Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.
The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initial version of the digital identity and trust service rules. The rules cover things like electronic signatures, time stamps, registered delivery services, and certificates for website authentication.
But one of the requirements of eIDAS 2.0 is that browser makers trust government-approved Certificate Authorities (CA) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI).
Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, or QTSPs – would issue TLS certificates – Qualified Website Authentication Certificates, or QWACs – to websites.
But browser makers, if they suspect or detect misuse – for example, traffic interception – would not be allowed to take countermeasures by distrusting those certificates/QWACs or removing the root certificate of the associated CA/QTSP from their list of trusted root certificates.
Put simply: In order to communicate securely using TLS encryption – the technology that underpins your secure HTTPS connections – a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the website presents a public portion of its CA-issued certificate to the browser, and the browser checks the cert was indeed issued by one of the CAs it trusts, using the root certificate, and is correct for that site.
If the certificate was issued by a known good CA, and all the details are correct, then the site is trusted, and the browser will try to establish a secure, encrypted connection with the website so that your activity with the site isn’t visible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn’t match the website’s address, or some details are wrong, the browser will reject the website out of a concern that it’s not connected to the actual website the user wants, and may be talking to an impersonator.
Here’s one problem: if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website. Thus, using a proxy in a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time. The browser won’t even be able to block the certificate.
As Firefox maker Mozilla put it:
How that compares to today’s surveillance laws and powers isn’t clear right now, but that’s the basically what browser makers and others are worried about: government-controlled CAs being abused to issue certificates to websites that allow for interception.
Certificates and the CAs that issue them are not always trustworthy and browser makers over the years have removed CA root certificates from CAs based in Turkey, France, China, Kazakhstan, and elsewhere when the issuing entity or an associated party was found to be intercepting web traffic. Many such problems have been documented in the past.
An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers.
Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA has a government seal of approval.
“Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government,” the Electronic Frontier Foundation (EFF) warned on Tuesday.
“Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government’s control could be used to intercept HTTPS communication throughout the EU and beyond.”
The foundation added the rules “returns us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic — and get away with it.”
Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clarify that Article 45 cannot be used to disallow browser trust decisions.
“If this comes to pass it would enable any EU government or recognized third party country to begin intercepting web traffic and make it impossible to stop without their permission,” the letter warns. “There is no independent check or balance on this process described in the proposed text.”
In an email to The Register, a Mozilla representative added, “Mozilla is deeply concerned by the proposed legislation and is continuing to engage with key stakeholders in the final stages of the trilogue process. We are committed to security and privacy on the Internet and have been heartened by the outpouring of support from civil society groups, cyber security experts, academics, and the public at large on this issue. We are hopeful that this heightened scrutiny will motivate EU negotiators to change course and deliver regulation with suitable safeguards.”
Google has also raised concerns about how Article 45 might be interpreted. “We and many past and present leaders in the international web community have significant concerns about Article 45’s impact on security,” the Chrome security team argued, and urged EU lawmakers to revise the legal language.
According security researcher Scott Helme, the latest regulatory language – which has not been made public – is still problematic.
The EFF says the legislative text “is subject to approval behind closed doors in Brussels on November 8.” ®