Mozilla, 13 July 2022
EU's eIDAS PROPOSAL THREATENS ONLINE CYBERSECURITY AND ATTRACTS GROWING CRITICISM
- Proposed EU legislation poses security threat to internet users
- In the wrong hands, the changes could enable state-sponsored internet surveillance, says Mozilla's Chief Security Officer
- Brussels sees growing criticism of article 45.2 of the eIDAS regulation
There is a serious threat to existing internet security measures stemming from
the European Commission's proposed revision to the eIDAS regulation. If
implemented, experts say it could open individuals browsing online to additional
security risks and set a precedent to allow state-sponsored internet
surveillance. As currently drafted, article 45.2 could undermine the EU's own
ambitions to be the frontrunner of a more secure, responsible and competitive
internet that protects people from illegal activity.
Under the revised article 45.2 of the eIDAS regulation, browsers would be
mandated to accept the EU-designed Qualified Web Authentication Certificates
(QWACs) even though they have weaker security properties than those most
browsers currently allow. Moreover, browsers would be prevented from applying
any of the existing security due diligence checks to the entities which issue
these certificates, thereby bypassing the critical first line of defense against
cybercrime.
Article 45.2 is attracting growing attention from parliamentarians and
cybersecurity experts alike. In her draft report
(https://www.europarl.europa.eu/doceo/document/ITRE-PR-732707_EN.pdf), MEP
Romana Jerkovic, the file's rapporteur, deleted it in order to have more time to
figure out an approach that doesn't compromise security. Meanwhile, in an open letter
(https://www.politico.eu/wp-content/uploads/2022/03/02/eIDAS-Cybersecurity-community-open-letter-1.pdf)
sent to MEPs and EU countries, academics said that mandating the
use of QWACs could introduce "significant weaknesses into the global
multi-stakeholder ecosystem for securing web browsing." They added that the
move could make it "more difficult to protect individuals from cybercriminals."
Attempts have been made in the past to forcefully bypass browser security checks
for rights-interfering ends, most notably in Kazakhstan
(https://www.zdnet.com/article/apple-google-microsoft-and-mozilla-ban-kazakhstans-mitm-https-certificate/)
in 2020 and Mauritius
(https://slate.com/technology/2021/05/mauritius-online-speech-government-proxy-servers.html)
in 2021. In both cases, the governments aimed to use so-called "man-in-the-middle"
attacks to carry out state-sponsored surveillance of internet traffic.
Marshall Erwin, Chief Security Officer at Mozilla, said: "While this is not the
intent of the EU, the inclusion of article 45.2 in eIDAS will make it more
difficult to push back on these surveillance attempts in future. The EU sets
many global standards and we're concerned that if this is copied elsewhere, the
regulation will give the tools to governments to carry out state-sponsored
surveillance of internet traffic. Such actions present a very real and dangerous
unintended consequence of the EU's digital identity plans."
For more information see here (https://bit.ly/3yqhax5).
