EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…

  • sonymegadrive@feddit.uk
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    1 year ago

    That means cryptographic keys under one government’s control could be used to intercept HTTPS communication

    Could someone smarter than me explain how this would be possible? Wouldn’t the browser still be able to enforce privacy between the client and origin? Or is it the case that certificates issued by these CAs could in theory only support weaker cyphers?

    Edit: Some really useful explanations. Thank you!

    • WDX@feddit.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      There can be an infinite amount of certificates for a single domain.

      When you setup a connection to a website you basically get a response back that has been signed with a certificate.

      Your Browser / OS has a list of certification authorities that it deems trustworthy.

      So when you get the response the browser checks if the certificate was issued by a trusted CA.

      Now, if the EU forces browsers to trust their CA they can facilitate a man-in-the-middle attack.

      In this instance they will intercept the TLS Handshake and give you back a response that was signed by their certificate. Your Browser deems the certificate valid and sets up a secure tunnel to the EUs Server.

      From then on they can forward packets between you and the real website while being able to read everything in cleartext

    • peeteer@feddit.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      A government could create a new certificate for any domain without having ownership of the domain or permission of the owner. This way they can perform Man-in-the-middle attacks.

      In such an attack someone intercepts the traffic of a client and presents their own certificate.

      Because a government can create a universally accepted certificate, thise would be accepted as valid. The traffic can then be decrypted and forwarded to the real website. The attacker is now between the client and the real host (the Man in the middle) and can view the unencrypted traffic.

    • Pfosten@feddit.de
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Cryptography works. At least until sufficiently powerful quantum computers arrive, TLS reliably ensures confidentiality between your browser and the server. No one else can snoop on the data transmitted via that connection.

      But are you connected to the right server? Without some kind of authentication, any adversary in the middle (such as your ISP) could impersonate the real server.

      That is where certificates come in. They are issued by neutral certificate authorities (CAs) that check the identity. It works something like this:

      • I, the server operator, create a private key on that server. I use that key to create a certificate request which asks the CA to give me a certificate. This request also contains the domain names for which the key shall be used.
      • The CA performs identity checks.
      • The CA issues me the certificate. I install it on my server. Now, when browsers create a TLS connection I can tell them: here’s my public key you can use to check my identity, and here’s a certificate that shows that this is a valid key for this domain name!
      • The browser will validate the certificate and see if the domain name matches one of the names in the certificate.

      What kind of checks are done depends on the CA. I’ve obtained certificates by appearing in person at a counter, showing my government ID, and filling out a form. Nowadays more common is the ACME protocol which enables automated certificate issuance. With ACME, the CA connects to the server from multiple network locations (making interception unlikely) and checks if the server provides a certain authentication token.

      To know which certificates are valid, browsers must know which CAs are trusted. Browser makers and CAs have come together to create an evolving standard of minimum requirements that CAs must fulfill to be eligible for inclusion in the browser’s default trust store. If a CA violates this (for example by creating certificates that can be used for government traffic interception, or by creating a certificate without announcing it in a public transparency list), then future browser versions will remove them, making all their certificates worthless.

      eIDAS 2 has the effect of circumventing all of this. There is to be a government-controlled CA (already high-risk) that has its own verification rules set by legislation (does not meet industry standard rules). And browsers would be legally forced to include the eIDAS CAs as “trusted”.

      This puts browsers in a tough spot because they’ve resisted these kinds of requests from authoritarian regimes in the past. But now the world’s largest trade bloc is asking. Browsers can comply or leave the EU market, or maybe provide a less secure EU edition? Awakens uncomfortable memories around the failed US attempts at cryptography export control (cryptography is considered a munition, like hand grenades or ballistic missiles).

      It is plausible that the EU is doing this with good intentions: having a digital identity scheme is useful, it makes sense for identity to be government-controlled (like passports), and such a scheme will only see success if it sees industry adoption. The EU has also seen that hoping for voluntary industry adoption doesn’t generally work, e.g. see the USB-C mandate.

  • Send_me_nude_girls@feddit.de
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Great and in 2 -3 years we find out, that someone has actively abused this security hole for years and stole whatever master key is required, to create their own fake government CA and has been spying on everyone for years. Or political opposition was imprisoned before they could act. Best is, such man in the middle attacks allow for all sorts of things, including putting fake evidence on your computer.

    Oh yes, no one would ever do that every, totally never happened and won’t. Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too? And will dictate rules in the EU? No one could see that happening…

    Where there’s honey, there will be bears.

    I just hope we can create a browser plugin to deny gov CAs automatically or a browser from outside EU to block that shit. …until your ISP is forced by law to block traffic from these.

    One step closer to a great EU firewall and it sucks. Good old salami tactics. Because at some point it doesn’t even matter if there are ways to mitigate this spying, if the alternative are so complicated and uncomfortable to use, that 99,999% of the people won’t bother.

    • vacuumflower@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      1 year ago

      Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too?

      Calling AfD Nazis is an exaggeration watering down the term.

      I’m not saying actual honest-to-God Nazis are not coming back. In fact, I’m sure they are, no evil is ever defeated forever. Time to cast away stones and time to collect stones.

      • yetAnotherUser@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 year ago

        A party tolerating Nazis in their ranks is not worth differentiating from a party made entirely out of Nazis.

        Ya know, if politicians have Himmler’s instruction to produce more “aryan” babies hanging in their bedroom as a poster, it is safe to say it’s a Nazi party.

      • Zacryon@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        1 year ago

        Calling AfD Nazis is an exaggeration watering down the term.

        The Verfassungsschutz (Office for Protection of the Constitution) classified the AfD in Saxony-Anhalt as right-wing extremists just last Tuseday. A year before that the AfD Thuringia was classified similarly by the respective Landesverfassungsschutz (State’s Office for Protection of the Cnstitution), but was reclassified a level just before that as a suspected extremist right-wing party by the federal constitution protection office. The AfD-Juniors (“Junge Alternative”) were classified as right-wing extremists last April by the Verfassungsschutz.

        They regularly catch ones attention with antisemitic, xenophobic statements at best and inhumane, anti-democratic sentiments at worst.

        Considering that they start to get more and more political posts on a communal level, and remembering that the communal political landscape played a pivotal role for the rise of the NSDAP (I would provide a source, but it’s in German) I would certainly say that’s something to be very worried about.

        I don’t know what else you need. They speak like Nazis, they act like Nazis. They are Nazis. Just because they haven’t reached that level of political power to set Jews and foreigners on fire again, doesn’t mean they are harmless or that calling them out for what they are would “water down the term ‘Nazi’”.

        • vacuumflower@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          0
          ·
          1 year ago

          AfD in Saxony-Anhalt

          Yes, I’ve heard of that. I’ve also heard that they vary much in, eh, ideological climate in different states. So - it may be just a result of them being a populist party.

          I would provide a source, but it’s in German

          That’d be fine, I can’t write and speak in German, but a wee bit better at understanding texts.

          They speak like Nazis,

          Not really, I’ve actually took a lot of interest in how Nazis really spoke when I was 15 years old. It was a weird time in my life, so wanted to know more closely things surely known to be evil and good to recognize evil and good in my surroundings.

          (Thinking of Klemperer’s book.)

          “Antisemitic and xenophobic” statements are not limited to Nazis, while some specifically Nazi traits of speech I can see being more popular, but really not limited to AfD and the likes. Even here one can encounter such.

          they act like Nazis.

          I don’t think they’ve started killing their opponents on the streets yet, or forming paramilitary groups.

          doesn’t mean they are harmless or that calling them out for what they are would “water down the term ‘Nazi’”

          You may be right, but parties and entities more similar to Nazis in other parts of the world usually were pretty open about their intentions from the very beginning, while AfD doesn’t send the same signals.

          • Zacryon@feddit.de
            link
            fedilink
            English
            arrow-up
            0
            ·
            edit-2
            1 year ago

            So - it may be just a result of them being a populist party.

            As far as I can see it, this is spreading.

            Regarding the source, here is one I was thinking about earlier:

            Eine besagt, daß vor 1933 sowohl im Deutschen Reich als auch in Thüringen für alle Bemühungen der Nazis gerade die kommunale Ebene eine bedeutsame Rolle gespielt hat.

            From: https://www.rosalux.de/fileadmin/ls_thueringen/2007_Weißbecker_Kommunalpolitik_NSDAP.pdf page 2.

            Regarding the remaining part of your reply:
            It seems that you understand Nazis in a form when they were already at a state of having considerable amount of power. I understand Nazis already on a mere ideological level, that’s why I see a lot of similarities between Nazis back then when they were just starting out, and those Neo-Nazis now who come in several colours and shapes. And especially the AfD seems to be a magnet for those extremists.

            “Antisemitic and xenophobic” statements are not limited to Nazis

            Yes of course not. This is just another exemplary piece of the whole image.

            I don’t think they’ve started killing their opponents on the streets yet, or forming paramilitary groups.

            As I said before, they haven’t reached that level of power yet. Besides that:
            The politician Wolfgang Lübcke was killed by a right-wing extremist who had ties to the AfD. Even though - in all macabre “fairness” - the party is not responsible for that, this again shows a severe lack of distancing from right-wing extremism within the party.
            Then there is the “Reichsbürger” (citizen of the Reich) milieu, against whom police raids were conducted where plans to overthrow the government were revealed and a over 100 weapons were confiscated. This is not the AfD, yes. But here again, a lot of AfD members seem to tolerate or even downplay this (see for example this article). And let’s not forget how a AfD politician gave tours to Reichsbürger-members through the government disctrict in preparation of them planning to storm the Bundestag.
            Even (former) AfD members criticize their (former) party and make comparisons with the NSDAP, like a former AfD city councillor.

            Let’s deal with this here:

            They speak like Nazis,

            Not really

            Oh boy, I can give you many many many examples. But let’s take one promiment one, since I’ve already written a lot: The floor leader of the AfD Thuringia, Björn Höcke, got his immunity lifted several times and against whom a criminal process is currently running for demagoguery and using the SA (Sturmabteilung of the NSDAP) slogan “Alles für Deutschland”. (Since there are several articles about that and is also listed on wikipedia, you can easily find according sources yourself, but I’ll leave you one article on that here for your convenience: Björn Höckes Immunität erneut aufgehoben .) There is so much more regarding his views and what he said, which makes it hard for me to not see him as a Nazi.

            Nazis in other parts of the world usually were pretty open about their intentions from the very beginning, while AfD doesn’t send the same signals

            Maybe a slightly deeper dive into AfD talk might change your mind ( https://www.youtube.com/watch?v=--UWifFi978 https://www.youtube.com/watch?v=2YCScM7qd8g ). That’s were our experiences seem to differ. It’s a slow process, but there are many problematic signals (and as time goes on we get more and more of them) which show that the AfD are becoming a serious problem if they don’t start to fight against extremists within their own party. The NSDAP didn’t start sterilizing disabled people from day one either.

      • Send_me_nude_girls@feddit.de
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        1 year ago

        Companies always have a name and money to lose and are a hurdle for overreaching hands. The government has no reputation nor money to lose and a simple agreement opens all doors if it’s already government owned. A big difference to me personally.

        The government should only ever own things that would fail or be worse, if in public hands. Like infrastructure for instance.