"In summary, we strongly warn against the currently proposed trilogue agreement, as it fails to properly respect the right to privacy of citizens and secure online communications; without establishing proper safeguards as outlined above, it instead substantially increases the potential for harm."
The Open Source Security Foundation (OpenSSF) has co-signed the Industry Joint Statement on Article 45 in the EU’s eIDAS Regulation, indicating that "Those provisions are likely to weaken the security of the Internet as a whole":
https://openssf.org/blog/2023/11/02/openssf-co-signs-industr...
Good morning. It has actually been happening all around the world, not just in the EU. Given how governments have encroached on crypto, ad tech and social tech in the last 10 years, the writing is on the wall for end-to-end encryption next. They have to know ALL your communications:
I wrote a summary of the countries in the world that have already undermined it, banned it or are on the way to banning it:
https://community.qbix.com/t/the-coming-war-on-end-to-end-en...
The pushback against ad tech - or more precisely tracking tech - is hardly the same thing. One of the EU's moves will greatly improve privacy, another one will harm it.
A world is possible where we have end-to-end encryption AND a ban on profiling people online without their consent.
I'm no fan of the existing system of CAs - in 2023 we should have certificate pinning for sites, with a mechanism for checking which certificate hashes are valid for which site (via a distributed ledger or via browser vendors etc).
However this amendment is disgusting.
I was one of the many experts reviewing previous drafts; the timing and content of these changes are absolutely an attempt by security services to break security on the web.
We're already all used to running ad/script blockers on our clients, so we accept a certain level of breakage. It's just part of the cost of using the web that some sites are crap (YouTube being the big one nowadays), but in the end we just "route around them" (they die).
Interesting - I know DNSSEC (great solution) but haven't seen DANE. From a quick glance it looks like an obvious solution which should be implemented by the browser vendors and top sites.
> The proposed eIDAS revision gives Member States the possibility of inserting root certificates at will [..]
That should've been a clear problem when architecting this system for anyone that knows how PKI works. Control and transparency around CAs (especially roots) is extremely important for web security.
Did they not consider issuing citizens with WebAuthn certificates, or working with browser vendors to support using client certificates (since they'd only need to be trusted by the server, not the client)?
Knowing the EU is behind this, I wouldn't be surprised if the people making decisions about this are even aware of any technology beyond Windows XP.
The funny thing is that several European governments have actually operated certificate authorities of their own, and they worked just fine.
It's so stupid, because the rest of the eIDAS is a pretty good idea.
From what I can tell, this stupid addendum is the result of the certificate authority industry, which was mad that nobody trusts EV certificates anymore (because they never added the security they promised in the first place).
WebAuthn uses private keys in the secure enclave. It won’t be affected.
To be clear: the EU here is backdooring HTTPS encryption, which protects most communication, not signing. While also moving to ban end-to-end encryption (Spain leading the way).
If this goes through without change, the browser vendors should implement a UX which allows the user to disable these root certificates; ideally within different contexts.
I also hope that our community produces tools to allow the cert stack on our OSes to be purged of these certificates.
Then they’ll ban that UX. Just like the US banned the ability to disclose how much tax you pay for airline tickets.
EDIT: for clarification, they banned disclosing it in initial communications like emails. They can do the same for browsers. Apple also successfully banned apps from disclosing links to buying stuff online etc.
I can still see taxes and fees when I'm booking a flight. I just checked on delta.com. I can see the total taxes and fees, and the breakdown of what they are and how much each one is. I'm in the US.
> for clarification, they banned disclosing it in initial communications like emails
Please give a source for that. That's the spin some airlines gave it, but as far as I understood the new requirement was to list the full price including taxes and fees in advertisements. This could be seen as hiding the fees and taxes, but the airlines are still allowed to list fees and taxes.
In Europe, listing the full price is mandated for all industries as far as I know. Feels bad as a customer to not know what you will have to pay upfront, like it is in most industries in the US. But it also feels weird to me that this ruling was only applied to the air travel industry.
How much tax there is to pay is not my problem as a consumer. The only thing that matters is how much it will cost me to get the thing. Everything one must pay, including all fees and taxes should be included. Listing these will only cause unnecessary confusion and is often done in a deceptive manner.
It has nothing to do with adding root certificates to browsers. These are consumer protection laws against deceptive advertising. It may be surprising to Americans but in most of Europe, thanks to such laws, the price you see is usually the exact price you are paying. No taxes, fees or tips, it is all included, which I think is better for everyone.
We already have that option. At least on desktop OSes. On mobile it's hard, especially on Android it's no longer possible to add root CAs in the system store without rooting, ever since Android 7.
I believe on iOS you can do it with an MDM profile.
I would say it's not speaking against the intel agencies. The intelligence community protects us from many threats (terrorists, foreign organized crime, etc.). However, they are human, and make mistakes in the name of self-preservation, zeal for their mission, and in some cases greed.
The intel agencies of different countries act as checks and balances against each other, to some degree. In some countries there are enough different intel agencies that they act as checks and balances against each other.
However, the voice of the public is a great additional check on their behavior, especially when amplified by mainstream media and social media. Our elected officials want to be re-elected. Many will change their tune if they feel there is enough outcry that it might affect their poll numbers. And this is the only legal way to effect change in many countries.
Speaking to emphasize layered representation, not the future value of a single vote or wave of voters...
Those representatives in a position to affect the arc of the actions here, especially those who work in the civilian sphere regularly, need all manner of support now.
Making porn sites KYC is likely something that the public wants.
There have been numerous cases of nude pics of minors ending up on "amateur" porn sites.
It would be nice if browsers can require that certificates be co-signed by multiple, mutually distrusting root CAs, such as a hypothetical EU CA whose certificates are only trusted if also signed by an OSSF-backed root CA.
I am confused.
Last Chance to fix eIDAS: Secret EU law threatens Internet security - https://news.ycombinator.com/item?id=38109494 - Nov 2023 (280 comments)
Do you have any evidence for this?
https://security.stackexchange.com/questions/189647/what-hap...