Brussels (ots/PRNewswire), 2022-07-13 -



- Proposed EU legislation poses security threat to internet users

- In the wrong hands, the changes could enable state-sponsored internet surveillance, says Mozilla's Chief Security Officer

- Brussels sees growing criticism of article 45.2 of the eIDAS regulation



There is a serious threat to existing internet security measures stemming from the European Commission's proposed revision to the eIDAS regulation. If implemented, experts say it could open individuals browsing online to additional security risks and set a precedent to allow state-sponsored internet surveillance. As currently drafted, article 45.2 could undermine the EU's own ambitions to be the frontrunner of a more secure, responsible and competitive internet that protects people from illegal activity.





Under the revised article 45.2 of the eIDAS regulation, browsers would be mandated to accept the EU-designed Qualified Web Authentication Certificates (QWACs) even though they have weaker security properties than those most browsers currently allow. Moreover, browsers would be prevented from applying any of the existing security due diligence checks to the entities which issue these certificates, thereby bypassing the critical first line of defense against cybercrime.

Article 45.2 is attracting growing attention from parliamentarians and cybersecurity experts alike. In her draft report (https://www.europarl.europa.eu/doceo/document/ITRE-PR-732707_EN.pdf), MEP Romana Jerkovic, the file's rapporteur, deleted it in order to have more time to figure out an approach that doesn't compromise security. Meanwhile, in an open letter (https://www.politico.eu/wp-content/uploads/2022/03/02/eIDAS-Cybersecurity-community-open-letter-1.pdf) sent to MEPs and EU countries, academics said that mandating the use of QWACs could introduce "significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing." They added that the move could make it "more difficult to protect individuals from cybercriminals."

Attempts have been made in the past to forcefully bypass browser security checks for rights-interfering ends, most notably in Kazakhstan (https://www.zdnet.com/article/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate/) in 2020 and Mauritius (https://slate.com/technology/2021/05/mauritius-online-speech-government-proxy-servers.html) in 2021. In both cases, the governments aimed to use so-called "man-in-the-middle" attacks to carry out state-sponsored surveillance of internet traffic.

Marshall Erwin, Chief Security Officer at Mozilla, said: "While this is not the intent of the EU, the inclusion of article 45.2 in eIDAS will make it more difficult to push back on these surveillance attempts in future. The EU sets many global standards and we're concerned that if this is copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic. Such actions present a very real and dangerous unintended consequence of the EU's digital identity plans."

For more information see here (https://bit.ly/3yqhax5).