---

※ [本文轉錄自 Gossiping 看板 #1bJtYBwx ]

---

備註請放最後面 違者新聞文章刪除

1.媒體來源:
The Register


2.記者署名:
Thomas Claburn

3.完整新聞標題:
Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections

EFF warns incoming rules may return web 'to the dark ages of 2011'




4.完整新聞內文:

Lawmakers in Europe are expected to adopt digital identity rules that civil soci
ety groups say will make the internet less secure and open up citizens to online
 surveillance.

The legislation, referred to as eIDAS (electronic IDentification, Authentication
 and trust Services) 2.0, has been described as an attempt to modernize an initi
al version of the digital identity and trust service rules. The rules cover thin
gs like electronic signatures, time stamps, registered delivery services, and ce
rtificates for website authentication.

But one of the requirements of eIDAS 2.0 is that browser makers trust governme
nt-approved Certificate Authorities (CA) and do not implement security controls
beyond those specified by the European Telecommunications Standards Institute (E
TSI).

Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, o
r QTSPs – would issue TLS certificates – Qualified Website Authentication Cert
ificates, or QWACs – to websites.

But browser makers, if they suspect or detect misuse – for example, traffic int
erception – would not be allowed to take countermeasures by distrusting those c
ertificates/QWACs or removing the root certificate of the associated CA/QTSP fro
m their list of trusted root certificates.

Put simply: In order to communicate securely using TLS encryption – the technol
ogy that underpins your secure HTTPS connections – a website needs to obtain a
digital certificate, issued and digitally signed by a CA, that shows the website
 address matches the certified address. When a browser visits that site, the web
site presents a public portion of its CA-issued certificate to the browser, and
the browser checks the cert was indeed issued by one of the CAs it trusts, using
 the CA's root certificate, and is correct for that site.

If the certificate was issued by a known good CA, and all the details are correc
t, then the site is trusted, and the browser will try to establish a secure, enc
rypted connection with the website so that your activity with the site isn't vis
ible to an eavesdropper on the network. If the cert was issued by a non-trusted
CA, or the certificate doesn't match the website's address, or some details are
wrong, the browser will reject the website out of a concern that it's not connec
ting to the actual website the user wants, and may be talking to an impersonator
.

Here's one problem: if a website is issued a certificate from one of those afore
mentioned Euro-mandated government-backed CAs, that government can ask its frien
dly CA for a copy of that certificate so that the government can impersonate the
 website – or ask for some other certificate browsers will trust and accept for
 the site. Thus, using a man-in-the-middle attack, that government can intercept
 and decrypt the encrypted HTTPS traffic between the website and its users, allo
wing the regime to monitor exactly what people are doing with that site at any t
ime. The browser won't even be able to block the certificate.

As Firefox maker Mozilla put it:

This enables the government of any EU member state to issue website certificates
 for interception and surveillance which can be used against every EU citizen, e
ven those not resident in or connected to the issuing member state. There is no
independent check or balance on the decisions made by member states with respect
 to the keys they authorize and the use they put them to.

How that compares to today's surveillance laws and powers isn't clear right now,
 but that's the basically what browser makers and others are worried about: gove
rnment-controlled CAs being abused to issue certificates to websites that allow
for interception. If an administration tried using a certificate not issued by a
 trusted CA, browsers would reject the cert and connection, hence Europe's desir
e to make browser makers accept government-backed CAs.

Certificates and the CAs that issue them are not always trustworthy and browser
makers over the years have removed CA root certificates from CAs based in Turkey
, France, China, Kazakhstan, and elsewhere when the issuing entity or an associa
ted party was found to be intercepting web traffic. Many such problems have been
 documented in the past.

An authority purge of this sort occurred last December when Mozilla, Microsoft,
 Apple, and later Google removed Panama-based TrustCor from their respective
lists of trusted certificate providers.

Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA h
as a government seal of approval.

"Article 45 forbids browsers from enforcing modern security requirements on cert
ain CAs without the approval of an EU member government," the Electronic Frontie
r Foundation (EFF) warned on Tuesday.

"Which CAs? Specifically the CAs that were appointed by the government, which in
 some cases will be owned or operated by that selfsame government. That means cr
yptographic keys under one government's control could be used to intercept HTTPS
 communication throughout the EU and beyond."

The foundation added the rules "returns us to the dark ages of 2011, when certif
icate authorities could collaborate with governments to spy on encrypted traffic
 — and get away with it."

Mozilla and a collection of some 400 cyber security experts and non-governmental
 organizations published an open letter last week urging EU lawmakers to clari
fy that Article 45 cannot be used to disallow browser trust decisions.

"If this comes to pass it would enable any EU government or recognized third par
ty country to begin intercepting web traffic and make it impossible to stop with
out their permission," the letter warns. "There is no independent check or balan
ce on this process described in the proposed text."

In an email to The Register, a Mozilla representative added, "Mozilla is deeply
 concerned by the proposed legislation and is continuing to engage with key stak
eholders in the final stages of the trilogue process. We are committed to securi
ty and privacy on the Internet and have been heartened by the outpouring of supp
ort from civil society groups, cyber security experts, academics, and the public
 at large on this issue. We are hopeful that this heightened scrutiny will motiv
ate EU negotiators to change course and deliver regulation with suitable safegua
rds."

Google has also raised concerns about how Article 45 might be interpreted. "We a
nd many past and present leaders in the international web community have signifi
cant concerns about Article 45's impact on security," the Chrome security team
argued, and urged EU lawmakers to revise the legal language.

According security researcher Scott Helme, the latest regulatory language – whi
ch has not been made public – is still problematic.

The EFF says the legislative text "is subject to approval behind closed doors in
 Brussels on November 8." ®



5.完整新聞連結 (或短網址)不可用YAHOO、LINE、MSN等轉載媒體:
https://www.theregister.com/2023/11/08/europe_eidas_browser/


6.備註:
CNNIC跟沃通：老鄉，你好，希望你比我們死的還慘

歐盟敢這麼做，我一定DDoS爆破他們伺服器，如果可以，我連他們的機密都要挖出來
這已經不是可以玩五樓哽的東西了，你能想像對岸監聽全世界的一切通訊嗎？

--
--
※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 111.82.109.225 (臺灣)
※ 文章代碼(AID): #1bJtYBwx (Gossiping)
※ 文章網址: https://www.ptt.cc/bbs/Gossiping/M.1699707019.A.EBB.html*[m