. making it so you can't navigate the web if you are using a uncertified browser.

  • by 5ersi on 11/2/23, 11:55 AM

    If you are concerned by this proposals, then you should check out current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in MITM attack.

    For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

    The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have ability to capture IP traffic (requires cooperation with ISP) 2. have ability to generate rogue certificate via cooperation with CA

  • by agarsev on 11/2/23, 10:48 AM

    Just adding a perspective (not necessarily mine, I'm still on the fence) supporting this legislation from a tech-literate person in the EU.

    The digital administration in my country has made my life so much easier. We all have mandatory ID cards since decades ago, but now they have a chip with some certs for auth, signing, etc. I can check my taxes, fill government forms, see any traffic tickets, sign official documents from my home thanks to this. However, as far as I understand, this relies on my user agent accepting some particular CAs. This is critical, to the point of my browser preventing me access to some parts of the administration if the CA is not up to date or recognised or whatever.

    What this legislation proposes, if I understand it correctly, is putting in the hands of the government the power to administer (part of) this CA infrastructure. As with many EU-related legislation, this forcefully transfers power from private (often American) entities to EU governments. I guess when trust in your government is higher or equal to trust on private firms, this doesn't sound so bad.

    Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.

  • by jruohonen on 11/2/23, 6:30 AM

    From:

    https://data.consilium.europa.eu/doc/document/ST-14959-2022-...

    Article 45(2): "Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises, considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC in the first 5 years of operating as providers of web-browsing services."

    Article 45a(3): "A qualified electronic attestation of attributes issued in one Member State shall be recognised as a qualified electronic attestation of attributes in any other Member State".

    Article 45a(4): "An attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall be recognised as an attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source in all Member States."

  • by phasmantistes on 11/2/23, 4:32 PM

    Fundamentally, the whole issue with eIDAS comes down to one thing: you cannot mandate trust.

    If it's mandated, it isn't trust. It's something else. By mandating that browsers "trust" certain CAs, they're breaking the entire trust model of the internet.

    My only question is whether they truly don't understand this, do understand it but don't care, or are actively interested in destroying that trust.

  • by judiisis on 11/2/23, 8:01 AM

    India is also preparing legislation for OS and browser having their CA, they also launched their own web browser challenge https://iwbdc.in/ .They were earlier removed due to unauthorised issuances https://pkic.org/2014/07/24/in-the-wake-of-unauthorized-cert...

  • by fuoqi on 11/2/23, 8:38 AM

    If certificates issued by those CAs will be tied to independent (from EU) certificate transparency (CT) services and to specific national top-level domains, then I am completely fine with this. After a big number of websites in Russia (including the biggest bank in the country) have effectively lost access to the CA infrastructure used by commonly used browsers, I don't think any honest person can say that the current status quo is robust enough. So it looks like EU simply hedges against this potential infrastructure risk.

    To mitigate the MitM risk I believe that CT and limiting CA to specific top-level domains (so a hypothetical RU CA would not be able to issue certificates for .eu or .com) should be sufficient enough.

  • by perihelions on 11/2/23, 10:58 AM

    Ignorant question: what happens if Mozilla or Brave or whoever says fuck that, we're not complying? What's the enforcement mechanism for non-EU-based devs publishing FOSS freely on the global internet?

  • by galadran on 11/2/23, 9:48 AM

    https://eidas-open-letter.org

    The open letter signed by 300+ researchers, professors and experts.

  • by pxeger1 on 11/2/23, 8:05 AM

    I’m assuming this another… misguided… attempt by the security services to make their jobs easier. The grip that intelligence communities apparently have on our governments is ridiculous. Why do they have such influence?

  • by Hard_Space on 11/2/23, 11:44 AM

    Wow - this one really crept up on me, after years of seeing it shot down in flames by people who actually understand the technology, and the implications (not least, the security implications). I wonder if the recent passing of the UK act emboldened them..?

  • by galadran on 11/2/23, 8:33 AM

  • by galadran on 11/2/23, 8:48 AM

    Title should probably be: "Last Chance to fix eIDAS: Secret EU law threatens Internet security"

  • by matthews2 on 11/2/23, 8:41 AM

    How will this be enforced? If Mozilla or Google added some hard coded certificate into a new browser version, what if a distribution like Debian patched it out? Or if a user can delete it from the certificate stores themselves?

  • by johnfonesca on 11/2/23, 10:28 AM

    eIDAS is a cartel created to protect the business interests of EU biggest certification authorities.

  • by runnedrun on 11/2/23, 9:06 AM

    Does anyone know what the supposed benefits are for this kind of bill? Are proponents overtly advocating for increased surveillance ability?

  • by radicalbyte on 11/2/23, 11:31 AM

    It's worth noting that the technical team have a github where issue such as this can be raised.

    https://github.com/eu-digital-identity-wallet

  • by sirwitti on 11/2/23, 9:18 AM

    I'd like to see what the european court of justice will have to say about this, should this actually become law.

  • by kmeisthax on 11/2/23, 7:07 PM

    So, the law says browsers have to trust eIDAS keys, but it doesn't say browsers can't complain about it, right?

    Like, put the eIDAS keys in a special "signed under protest" trust root, and throw up a bunch of scary warnings about how the EU is forcing Mozilla to trust those keys whenever they are used. Phrase it so that people who think "SSL warning" means "click advanced and 'i know the risks'" understand that this is equivalent to letting the CIA read your text messages.

  • by jruohonen on 11/2/23, 6:04 AM

    Oh dear, shooting on one's foot once again.

    Fortunately, they cannot forbid a natural person from removing any given certificate. If this passes, I am sure we have blacklists and scripts for these in no time.

  • by anonymousnotme on 11/6/23, 4:22 PM

    As far as certificate authorities (CAs) build into the browser: One way around this might be that the browsers ship with the CA as required by law, but that one can disable/delete the CA via the UI. I would guess that a law would be passed that says that the browser can't disable/delete certain CAs (perhaps this one also says that). There can be a list of various government CAs that one might want to disable. This does not help if governments can pressure CAs to issue an alernate CA for use in MITM. Does any of the CA transaprency help? What about a way to have people endorse a certficate (i.e. reputation)?

  • by jeremiahlee on 11/2/23, 12:23 PM

    EU citizens wanting to oppose the current eIDAS proposal can use my edit of the open letter to send to their Members of European Parliament: https://www.jeremiahlee.com/posts/2023-eu-eidas-feedback/

  • by PeterStuer on 11/3/23, 7:52 AM

    Honest question, so please bear with me.

    How would an EU government that uses the Internet for servicing its citizens tell those citizens that the site they are accessing to provide very sensitive information is realy the government's and not some other actor's mitm'ed snooping conduit without having control of their own root CA?

    Is demanding browsers distributed to EU citizens to carry this certificate different from demanding phone companies to route emergency service numbers correctly?

    Ofc I can see the 'dark' potential for a mandated cert. Is this realy different from current browsers ubiquitously storing trusted root certificates from CA's issued by private companies residing in states with very serious compelled secret goverment access laws and regulations?

  • by pandastronaut on 11/2/23, 11:05 AM

    Candid question : if this is european legislation, how browser editor would handle this regional specific requirement ? Provide several flavor of their browser ? I doubt people and companies from outside europe would agree to use a european flavored version of their browser.

  • by lakomen on 11/2/23, 4:16 PM

    It's like, anything coming from the EU lately in regards to IT is a totalitarian nightmare

  • by varispeed on 11/2/23, 10:16 AM

    Seems like some politicians from EU commission had parents in Stasi, KGB and other organisations and became allured by the stories of watching other people, learning they secrets or perhaps even seeing their naked photographs.

    So these pervs now want to do the same. For what?

  • by surfingdino on 11/2/23, 12:58 PM

    This is concerning, but I still have faith in big orgs' and governments' inability to do a simple thing right while paying consultancies a lot of money for it. I have experience implementing banking infrastructure using eIDAS for participant identification and I know how CAs and financial institutions do not get eIDAS. They make rookie mistakes and deny they've done something wrong for months while blaming the other party and seeking regulatory exemptions. I'd be surprised if the EU governments were able to implement it. What wouldn't surprise me would be them blaming browser devs for it.

  • by demarq on 11/2/23, 4:07 PM

    People are already self censoring what they really think on social media, this will push people to self censor in private convos.

    At that point you’ve got to wonder what happens to democracy, when people are afraid to exchange ideas

  • by JanisErdmanis on 11/2/23, 11:40 AM

    Contrary to the majority of opinions here, I see this as a reasonable development for the state’s sovereignty, which will positively affect the decentralisation of certificate authorities. I hope that unprofessional negligence by European authorities will produce enough precedents and evidence to show that certificate authorities can’t be trusted blindly, and we will end up with transparent certificate authorities and web browsers which will audit every certificate with public logs with the help of History Trees.

  • by verisimi on 11/2/23, 8:46 AM

    Lololol

    "We need to be able to break security so we can see all your data, to keep you safe! Terrorists! Child abuse!"

    "hmm yeah, but who's going to keep me safe from you?"

  • by lacoolj on 11/2/23, 1:40 PM

    EU is not the only place with insane laws like this in the pipeline. USA has been trying to introduce this kind of thing (EARN IT Act 2023) as well, under the guise of "preventing child trafficking".

    Terrifying times we live in where we may not even be able to keep our medical or financial information private anymore because of a handful of people voting on something they don't understand.

  • by algesten on 11/2/23, 10:31 AM

    To protect myself or my company, what about a pihole (or similar) that rejects any TLS connection attempted with certs signed by these root CA?

  • by xinayder on 11/2/23, 5:22 PM

    Does someone else think it's an extreme coincidence that we have Chat Control and now this in place? Pretty sure the negotiations around Chat Control revolve on this eIDAS being approved, that way you don't "undermine" encryption because, well, you have the keys to decrypt everything.

  • by diego_sandoval on 11/2/23, 9:56 AM

    The proposal is so obscene that I doubt Apple, Google or even Microsoft would ever comply with it.

  • by j45 on 11/2/23, 3:05 PM

    Maybe LLms can help people more effectively engage with their political representatives on topics like this.

    I’m increasingly convinced that this type of legislation will continue to proliferate until legislation banning it is not pushed for and put in place.

  • by phendrenad2 on 11/2/23, 1:45 PM

    In the EU they will take something that should be a standard, make it an actual law, and pretend it isn't about spying on you, and expect you to believe it. Very 1984.

  • by Jensson on 11/2/23, 8:05 AM

    There is nothing there that says every service must use specific certificates, just that browsers should accept certain ones. So this in no way breaks encryption for apps who care, this only reduces security on apps that wants to reduce security.

    For example, if you use private "e2echat.com" it can still use safe certs and be safe, the risk is only that "governmentchat.com" will use bad certs, which was already a risk.

  • by Aerbil313 on 11/3/23, 5:10 AM

    Call it surveillance or whatever. It really isn’t. Trust and power as manifested by modern technology was and should be a reflection of real life trust and power. Historically, human societies’ governing bodies had all the power to exert as they wish on their citizens. Past couple decades were a deviation from this normal, not in the real but in the online world. You could work against the values of your own government without them being able to find and catch you. This legislation is just a correction to the resulting power imbalance, as the online world has increasingly more power on real world.

    I think we’ll see the internet and digital ecosystems being segregated into separate parts with boundaries correlating to those of nation-states more and more by the year. As a member of a nation who is not exactly very comfortable with a US-dominant world, I’m all in for it. It’s a national security issue for me. Knowing that some three letter agencies on the other side of the world can surveil me against my rights as per my country’s laws. Or that payment systems (Visa/Mastercard), or Google Maps (you don’t know how vital of a service it is) or satellite internet[1] can stop working if US and her allies determine my time has come.

    Developing technologies has a power-centralizing effect, and very often it creates a disadvantage for everyone else who didn’t invent the thing first. Not exactly the world I’d have pictured as a desirable one had I lived 5 centuries ago. Maybe read some Ted Kaczynski?

    1: Elon Musk stopped Starlink service in Gaza. They have no communications with the outside world.

  • by ryukoposting on 11/2/23, 11:49 AM

    I've generally been supportive of the EU's web regulations, but this is utter insanity.

  • by 2-718-281-828 on 11/2/23, 12:26 PM

    you'd almost think that the /ˌiːˈjuː/ is bent on subverting the internet. i'm experiencing fatigue from news like that already. can't they just stick with what they do best, standardizing vegetables and banning british sausages?

  • by moogly on 11/2/23, 5:25 PM

    If they want to push more people to use the dark web, this would do it.

  • by elric on 11/2/23, 9:21 PM

    Could someone link to some actually helpful writeups on eIDAS? The linked article doesn't mention what eIDAS is about, only vague but strongly worded language about it having to be stopped, with no justifications or even what it is.

    The comments too are less helpful than usual. A lot FUD and anti-EU sentiment (which may or may not be warranted, but there's very little objective reasoning going on).

    Addendum: yes, people could look it up, but given the strong call to action ("last chance to fix eIDAS!"), I would suggest that the onus to provide clear information is on the authors. You can barely get people to care about privacy at all, let alone when so little information is provided.

  • by workfromspace on 11/2/23, 9:59 PM

    https://archive.ph/Ilhes (because it's a NRD-newly registered domain which my dns-hole blocks)

    Also brief info about website (for the ones who doesn't want to visit an unknown domain without knowing):

    A Mozilla website for open letter by 300+ cyber security experts, researchers and NGOs.

  • by mindcrash on 11/2/23, 8:25 PM

    Not just "internet security". There has been discussion that they want to use eIDAS for a lot of things like identification in general and even a health passport.

    Consider that last thing. We have this thing called bodily integrity [1], which guarantees everybody has self-ownership regarding their body and thus what can be done with it.

    However, in the COVID period, it was clear as day that those who govern us dont give a rats ass about something like bodily integrity and going as far as taking away freedom of movement in order to make people comply with injecting themselves with a - until this very day - experimental vaccine.

    Now consider what TPTB could do with a powerful toy like eIDAS.

    So no, it is not "just" about internet security. Its about slowly and surely stripping away every human right you have as a EU citizen.

    [1] https://en.wikipedia.org/wiki/Bodily_integrity

  • by bjornsing on 11/2/23, 10:32 AM

    I’m so tired of this shitstorm of crap EU regulation. Death by a thousand cuts…

  • by mbwgh on 11/2/23, 9:20 AM

    The following quote from former Jean-Claude Juncker, president of the European Commission sums up the way the EU seems to work quite nicely:

    "We decide on something, leave it lying around and wait and see what happens. If no one kicks up a fuss, because most people don't understand what has been decided, we continue step by step until there is no turning back."[0]

    [0] - https://en.wikiquote.org/wiki/Jean-Claude_Juncker