this post was submitted on 08 Nov 2023
172 points (94.3% liked)

Europe

[–] [email protected] 79 points 2 years ago (4 children)

This article isn't completely genuine. And it is important to understand that.

eIDAS came into effect in 2016 and was around the oversight of online identification. This PROPOSED change is around allowing the EU to impersonate anyone getting a CA that is valid in the EU.

Now this is concerning but will never pass. Your bank needs to be assured that their CA can only be validated by them. Your insurance agency, your ecommerce sites...

It won't work, it breaks network trust by definition.

As soon as they try to push this through, banks, insurance and tech companies will push back and this will die.

Banks don't want the security model to be undermined because it will have a massive impact on the escrow services which underpin the digital economy.

If the CA owner can be impersonated then your bank can be impersonated, your online vendor can be impersonated and your e-commerce is dead.

Dumb idea and won't happen.

[–] [email protected] 19 points 2 years ago* (last edited 2 years ago) (1 children)

Considering that this has been in the works for ~~a year~~ two years already and there haven't been any reports of banks and insurance agencies objecting, your version of "it can't happen here" seems less than fully convincing.

[–] [email protected] 9 points 2 years ago* (last edited 2 years ago)

The fact it has been in the works for two years and not passed tells me that the powers that be are working to stop it in the background.

I could be wrong, we will have to wait and see. But this is not the first or last time I have seen governments try to break authentication without success.

[–] [email protected] 14 points 2 years ago (1 children)

Mozilla says that it's fairly close to passing though: https://last-chance-for-eidas.org/

[–] [email protected] 6 points 2 years ago (1 children)

Well I'll eat my words if this passes. But I don't see it happening.

[–] [email protected] 3 points 2 years ago

I hope you're right!

[–] [email protected] 7 points 2 years ago

I can only hope that this is what is going to happen. It's a stupid idea and I have no clue why no one thinks about the consequences and evaluates if it's for the better or worse.

[–] [email protected] 3 points 2 years ago

Agreed. PwC, big banks and the internet as a whole would stand against such policy; giving institutions the power to destroy the very basis of internet trust is simply asking for the entire system to become discredited.

[–] [email protected] 44 points 2 years ago (3 children)

Sorry, but this is on the level where I'll never trust EU... I rather liked this organization but this makes no sense.

Like, which children to protect are going to be manufactured this time?

[–] [email protected] 24 points 2 years ago (1 children)

If it is any reassurance, not even the EU trusts the EU to control internet security: Parliament voted this down in its position, but member states are trying to bring it back. MEPs are fighting to ensure control remains with browsers.

[–] [email protected] 6 points 2 years ago (1 children)

I think the EP voted down Chat Control for now, but this is a different thing.

[–] [email protected] 4 points 2 years ago (1 children)

It did, but we are also fighting against eIDAS. I'm told last night's deal supposedly solves the problem, but I'm waiting for the text myself. (I worked on eIDAS in Parliament, my committee (Legal Affairs) recommended the complete deletion of Art45.)

[–] [email protected] 3 points 2 years ago

Let's hope so, feels like orgs were able to build up a reasonable amount of pressure in such a short amount of time.

[–] [email protected] 4 points 2 years ago

It does kinda depend on whether this manages to actually pass...

[–] [email protected] 6 points 2 years ago

This is the best summary I could come up with:


Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.

Thus, using a proxy in a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time.

How that compares to today's surveillance laws and powers isn't clear right now, but that's basically what browser makers and others are worried about: government-controlled CAs being abused to issue certificates to websites that allow for interception.

An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers.

"Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government," the Electronic Frontier Foundation (EFF) warned on Tuesday.

Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clarify that Article 45 cannot be used to disallow browser trust decisions.


The original article contains 965 words, the summary contains 196 words. Saved 80%. I'm a bot and I'm open source!

[–] [email protected] 5 points 2 years ago (1 children)

https://nitter.cz/Rob_Roos/status/1722304545676497141?t=SDb1qsGpMC8CtZmNdc70mQ&s=19

The European Parliament and Member States just reached an agreement on introducing the Digital Identity, #eID.

Directly afterwards, #EU Commissioner Breton said: "Now that we have a Digital Identity Wallet, we have to put something in it...", suggesting a connection between #CBDC and eID.

They ignored all the privacy experts and security specialists. They're pushing it all through.

[–] [email protected] 2 points 2 years ago (1 children)
[–] [email protected] 3 points 2 years ago (1 children)

As far as I understand, the parliament must vote now, but it doesn't look good. You may write to your MEP.

[–] [email protected] 3 points 2 years ago

We should organize manifestations in streets and make it visible if we don't agree. Writing an email that just gets ignored seems polite but it hasn't worked so far.