by slics on 11/8/23, 11:41 AM with 69 comments
by mrtksn on 11/8/23, 12:35 PM
Now every government security agency dreams of having complete access to the communications of everyone so they don't go through the trouble of doing their job. First UK, now EU.
Although I'm generally closer to the EU mentality of trusting the governments more than the corporations, this aspiration of the governments is just too much even if the European governments were perfect (they are far from it).
IMHO these are good-intentioned ideas by the people who are responsible for providing security, it's just that they are the too narrow-minded brainchild of incompetent bureaucrats.
"How easy would my job be if I was able to access the communications between terrorists/pedos/spies etc."
Yeah right, we all exist to make your job easier and that's the top priority over everything else.
by chmod775 on 11/8/23, 12:32 PM
> EFF warns incoming rules may return web 'to the dark ages of 2011'
I don't want this law to pass, but I have fond memories of some of the communities that existed back then. If it passes, I at the very least hope like-minded people find a reason to congregate and practice fuckery again.
Obviously (for now) this law is easy to "opt out of" as a user - just download your browser from a mirror outside the EU, or remove the EU certs manually on your end. It's also a dumb law because it makes traffic interception trivially detectable by the end user - the EU is telling you that they're going to use these root certs for it! If they think nobody is going to modify their browser to POST not-safe-for-life imagery whenever such a cert is detected, they're probably wrong.
by snvzz on 11/8/23, 12:11 PM
There's ongoing work in this field, but it is now a priority to have it ready.
by SenAnder on 11/8/23, 12:05 PM
by ho_schi on 11/8/23, 1:27 PM
Self-Signed actually is the only trustworthy approach to use certificates. And with QR-Codes or ASCII-Art it is user friendly. Your partner (e.g. bank) would print a hash/fingerprint on the contract and the user MUST check it on first connection.
Too complicated? SSH does that always. PGP is built upon the idea of users themselves trusting. No end users?
Signal and WhatsApp! Actually you need to check the hash/fingerprint in the profile of your chat or you’ve only an encrypted connection but no security about who receives the messages.
I think we should drop the entire approach of Certificates and issuing through “Authorities”. SecureBoot was flawed from the very first moment due to its use of Certificates signed by an Authority named Microsoft. And a top-down security enforced from companies isn’t one.
PS: Lenovo turns off SecureBoot when you order a Laptop with Linux. A wise decision. I just miss a note that the password for hardware-disk-encryption and UEFI.
by jcfrei on 11/8/23, 12:59 PM
by noirscape on 11/8/23, 12:50 PM
Important to note is that the main thing everyone is up in arms about, the TLS/HTTPS certificate stuff, already got adjusted after browser makers complained about it; browser makers aren't mandated to trust any certificates for internet traffic and DNS resolution. The only real problem left is QWACs in general being a part of the proposed legislation from what I can tell.
The rest of the bill seems more aimed at providing an easier authentication method to safely export private data. Could (hopefully) be good for dealing with KYC laws.
Digital stores obtain so much information to comply with those laws and it's a giant risk with things like the GDPR. As I understand it, under this law they could just store the absolute minimum (the reference ID for the centralized system in question) and if KYC laws are ever needed by the government, they can supply the ID rather than having to store a lot of Personal Information (which is a big issue with data breaches and the like being what they are).
by littlestymaar on 11/8/23, 12:42 PM
This is already possible though, all a state needs to do for that is to bribe Microsoft[1] like Tunisia did ~20 years ago to include a government intelligence agency's root certificate that can then be used for MitM.
[1] and/or Apple and Google, if they want to target mobile devices as well.
by xaitv on 11/8/23, 12:39 PM
by illiac786 on 11/8/23, 7:36 PM
> that government can ask its friendly CA for a copy of that certificate
1/ copying/reading the certificate without the private key is something every TLS client must be able to do, this is a must. It is absolutely not a security concern.
2/ copying the certificate and the private key would be a concern, except a CA never sees the private key and hence cannot have it. The CA signs a CSR which does not contain the private key.
Overall I still agree with the article since the problem is not that the CA can copy the cert but rather that it can issue a new cert for the same URL, enabling MitM attacks.
Also, I guarantee this gov CA will be breached in no time. There would be simply too many government agencies with access... Impossible to secure.
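Added example, not part of any comment in this thread: a sketch of the fingerprint check ho_schi describes (verify against a printed fingerprint on first connection, as SSH does) and of how such a pin flags the case illiac786 raises, a different certificate issued for the same name. The host name, the `PinStore` class and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER certificates. In real use the bytes come from
# ssl.SSLSocket.getpeercert(binary_form=True).
BANK_CERT = b"constructed: bank.example leaf certificate, key held by the bank"
REISSUED_CERT = b"constructed: bank.example leaf certificate, other key, other CA"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()

def printed_form(cert_der: bytes) -> str:
    """Fingerprint as it might be printed on a contract: AB:CD:EF:..."""
    fp = fingerprint(cert_der).upper()
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))

def normalize(printed: str) -> str:
    """Strip colons, spaces and case so typed-in fingerprints compare equal."""
    return "".join(c for c in printed.lower() if c in "0123456789abcdef")

class PinStore:
    """known_hosts-style store: hostname -> fingerprint accepted on first use."""

    def __init__(self):
        self._pins = {}

    def check(self, host, cert_der, printed_fp=None):
        seen = fingerprint(cert_der)
        pinned = self._pins.get(host)
        if pinned is not None:
            # Later connections: any other certificate for this name is
            # flagged, even one that chains to a trusted CA.
            return "ok" if hmac.compare_digest(seen, pinned) else "changed"
        if printed_fp is None:
            return "unverified"   # encrypted, but the peer was never checked
        if not hmac.compare_digest(seen, normalize(printed_fp)):
            return "mismatch"     # not the certificate the contract names
        self._pins[host] = seen
        return "pinned"

def demo():
    store, paper = PinStore(), printed_form(BANK_CERT)
    return [store.check("bank.example", BANK_CERT),
            store.check("bank.example", REISSUED_CERT, paper),
            store.check("bank.example", BANK_CERT, paper),
            store.check("bank.example", BANK_CERT),
            store.check("bank.example", REISSUED_CERT)]
```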
by rnhmjoj on 11/8/23, 12:47 PM
Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spy on German citizens? Or maybe it is to make sure Italian citizens (regardless of browser vendor) can access the social security website without getting a scary warning message?
by landgenoot on 11/8/23, 12:17 PM
Wouldn't this be very easy to identify?
by dp-hackernews on 11/8/23, 11:51 AM
by pard68 on 11/8/23, 12:39 PM
by jdthedisciple on 11/8/23, 1:00 PM
Problem solved.
by pelorat on 11/8/23, 12:17 PM
by rvnx on 11/8/23, 12:27 PM
It’s very logical that Europe wants to do the same.