EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…

  • ExLisper@linux.community
    link
    fedilink
    English
    arrow-up
    23
    ·
    1 year ago

    Jesus, this is not about spaying. This is because browsers have history of sucking at trusting new certificate authorities.

    In Spain you get private certificate on your ID. You can use this ID to sing documents and access government pages. Those certificates are signed and provided by the government institution responsible for printing money (Royal Mint). It took them like 10 years to get the root cert added to the main browsers so that people could authenticate using those certs on government pages. It still doesn’t work very well and I have to manually trust certs on Linux. I think I don’t have to explain why being able to identify yourself on govt pages would be great.

    What’s the security risk here? People really think that the Spanish spy agency would request certs signed by the Royal Mint for 3rd party domain and use those for MITM attack? When they are caught this would raise huuuuge stink, Spanish govt certs would get banned and Royal Mint would lose all credibility. I’m not saying they are definitely not stupid enough to try it but they would only be able to do it once.

    • I_like_cats@lemmy.one
      link
      fedilink
      English
      arrow-up
      19
      ·
      1 year ago

      They wouldn’t get banned. That’s the problem. The article mandates that these certificates are exempt from the usual repercussions for acting out

      • ExLisper@linux.community
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        You would get warnings from the browser, plugins removing those certs and versions of browsers without them (EU version and non-EU version). I

        • serial_crusher@lemmy.basedcount.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          You just went from complaining about having to manually trust certificates, to acting like you’d be ok having to install a browser plugin that tells you which certs to trust….

          Why did you need government regulation to solve the original problem? Couldn’t you have just installed a plugin for it?

    • silencioso@lemmy.world
      link
      fedilink
      English
      arrow-up
      12
      ·
      edit-2
      1 year ago

      I’m not saying they are definitely not stupid enough to try it but they would only be able to do it once.

      They will the be caught and they will do it again and again. Normies they don’t give a fuck about privacy or certificates.

    • Slotos@feddit.nl
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      When it comes to regulations, intent doesn’t matter when they enable abuse of power.

      I don’t give a fuck if this is not aimed at spying. It trivially allows it, and that’s what matters.

    • vimdiesel@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Whatever their “intent” it fucking dumb and an invasion of privacy with no real justification. Governments don’t need to see what I’m doing on the internet.