EU's Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework
from the just-stop dept
The EU is at it again. Mozilla recently put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think they can regulate the internet without (1) understanding it, or (2) bothering to talk to the people who do. The issue is the Digital Identity Framework, the proposed revision of the 2014 eIDAS regulation, which, in theory, is supposed to do some useful things for interoperability and digital identity. That could genuinely enable more end-user control over identity and information (a key part of my whole Protocols, Not Platforms concept). But the devil is in the details, and the details are a mess.
Article 45 of the proposal would force browsers to recognize a specific kind of website certificate, Qualified Website Authentication Certificates (QWACs), issued by Trust Service Providers that are notified by member state governments rather than vetted by the browsers' own root programs. As Mozilla points out, that would be disastrous for security:
At the same time, the types of website certificates that browsers would be forced to accept, namely QWACs, are based on a flawed certificate architecture that is ill-suited for the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, an increasing body of research has illustrated how the certificate architecture upon which QWACs are inspired – namely, extended validation certificates – lull individuals into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser showcases EV certificates directly in the URL address bar.
As such, should the revised Article 45 be adopted as is, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use our Firefox browser or any of the other browser and email products that also depend on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and undercut the browser community’s ability to push back against authoritarian regimes’ interference with fundamental rights (see here and here for two recent examples).
As Mozilla notes, the EU can still fix this by amending Article 45 before the revised regulation is adopted. Whether or not it does is an open question.
Filed Under: certificates, digital identity, eu, regulations, security
Reader Comments
We killed it long ago, at least a few years.
We already had someone pass a bill that released the FCC from protecting our Internet privacy.
https://money.cnn.com/2017/03/28/technology/house-internet-privacy-repeal/
We can't even fight SPAM now.
Maybe the EU wants to catch up with Australia by passing laws that make Internet users less safe by reducing the right to browse the Internet without using certain ID certificates, which may be used by hackers to attack or track users.
Re:
But...but...our gubmint here in Australia is all about protecting the people. How could you be so mean about our caring leaders, they only want what's best for us because we are children who know nothing about the horrible evil internet, and are desirous of being protected.
Whether we want it or not!
Re:
Pretty sure the ID certificates for websites will fall apart and never happen.
Crap like this...
...is why I'm leaning toward the EU not being sustainable. Too many inept morons with Dunning-Kruger in positions of authority to change stuff they don't understand in order to cater to a vision of the world which wasn't even true thirty years ago when they first learned that technology was a thing.
This is why we can't have nice things. The village idiot gets to make decisions for the village.
Re: Crap like this...
The european union might be slightly larger than your average village.
Re: Re: Crap like this...
The EU is independent of the nations they are ???
Each nation in Europe had to supply 1-2 people to the EU to regulate things for each country.
Most of Europe has problems with the Euro Union. One group deciding what the whole of these nations can and can't do, and they are being paid good money to do the same thing those in country are supposed to be doing.
Re: Re: Crap like this...
"The european union might be slightly larger than your average village."
The extended metaphor - every nation sending its village idiots to govern the EU - doesn't really make it better. An empire run entirely by the court jesters and the "touched" rounded up and exiled from the courts of the member states who all watch the plague of the land toddle off to Brussels while drawing sighs of relief.
Main issue from actual Mozilla's PDF
--
Unfortunately the 2021 regulatory proposal makes the risks associated with the QWAC framework much more dramatic, and will lead to a regression in the security assurances that users have come to expect from their browsers. This is because through Article 45.2, the legislative proposal, in effect, mandates that browsers automatically include Trust Service Providers (TSPs) in their browser root programs. ‘Trust Service Providers’ (TSPs), in this context, are essentially Certificate Authorities (CAs) that can issue QWACs under the eIDAS regime. These TSPs are notified by member states and as Mozilla has highlighted in the past, many of them do not meet the criteria required to also be included in our Root Store. By mandating that TSPs be supported by browsers in general, and in particular when they fail to meet the security and audit criteria of their root program, Article 45.2 will negatively transform the website security ecosystem in a fundamental way. This is outlined in the following subsection in more detail.
As far as I understood, this means that browsers' root stores must accept 'special' HTTPS certificates from CAs which have nothing to do with being open and accountable to the public. They can also be insecure.
Another possibility is that it would be harder to find a reason other than 'we don't trust your government' to NOT accept the Chinese (or Burmese: https://www.techdirt.com/articles/20211114/17280147944/updated-myanmars-military-junta-sentences-american-journalist-to-eleven-years-prison.shtml) version of it.
All browser
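The mechanism Mozilla describes in the passage quoted above is easy to lose in the policy language, so here is an added example (written for this page, not code from Mozilla, Techdirt, or any browser) that shows what "include a CA in the root store" means in practice. It builds a throwaway PKI in memory with Go's standard library: one CA that stands in for a root that passed a browser's root program audit, and a second, hypothetical CA that stands in for a government-notified TSP the browser never vetted. The CA names, the hostnames bank.example and mail.example, and the certificate lifetimes are all constructed for the demo; the verifier is Go's crypto/x509, used as a stand-in for a browser's chain validation rather than a model of any particular browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a self-signed certificate authority generated in memory for the demo.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA creates a self-signed CA with no name constraints, which is how
// public root CAs are normally configured: it may sign for any hostname.
func newCA(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name}, // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// issueLeaf has the CA sign an ordinary TLS server certificate for host.
func (c *ca) issueLeaf(host string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// trustedFor plays the browser: does leaf validate for host given this root store?
func trustedFor(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Result records what the verifier accepts before and after the un-vetted CA
// is forced into the root store.
type Result struct {
	LegitTrusted        bool // bank.example cert from the vetted CA, vetted root only
	RogueBeforeMandate  bool // bank.example cert from the un-vetted CA, vetted root only
	RogueAfterMandate   bool // same rogue cert once the un-vetted CA is also a root
	AnyHostAfterMandate bool // un-vetted CA issuing for an unrelated host, after mandate
}

// Demo runs the comparison. The "mandated" CA never went through any audit;
// the only thing that changes between the before and after cases is its
// presence in the root store.
func Demo() Result {
	vetted := newCA("Vetted Root CA (passed root program audit)")
	mandated := newCA("Hypothetical TSP CA (mandated, never audited)")
	legit := vetted.issueLeaf("bank.example")
	rogue := mandated.issueLeaf("bank.example")
	other := mandated.issueLeaf("mail.example")
	return Result{
		LegitTrusted:        trustedFor(legit, "bank.example", vetted.cert),
		RogueBeforeMandate:  trustedFor(rogue, "bank.example", vetted.cert),
		RogueAfterMandate:   trustedFor(rogue, "bank.example", vetted.cert, mandated.cert),
		AnyHostAfterMandate: trustedFor(other, "mail.example", vetted.cert, mandated.cert),
	}
}

func main() {
	r := Demo()
	fmt.Printf("legit cert, vetted root only:        %v\n", r.LegitTrusted)
	fmt.Printf("rogue cert, vetted root only:        %v\n", r.RogueBeforeMandate)
	fmt.Printf("rogue cert, TSP forced into roots:   %v\n", r.RogueAfterMandate)
	fmt.Printf("any host, TSP forced into roots:     %v\n", r.AnyHostAfterMandate)
}
```

The point the demo makes about the comment's question ("could a browser include such a TSP and then just not do anything with it?") is that a root store entry is not a passive record: once the CA is in the pool, every certificate it signs for every hostname validates exactly like one from an audited root, and the verifier has no separate "QWAC-only" lane unless the browser builds one and the regulation allows it. The only way to refuse trust is to keep the CA out of the store, which is precisely what Article 45.2 would forbid.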
Re: Main issue from actual Mozilla's PDF
Could a browser include such a TSP, allow it to issue a QWAC, and then just not do anything with it? Just continue relying on the certificates you actually trust, while the quack of a certificate that was forced on you gathers dust without affecting any of the browser's behavior.
QWAC?
QWAC! QWAC! QWAC! QWAC!
I guess it was written by some DAFFY politician?