this post was submitted on 10 Nov 2023
518 points (98.9% liked)

Technology

57453 readers
4884 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
518
EU Article 45 requires that browsers trust certificate authorities appointed by governments (www.eff.org)
submitted 9 months ago by [email protected] to c/[email protected]
111 comments fedilink hide all child comments
 

EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 10 points 9 months ago (6 children)

Jesus, this is not about spaying. This is because browsers have history of sucking at trusting new certificate authorities.

In Spain you get private certificate on your ID. You can use this ID to sing documents and access government pages. Those certificates are signed and provided by the government institution responsible for printing money (Royal Mint). It took them like 10 years to get the root cert added to the main browsers so that people could authenticate using those certs on government pages. It still doesn't work very well and I have to manually trust certs on Linux. I think I don't have to explain why being able to identify yourself on govt pages would be great.

What's the security risk here? People really think that the Spanish spy agency would request certs signed by the Royal Mint for 3rd party domain and use those for MITM attack? When they are caught this would raise huuuuge stink, Spanish govt certs would get banned and Royal Mint would lose all credibility. I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.

[–] [email protected] 21 points 9 months ago (1 children)

They wouldn't get banned. That's the problem. The article mandates that these certificates are exempt from the usual repercussions for acting out

[–] [email protected] -5 points 9 months ago (1 children)

You would get warnings from the browser, plugins removing those certs and versions of browsers without them (EU version and non-EU version). I

[–] [email protected] 1 points 9 months ago

You just went from complaining about having to manually trust certificates, to acting like you’d be ok having to install a browser plugin that tells you which certs to trust….

Why did you need government regulation to solve the original problem? Couldn’t you have just installed a plugin for it?

[–] [email protected] 11 points 9 months ago* (last edited 9 months ago)

I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.

They will the be caught and they will do it again and again. Normies they don't give a fuck about privacy or certificates.

[–] [email protected] 5 points 9 months ago (1 children)

This isn't it. You can use a separate CA for identification and for websites (TLS). If this were the problem, they could use any existing CA for their websites and their own for identifying the user - since that doesn't involve the browser trusting the ID CA.

See RFC 5280, Section 4.2.1.3, Key Usage: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3

[–] [email protected] 2 points 9 months ago

I guess you're right. Maybe it is about spying after all.

[–] [email protected] 3 points 9 months ago

When it comes to regulations, intent doesn’t matter when they enable abuse of power.

I don’t give a fuck if this is not aimed at spying. It trivially allows it, and that’s what matters.

[–] [email protected] 2 points 9 months ago

Whatever their "intent" it fucking dumb and an invasion of privacy with no real justification. Governments don't need to see what I'm doing on the internet.

[–] [email protected] 2 points 9 months ago (1 children)

It should be every country in EU and those looking to join to have certificates on their id cards. Am thinking they are just trying to expedite the process. EU could easily create their own regulatory body and get approved by other root certificate holders to establish path of trust, but most likely it complicates things and/or takes too long.

Not to sound too pessimistic but making a browser trust another certificate is not that difficult. If they wanted to MITM attack anyone it would be fairly easy given that people usually install software from any source let alone government without thinking twice. During that installation another certificate can be added to the list of trusted roots and problem solved. It wouldn't be harder to achieve and it would be much harder to detect.

[–] [email protected] 3 points 9 months ago (1 children)

but most likely it complicates things and/or takes too long.

It's not very complicated but it does take too long: https://bugzilla.mozilla.org/show_bug.cgi?id=435736

It took them 10 years to resolve this request.

[–] [email protected] 2 points 9 months ago

It's kind of sad when government moves faster than your triage team. Definitely want to speed that one up.