Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections

59 points by slics over 1 year ago

17 comments

mrtksn over 1 year ago
We really need to go back to the days of police actually going through the trouble of investigating and catching criminals - at least in principle.

Now every government security agency dreams of having complete access to the communications of everyone so they don't have to go through the trouble of doing their job. First the UK, now the EU.

Although I'm generally closer to the EU mentality of trusting governments more than corporations, this aspiration of the governments is just too much, even if the European governments were perfect (they are far from it).

IMHO these are well-intentioned ideas by the people who are responsible for providing security; it's just that they are the too narrow-minded brainchild of incompetent bureaucrats.

"How easy would my job be if I was able to access the communications between terrorists/pedos/spies etc."

Yeah right, we all exist to make your job easier, and that's the top priority over everything else.
Comment #38196638 not loaded
Comment #38189832 not loaded
chmod775 over 1 year ago
The current internet is essentially so secure that it doesn't need or have a properly walled-off underground of people who value secure communications. In the West, few people outside actual criminals practice it strictly.

> EFF warns incoming rules may return web 'to the dark ages of 2011'

I don't want this law to pass, but I have fond memories of some of the communities that existed back then. If it passes, I at the very least hope like-minded people find a reason to congregate and practice fuckery again.

Obviously (for now) this law is easy to "opt out of" as a user - just download your browser from a mirror outside the EU, or remove the EU certs manually on your end. It's also a dumb law because it makes traffic interception trivially detectable by the end user - the EU is *telling* you that they're going to use these root certs for it! If they think nobody is going to modify their browser to POST not-safe-for-life imagery whenever such a cert is detected, they're probably wrong.
Comment #38189972 not loaded
snvzz over 1 year ago
This is insane, and we should hurry up and prepare the technical ways to ensure we know if we are served a different cert than everybody else.

There's ongoing work in this field, but it is now a priority to have it ready.
Comment #38189522 not loaded
SenAnder over 1 year ago
How is forbidding browsers from distrusting spying CAs proposed to work? E.g. would using/distributing Firefox become a crime?
Comment #38189877 not loaded
ho_schi over 1 year ago
I remember a (now removed?) passage in Wikipedia that stated that *self-signed* certificates were considered the default for HTTPS back in the 90s. But the idea of signing by *Certificate Authorities* prevailed. Users instantly get a "lock", creating a feeling of security - and it made some people rich.

Self-signed is actually the only trustworthy approach to using certificates. And with QR codes or ASCII art it is user friendly. Your partner (e.g. a bank) would print a hash/fingerprint on the contract and the user MUST check it on first connection.

Too complicated? SSH does that always. PGP is built upon the idea of users themselves trusting. No end users?

Signal and WhatsApp! Actually you need to check the hash/fingerprint in the profile of your chat, or you've only an encrypted connection but no security about who receives the messages.

I think we should drop the entire approach of certificates issued through "Authorities". SecureBoot was flawed from the very first moment due to its use of certificates signed by an authority named Microsoft. And top-down security enforced by companies isn't one.

PS: Lenovo turns off SecureBoot when you order a laptop with Linux. A wise decision. I just miss a note that the password for hardware disk encryption and UEFI.
Comment #38190526 not loaded
jcfrei over 1 year ago
The problem the EU faces - or the respective national European intelligence agencies, for that matter - is that they lack access to a comprehensive, global data funnel. The US, Russia and China all have their respective systems: the US has access to the data of Facebook (WhatsApp and Instagram), Apple messenger, and Google's Gmail. Russia has Telegram, and China has, I think, Weibo, WeChat, TikTok and probably some more. I want to put the value of these data sources into question - as anti-governmental actors increasingly learn to use other means for coordination - but still, it's an attempt to get a foot into this global arms race.
Comment #38190837 not loaded
Comment #38189882 not loaded
noirscape over 1 year ago
Useful other-side discussion here: https://news.ycombinator.com/item?id=38187479

Important to note is that the main thing everyone is up in arms about, the TLS/HTTPS certificate stuff, already got adjusted after browser makers complained about it; browser makers aren't mandated to trust any certificates for internet traffic and DNS resolution. The only real problem left is QWACs in general being a part of the proposed legislation, from what I can tell.

The rest of the bill seems more aimed at providing an easier authentication method to safely export private data. Could (hopefully) be good for dealing with KYC laws.

Digital stores obtain so much information to comply with those laws, and it's a giant risk with things like the GDPR. As I understand it, under this law they could just store the absolute minimum (the reference ID for the centralized system in question), and if KYC laws are ever needed by the government, they can supply the ID rather than having to store a lot of personal information (which is a big issue with data breaches and the like being what they are).
Comment #38189837 not loaded
littlestymaar over 1 year ago
> This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state.

This is already possible though; all a state needs to do for that is to bribe Microsoft [1] like Tunisia did ~20 years ago to include a government intelligence agency's root certificate that can then be used for MitM.

[1] and/or Apple and Google, if they want to target mobile devices as well.
xaitv over 1 year ago
Even ignoring the whole spying issue (which you shouldn't), wouldn't problems like we had with DigiNotar (https://en.wikipedia.org/wiki/DigiNotar) take much longer to resolve if they had to go through some government revocation process each time?
illiac786 over 1 year ago
Poor understanding of how PKI works.

> that government can ask its friendly CA for a copy of that certificate

1/ Copying/reading the certificate without the private key is something every TLS client must be able to do; this is a must. It is absolutely not a security concern.

2/ Copying the certificate *and* the private key would be a concern, except a CA never sees the private key and hence cannot have it. The CA signs a CSR, which does not contain the private key.

Overall I still agree with the article, since the problem is not that the CA can copy the cert but rather that it can issue a new cert for the same URL, enabling MitM attacks.

Also, I guarantee this gov CA will be breached in no time. There would simply be too many government agencies with access... Impossible to secure.
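The points snvzz and illiac786 make above (and ho_schi's fingerprint-on-the-contract idea), as an added Go example that is not from the thread or any project it mentions: a CA signs only the public key it is sent, so it never holds the site's private key, yet whoever controls a trusted root can issue a second certificate for the same name that passes ordinary chain validation; comparing the served key against a pin recorded on first contact is what exposes the substitution. The hostnames, serials and helper names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// tmpl is a minimal template: a root when ca is true, otherwise a server leaf for name.
func tmpl(serial int64, name string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// sign issues t under parent from the subject's PUBLIC key alone (all a CSR carries):
// the CA never holds the site's private key, yet it can certify any key for the same name.
func sign(t, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}
// Pin is the SHA-256 of the SubjectPublicKeyInfo, the value public-key pinning compares.
func Pin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Scenario: does chain validation accept the genuine and the rogue leaf, and does the rogue key match the pin?
func Scenario() (genuineOK, rogueOK, rogueMatchesPin bool) {
	const site = "example.invalid" // constructed hostname for the demo
	caKey, caT := newKey(), tmpl(1, "demo-root.invalid", true)
	ca := sign(caT, caT, &caKey.PublicKey, caKey)                         // trusted root (stands in for a mandated one)
	genuine := sign(tmpl(2, site, false), ca, &newKey().PublicKey, caKey) // the site's own key, pinned on first contact
	rogue := sign(tmpl(3, site, false), ca, &newKey().PublicKey, caKey)   // same name, same CA, an interceptor's key
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, DNSName: site}
	_, errGenuine := genuine.Verify(opts)
	_, errRogue := rogue.Verify(opts)
	return errGenuine == nil, errRogue == nil, Pin(rogue) == Pin(genuine)
}
```

Both leaves verify cleanly against the root, which is exactly why a trust-store decision alone cannot catch the second one; only the pin comparison (the "different cert than everybody else" check) does.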
rnhmjoj over 1 year ago
This claim that eIDAS is an attempt to intercept TLS and spy on citizens has been repeated over and over this week without any basis, and I'm getting sick of it. I don't understand why everyone immediately assumes bad faith here when it's much more likely that this is just a botched article written by someone who has not had to deal with the intricacies of the web PKI.

Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spy on German citizens? Or maybe it is to make sure Italian citizens (regardless of browser vendor) can access the social security website without getting a scary warning message?
Comment #38189762 not loaded
Comment #38189718 not loaded
Comment #38189779 not loaded
Comment #38189705 not loaded
Comment #38195853 not loaded
landgenoot over 1 year ago
> This enables the government of any EU member state to issue website certificates for interception and surveillance

Wouldn't this be very easy to identify?
Comment #38189531 not loaded
dp-hackernews over 1 year ago
Government turned Hacker, what a beautiful future!
Comment #38189357 not loaded
pard68 over 1 year ago
Bad idea, but even if implemented, someone would still have to elect to use the CA, right?
jdthedisciple over 1 year ago
Just implement a second layer of E2EE.

Problem solved.
pelorat over 1 year ago
I remember the good old days when everything was HTTP. Anyway, this is really only an issue for those who have an innate distrust of their government, something most EU citizens don't have.
Comment #38189474 not loaded
Comment #38189514 not loaded
Comment #38189441 not loaded
Comment #38189498 not loaded
Comment #38189495 not loaded
Comment #38189655 not loaded
Comment #38189446 not loaded
Comment #38189485 not loaded
rvnx over 1 year ago
From the perspective of European govs: why should only US entities (and companies like Cloudflare, Amazon or Google) be allowed to get access to communications content?

It's very logical that Europe wants to do the same.
Comment #38189556 not loaded
Comment #38189704 not loaded