Now every government security agency dreams of having complete access to the communications of everyone so they don't go through the trouble of doing their job. First UK, now EU.
Although I'm generally closer to the EU mentality of trusting the governments more than the corporations, this aspiration of the governments is just too much even if the European governments were perfect(they are far from it).
IMHO these are good intentioned ideas by the people who are responsible of providing security, it's just that they are too narrow minded brainchild of incompetent bureaucrats.
"How easy would my job be if I was able to access the communications between terrorists/pedos/spies etc."
Yeah right, we all exist to make your job easier and that's the top priority over everything else.
> EFF warns incoming rules may return web 'to the dark ages of 2011'
I don't want this law to pass, but I have fond memories of some of the communities that existed back then. If it passes, I at the very least hope like-minded people find a reason to congregate and practice fuckery again.
Obviously (for now) this law is easy to "opt out of" as a user - just download your browser from a mirror outside the EU, or remove the EU certs manually on your end. It's also a dumb law because it makes traffic interception trivially detectable by the end user - the EU is telling you that they're going to use these root certs for it! If they think nobody is going to modify their browser to POST not-safe-for-life imagery whenever such a cert is detected, they're probably wrong.
There's ongoing work on this field, but it is now a priority to have it ready.
The first may have the side-effect (or intended ?) to inform US companies which websites you are visiting upon addition of new entries though…
Incidentally there a very similar sounding provision announced in the UK yesterday:
'make tech companies clear security features with the Home Office'
CT logs are just, well, logs. They don't do anything to protect you from having your traffic intercepted via maliciously issued certificate. You might learn later (if somebody bothers to check) that it occurred but at that point the damage is already done.
> HSTS
This just says the connection should only be established via HTTPS, nothing more.
> Cert Pinning
Cert pinning has been removed both from Chromium and Firefox.
https://chromestatus.com/feature/5903385005916160
https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Rel...
Such crypto backdooring failed in the past, so they're trying to go after the weakest link they can think of. In this case, software publishers.
Self-Signed actually is the only trustworthy approach to use certificates. And with QR-Codes or ASCII-Art it is user friendly. Your partner (e.g. bank) would print a hash/fingerprint on the contract and the user MUST check it on first connection.
To complicated? SSH does that always. PGP is built upon the idea of users itself trusting. No end users?
Signal and WhatsApp! Actually you need to check the hash/fingerprint in the profile of your chat or you’ve only an encrypted connection but no security who receives the messages.
I think we should drop the entire approach of Certificates and issuing through “Authorities”. SecureBoot was flawed from the very first moment due its use of Certificates signed by an Authority named Microsoft. And a top-down security enforced from companies isn’t one.
PS: Lenovo turns off SecureBoot when you order a Laptop with Linux. A wise decision. I just miss a note that the password for hardware-disk-encryption and UEFI.
BUT current CA situation is travesty in its own right that is little bit different topic.
Apple can send malicious update to any app.... Do you check hashes thru 3rd party service ? Apple is scanning ALL your photos, documents on your device, with ML AND AGAINST HASH, DO you think they do not scan your photo for face of UBL ?
Important to note is that the main thing everyone is up in arms about, the TLS/HTTPS certificate stuff, already got adjusted after browser makers complained about it; browser makers aren't mandated to trust any certificates for internet traffic and DNS resolution. The only real problem left is QWACs in general being a part of the proposed legislation from what I can tell.
The rest of the bill seems more aimed at providing an easier authentication method to safely export private data. Could (hopefully) be good for dealing with KYC laws.
Digital stores obtain so much information to complain with those laws and it's a giant risk with things like the GDPR. As I understand it, under this law they could just store the absolute minimum (the reference ID for the centralized system in question) and if KYC laws are ever needed by the government, they can supply the ID rather than having to store a lot of Personal Information (which is a big issue with data breaches and the like being what they are.)
See:
This is already possible though, all a state needs to do for that is to bribe Microsoft[1] like Tunisia did ~20 years ago to include a government intelligence agency's root certificate that can then be used for MitM.
[1] and/or Apple and Google, if they want to target mobile devices as well.
> that government can ask its friendly CA for a copy of that certificate
1/ copying/reafing the certificate without the private key is something every TLS client must be able to do, this is a must. It is absolutely not a security concern.
2/ copying the certificate and the private key would be a concern, except s CA never sees the private key and hence cannot have it. The CA signs a CSR which does not contains the private key.
Overall I still agree with the article since the problem is not that the CA can copy the cert but rather that is can issue a new cert for the same URL, enabling MitM attacks.
Also, I garantee this gov CA will be breached in no time. There would be simply too many government agencies with access... Impossible to secure.
Do you seriously think the intent here is to allow, say, Italy to issue a certificate and spying on german citizens? Or maybe it is to make sure italian citizens (regardless of browser vendor) can access the social security website without getting a scary warning message?
As in "what's the worst outcome that can come from this piece of legislation, assuming malicious intent from the person wielding this law in the future". If the answer to that is "uh, not good" then the legislation is bad.
This legislation allows and enables it, regardless of intent.
TLS interception likely was never a seriously intended goal, just a side-effect due to how the law was worded.
Yes, there are too much ill conceived attempts against security that in the end will hurt everyone. It's disappointing to see it coming from EU.
Wouldn't this be very easy to identify?
The problem is that HTTPS is too government-addicted thing while a decent anti-MITM feature might/should be just a Diffie-Hellman without any identity-preserving features, I mean just E2EE. At least for sites like HN (not banks).
Problem solved.
For example, in 2005 I moved next door to someone that a year later was busted for growing hennep. The Dutch government used/abused the neighbour on the other side to spy and harrass him. Even after he was arrested and convicted. Then I was harrassed in serious illegal ways because I was in the way, I lived literally between these two.
Then went on for more than 10 years!!! And the government and told the police never to respond to my calls and the justice department binned all of my police reports. And this guy was stealing from me and vandalizing things!
I forced it to court and the prosecutor deliberately made the case fail by excluding enormous amounts of evidence and lying to the judge. I member of the board of directors of the court was involved behind the scenes obstructing justice from there and that person is now the president of a Dutch court!!
These people illegally facilitated crimes against a third party innocent victim and then obstructed justice to prevent their crimes coming to light.
These people in the Dutch government would have access to the power needed to intercept my mail and would have an immoral motivation to do so.
How is that capability a good thing given this context?
Also I certainly don't trust Hungary under their current government even if I trusted my own government.
Was that a joke?
In reality, people don’t have the time to read up on these issues to build an opinion in the first place. The most potent media corporations that could’ve amplified this issue for the general public are effectively propaganda machines for whoever pays the most or has the biggest guns to their heads.
It’s a sad state of affairs. Most of the public are unaware that a cage is being built around them.
But those who do have some understanding about these threats, they certainly are increasingly more distrustful.
They may have good intentions today, but politicians and intentions can change while the new government powers are likely never removed.
It’s very logical that Europe wants to do the same.
This essentially gives a a free hand to NSA to spy non only on Belgians but also EU Institutions, NATO HQ, SWIFT and many more essential but not very public organizations headquartered in Belgium (ever heard of IPC? ENTSO-E?)
