This is a complicated and technical post so most people will yawn and may move to something else. It would be a mistake because it is important.
There is a clear effort in Europe to take back control of the narrative. The first wave concerned platforms and their ability to remove posts. It would have been difficult 10 years ago but has become over time an easy shot. But likewise, people have become more sophisticated and the information is now becoming more diffuse and distributed to the great dismay of most Eurocrats.
The only way to fight this is to insert a "man-in-the-middle" in the Internet so that you can actually identify nodes of information such as this blog and suppress them before the erroneous, extremist, misinformation (pick your choice) spreads. Never mind that you made "one" mistake among hundreds of articles, the mere fact that you contradict the official version will eventually get you cancelled. Imagine such a system monitored in real time by AI and lo, the Chinese system is here. So much for democratic principles. In the end the goal of any bureaucracy is total control. No exception. We are getting closer.
Authored by Robert Blumen via The Brownstone Institute,
The European Commission is
an EU legislative body with regulatory authority over digital
technology. The EC’s eIDAS Article 45, a proposed regulation, would
deliberately weaken areas of internet security that the industry has
carefully evolved and hardened for over 25 years. The Article would
effectively grant the 27 EU governments vastly expanded surveillance
powers over internet use.
The
rule would require all internet browsers to trust an additional root
certificate from an agency (or a regulated entity) from each of the
national governments of each one of the EU member states. For
the non-technical readers, I will explain what a root certificate is,
how internet trust has evolved, and what Article 45 does to this. And
then I will highlight some of the commentary from the tech community on
this matter.
The next section of this article will explain how the trust infrastructure of the internet works. This
background is necessary in order to understand how radical the proposed
Article is. The explanation is intended to be accessible to a
non-technical reader.
The regulation in question addresses
internet security. Here, “internet” means, largely, browsers visiting
websites. Internet security consists of many distinct aspects. Article
45 intends to modify public key infrastructure (PKI),
a part of internet security since the mid-90s. PKI has been at first
adopted, and then improved over a 25-year period, to give users and
publishers the following assurances:
Privacy of the conversation between the browser and the website: Browsers and websites converse over the internet, a network of networks operated by Internet Service Providers, and Tier 1 carriers; or cellular carriers if the device is mobile. The network itself is not inherently safe nor trustworthy. Your nosy home ISP, a traveler in the airport lounge where you are waiting for your flight, or a data vendor looking to sell leads to advertisers might
want to spy on you. Without any protection, a bad actor could view
confidential data such as a password, credit card balance, or health
information.
Guarantee that you view the page exactly the way the website sent it to you:
When you view a web page, could it have been tampered with between the
publisher and your browser? A censor might want to remove content that
they don’t want you to see. Content labeled as “misinformation” was
widely suppressed during covid hysteria. A hacker who had stolen your
credit card might want to remove evidence of their fraudulent charges.
Guarantee that the website you see is really the one in the browser’s location bar:
When you connect to a bank how do you know that you are seeing the
website of that bank, not a fake version that looks identical? You check
the location bar in your browser. Could your browser be tricked into
showing you a fake website that appears identical to the real one? How
does your browser know – for sure – that it is connected to the correct
site?
In the early days of the internet, none of these assurances existed. In 2010, a browser plugin available in the add-on store enabled
the user to participate in someone else’s Facebook group chat in a cafe
hotspot. Now – thanks to PKI, you can be pretty sure of these things.
These security features are protected with a system based on digital certificates.
Digital certificates are a form of ID – the internet version of a
drivers’ license. When a browser connects to a site, the site presents a
certificate to the browser. The certificate contains a cryptographic
key. The browser and the website work together with a series of
cryptographic calculations to set up secure communication.
Together, the browser and the website provide the three security guarantees:
privacy: by encrypting the conversation.
cryptographic digital signatures: to ensure that the content is not modified in flight.
verification of the publisher: through the chain of trust provided by PKI, that I will explain in more detail below.
A good identity should be difficult to counterfeit. In the ancient world, a wax casting of a seal served
this purpose. Identities for humans have relied on biometrics. Your
face is one of the oldest forms. In the non-digital world, when you need
to access an age-restricted setting, such as ordering an alcoholic
beverage, you will be asked for a photo ID.
Another biometric from
before the digital era was to match your fresh pen-and-ink signature
against your original signature on the back of your ID. As these older
types of biometrics become easier to counterfeit, human identity
verification has adapted. Now, it is common for a bank to send you a
validation code on your mobile. The app requires you to pass a biometric
identity check on your mobile phone to view the code such as face
recognition or your fingerprint.
In addition to a biometric, the
second factor that makes an ID trustworthy is the issuer. IDs that are
widely accepted depend on the ability of the issuer to verify that the
person applying for an ID is who they say they are. Most of the more
widely accepted forms of ID are issued by government agencies, such as
the Department of Motor Vehicles. If the issuing agency has reliable
means to track who and where its subjects are, such as tax payments,
employment records, or the use of water utility services, then there is a
good chance the agency can verify that the person named on the ID is
that person.
In the online world, governments have, for the most part, not involved themselves in identity verification. Certificates are issued by private sector firms known as certificate authorities (CAs). While certificates used to be quite expensive, fees have come down considerably to the point where some are free. The best known CAs are Verisign, DigiCert and GoDaddy. Ryan Hurst shows the seven major CAs (ISRG, DigiCert, Sectigo, Google, GoDaddy, Microsoft, and IdenTrust) issue 99% of all certificates.
The
browser will accept a certificate as proof of identity only if the name
field on the certificate matches the domain name, which the browser
shows in the location bar. Even if the names match, does that provide
that a certificate saying “apple.com” belongs to the consumer
electronics business known as Apple, Inc.? Identity systems are not
bulletproof. Underage drinkers can get fake IDs.
Like human IDs, digital certificates can also be fake, or invalid for
other reasons. A software engineer using free open source tools can
create a digital certificate named “apple.com” with a few Linux commands.
The
PKI system relies on CAs to issue any certificate only to the owner of
the website. The workflow to acquire a certificate goes like this:
The publisher of a website applies to their preferred CA for a certificate, for a domain.
The
CA verifies that the certificate request comes from the actual owner of
that site. How does the CA establish this? The CA demands that the
entity making the request publish a specific piece of content on a
specific URL. The ability to do this proves that the entity has control
over the website.
Once the website has proven ownership of the domain, the CA appends a cryptographic digital signature to the certificate usings its own private cryptographic key. The signature identifies the CA as the issuer.
The signed certificate is conveyed to the person or entity making the request.
The publisher installs their certificate on their website, so it may be presented to browsers.
Cryptographic
digital signatures are “a mathematical scheme for verifying the
authenticity of digital messages or documents.” They are not the same
thing as the online document signing provided by DocuSign and similar
vendors. If the signature could be forged, then the
certificates would not be trustworthy. Over time the size of the
cryptographic keys has increased with the aim of making forgery more
difficult. Cryptography researchers believe that current signatures, in
practical terms, are impossible to forge. Another vulnerability is when
the CA has its secret keys stolen. The thief could then produce valid
signatures of that CA.
Once the certificate has been installed, then it is used during the setup of a web conversation. The Register explains how that goes:
If
the certificate was issued by a known good CA, and all the details are
correct, then the site is trusted, and the browser will try to establish
a secure, encrypted connection with the website so that your activity
with the site isn’t visible to an eavesdropper on the network. If the
cert was issued by a non-trusted CA, or the certificate doesn’t match
the website’s address, or some details are wrong, the browser will
reject the website out of a concern that it’s not connecting to the
actual website the user wants, and may be talking to an impersonator.
We
can trust the browser because the browser trusts the website. The
browser trusts the website because the certificate was issued by a
“known good” CA. But what is a “known good CA?” Most browsers rely on
the CAs provided by the operating system. The list of trustworthy CAs is
decided by device and software vendors. The major computer and device
vendors – Microsoft, Apple, Android phone manufacturers, and the open
source Linux distributors – preload the operating system on their
devices with a set of root certificates.
These certificates
identify the CAs they have vetted and consider to be reliable. This
collection of root certificates is called the “trust store.” To take an
example close to me, the Windows PC that I am using to write this piece
has 70 root certificates in its Trusted Root Certificate Store. Apple’s
support site lists all of the roots trusted by the Sierra version of MacOS.
How
do the computer and phone vendors decide which CAs are trustworthy?
They have audit and compliance programs to evaluate the quality of CAs.
Only the ones that pass are included. See for example, the Chrome browser (which provides its own trust store rather than using the one on the device). The EFF (which describes itself as “the leading nonprofit organization defending civil liberties in the digital world”) explains:
Browsers
operate “root programs” to monitor the security and trustworthiness of
CAs they trust. Those root programs impose a number of requirements
varying from “how must key material be secured” to “how must validation
of domain name control be performed” to “what algorithms must be used
for certificate signing.”
After a CA has been
accepted by a vendor, the vendor continues to monitor it. Vendors will
remove CAs from the trust store should the CA fail to uphold the
necessary security standards. Certificate authorities can, and do, go
rogue, or fail for other reasons. The Register reports:
Certificates
and the CAs that issue them are not always trustworthy and browser
makers over the years have removed CA root certificates from CAs based
in Turkey, France, China, Kazakhstan, and elsewhere when the issuing
entity or an associated party was found to be intercepting web traffic.
In 2022, researcher Ian Carroll reported Security concerns with the e-Tugra certificate authority.
Carroll “found a number of alarming issues that worry me as to the
security practices inside their company,” such as weak credentials.
Carroll’s reports were verified by the major software vendors. As a
result, e-Tugra was removed from their trusted certificate stores.
The Timeline of Certificate Authority Failures tells of other such incidents.
There
are still some known holes in PKI as it currently exists. Because one
particular issue is important to an understanding of eIDAS Article 45, I
will explain that next. A CA’s trust is not scoped to those websites
that conduct their business with that CA. A browser will accept a
certificate from any trusted CA for any website. There is nothing
preventing the CA from issuing a website to a bad actor that was not
requested by the owner of the site. Such a certificate would be
fraudulent in the legal sense because of who it was issued to. But the
contents of the certificate would be technically valid from the
browser’s viewpoint.
If there was a way to associate each website
with its preferred CA, then any certificate for that site from any
other CA would be immediately recognized as fraudulent. Certificate pinning is
another standard that takes a step in this direction. But how would
that association be published and how would that publisher be trusted?
At each layer of this process, the technical solution relies on an external source of trust. But how is that trust established? By relying on an even more trusted source on the next higher plane? This question illustrates the “turtles, all the way down”
nature of the problem. PKI does have a turtle at the bottom: the
reputation, visibility, and transparency of the security industry and
its customers. Trust is built at this level through constant monitoring,
open standards, the software developers, and the CAs.
Fraudulent certificates have been issued. In 2013, ArsTechnica reported French agency caught minting SSL certificates impersonating Google:
In 2011…security researchers spotted a bogus certificate for Google.com that
gave attackers the ability to impersonate the website’s mail service
and other offerings. The counterfeit certificate was minted after
attackers pierced the security of Netherlands-based DigiNotar and gained
control of its certificate-issuing systems.
The secure sockets
layer (SSL) credentials were digitally signed by a valid certificate
authority…In fact, the certificates were unauthorized duplicates that
were issued in violation of rules established by browser manufacturers
and certificate authority services.
Fraudulent
certificate issuance can happen. A rogue CA can issue one, but they
won’t get far. The bad certificate will be detected. The bad CA will
fail compliance programs and be removed from trust stores. Without
acceptance, the CA will go out of business. Certificate Transparency, a more recent standard, enables more rapid detection of fraudulent certificates.
Why would a CA go rogue? What
advantage can the bad guy gain from an unauthorized certificate? With
the certificate alone, not much, even when signed by a trusted CA. But
if the bad guy can team up with an ISP, or otherwise access the network
that the browser uses, the certificate gives the bad actor the ability
to break all of PKI’s security guarantees.
The hacker could mount a man-in-the-middle attack (MITM) on
the conversation. The attacker could insert himself in between the
browser and the real website. In this scenario, the user would be
talking directly to the attacker, and the attacker would relay the
contents back and forth with the real website. The attacker would
present the fraudulent certificate to the browser. Because it was signed
by a trusted CA, the browser would accept it. The attacker could view
and even modify what either party sent before the other side received
it.
Now we come to the EU’s sinister eIDAS, Article 45. This
proposed regulation requires all browsers to trust a basket of
certificates from CAs designated by the EU. Twenty-seven to be exact:
one for each member nation. These certificates are to be called Qualified Website Authentication Certificates. The acronym “QWAC” has an unfortunate homophone to quackery – or perhaps the EC is trolling us.
The QWACs would be issued either by either government agencies, or what Michael Rectenwald calls governmentalities:
“corporations and companies and other adjuncts of the state who are
otherwise called ‘private,’ but really are operating as state
apparatuses, in that they’re enforcing state narratives and dictates.”
This
scheme would bring EU member governments one step closer to the point
where they could man-in-the-middle attack against their own citizens.
They would also need to access the networks. Governments are in a
position to do that. If the ISP is run as a state-owned enterprise, then
they would already have it. If ISPs are private firms, then local authorities could use police powers to gain access.
One
point which has not been emphasized in the public conversation is that a
browser in any of the 27 EU member nations would be required to accept
every single QWAC, one from each EU member.
This means that a browser in, for example, Spain, would have to trust a
QWAC from entities in Croatia, Finland, and Austria. The Spanish user
visiting an Austrian website would have to transit over Austrian
portions of the internet. The issues raised above would all apply across
countries within the EU.
The Register, in a piece titled Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections explains one way this might work:
[T]hat
government can ask its friendly CA for a copy of [the QWAC] certificate
so that the government can impersonate the website – or ask for some
other certificate browsers will trust and accept for the site. Thus,
using a man-in-the-middle attack, that government can intercept and
decrypt the encrypted HTTPS traffic between the website and its users,
allowing the regime to monitor exactly what people are doing with that
site at any time.
Having penetrated the shield of
encryption, monitoring could include saving users’ passwords, and then
using them at another time to access citizens’ email accounts. In
addition to monitoring, governments could modify content inline. For
example, they could remove the narratives they want to censor. They
could attach annoying nanny state fact checks and content warnings to dissenting opinions.
As
things currently stand, CAs must maintain the trust of the browser
community. Browsers currently warn the user if a site presents an
expired or otherwise untrusted certificate. Under Article 45, warnings
or the ejection of trust abusers would be forbidden. Not only are
browsers mandated to trust the QWACs, but Article 45 prohibits browsers
from showing a warning that a certificate signed by a QWAC.
Last Chance for eIDAS (a website displaying the Mozilla logo) advocates against Article 45:
Any
EU member state has the ability to designate cryptographic keys for
distribution in web browsers and browsers are forbidden from revoking
trust in these keys without government permission.
…There
is no independent check or balance on the decisions made by member
states with respect to the keys they authorize and the use they put them
to. This is particularly troubling given that adherence to the rule of law has not been uniform across all member states, with documented instances of coercion by secret police for political purposes.
In an open letter signed by several hundred security researchers and computer scientists:
Article
45 also bans security checks on EU web certificates unless expressly
permitted by regulation when establishing encrypted web traffic
connections. Instead of specifying a set of minimum security measures
which must be enforced as a baseline, it effectively specifies an upper
bound on the security measures which cannot be improved upon without the
permission of ETSI. This runs counter to well established global norms
where new cybersecurity technologies are developed and deployed in
response to fast moving developments in technology.
Most
of us rely on our vendors to curate the list of trusted CAs. However,
as a user, you may add or remove certificates as you please on your own
devices. Microsoft Windows has a tool to do this.
On Linux, the root certificates are files located in a single
directory. A CA may be untrusted simply by deleting the file. Will this
also be forbidden? Steve Gibson, noted security pundit, columnist, and host of the long-running Security Now podcast asks:
But
the EU is stating that browsers will be required to honor these new,
unproven and untested certificate authorities and thus any certificates
they issue, without exception and without recourse. Does that mean that
my instance of Firefox will be legally bound to refuse my attempt to
remove those certificates?
Gibson notes that some
corporations implement similar surveillance of their employees within
their own private network. Whatever your opinion about those working
conditions, some industries have legitimate audit and compliance reasons
to track and record what their employees are doing with company
resources. But, as Gibson continues,
The
trouble is that the EU and its member nations are very different from
the employees of a private organization. Any time an employee doesn’t
want to be spied upon, they can use their own smartphone to circumvent
their employer’s network. And of course an employer’s private network is
just that, a private network. The EU wants to do this for the entire
public Internet from which there would be no escape.
Now
we have established the radical nature of this proposal. It is time to
ask, what reasons does the EC offer to motivate this change? The EC says
that identity verification under PKI is not adequate. And that these
changes are needed to improve it.
Is there any truth to
the EC’s claims? Current PKI in most cases only requires the request to
prove control of the website. While that is something, it does not
guarantee, for example, that the web property “apple.com” is owned by
the consumer electronics company known as Apple Inc, headquartered in
Cupertino, California. A malicious user might obtain a valid certificate
for a domain similar name to that of a well-known business. The valid
certificate could be used in an attack that relied on some users not
looking hard enough to notice that the name does not quite match. This
happened to payment processor Stripe.
For publishers who would like to prove to the world that they are truly the same corporate entity, some CAs have offered Extended Validation (EV) Certificates.
The “extended” part consists of additional validations against the
business itself, such as the business address, a working phone number, a
business license or incorporation, and other attributes typical of a
going concern. EVs are listed at a higher price point because they
require more work by the CA.
Browsers used to show highlighted
visual feedback for an EV, such as a different color or a more sturdy
lock icon. In recent years, EVs have not been particularly popular in
the marketplace. They have mostly died off. Many browsers no longer show
the differential feedback.
In spite of the weaknesses that still
exist, PKI has improved markedly over time. As flaws have become
understood, they have been addressed. Cryptographic algorithms have been
strengthened, governance has improved, and vulnerabilities have been
blocked. Governance by a consensus of industry players has worked quite
well. The system will continue to evolve, both technologically and
institutionally. Other than meddling by regulators, there is no reason
to expect otherwise.
We have learned from the lackluster history
of EVs that the marketplace does not care so much about corporate
identity verification. However, if internet users did want that, it
would not require breaking existing PKI to give it to them. Some small
tweaks to existing workflows would suffice. Some commenters have
proposed modifying the TLS handshake;
the website would present one additional certificate. The primary
certificate would work as it does now. The secondary certificate, signed
by a QWAC, would implement the additional identity standards that the
EC says it wants.
The EC’s purported reasons for eIDAS are simply
not credible. Not only are the reasons given implausible, the EC does
not even bother with the usual sanctimonious whining about how we must
sacrifice important freedoms in the name of safety because we face the
grave threat of [pick one] human trafficking, child safety, money
laundering, tax evasion, or (my personal favorite) climate change. There is no denying that the EU is gaslighting us.
If the EC is not honest about their true motives, then what are they after?
Gibson sees a nefarious intent:
And there’s only one possible reason for them wanting [to enforce browsers to trust QWACs], which is to allow for on-the-fly Internet web traffic interception, exactly as happens inside of corporations. And that’s acknowledged.
(What
Gibson means by “web traffic interception” is the MITM attack described
above.)Other commentary has highlighted the sinister implications for
free speech and political protest. Hurst in a long-form essay makes a slippery slope argument:
When
a liberal democracy establishes this kind of control over technology on
the web, despite its consequences, it lays the groundwork for more
authoritarian governments to follow suit with impunity.
Mozilla quoted in techdirt (with no link to the original) says more or less the same:
[F]orcing
browsers to automatically trust government-backed certificate
authorities is a key tactic used by authoritarian regimes, and these
actors would be emboldened by the legitimising effect of the EU’s
actions…
Gibson makes a similar observation:
And
then there’s the very real specter of what other doors this opens: If
the EU shows the rest of the world that it can successfully dictate the
terms of trust for the independent web browsers used by its citizens,
what other countries will follow with similar laws? Now everyone gets to
simply require that their own country’s certificates get added. This
takes us in exactly the wrong direction.
This proposed Article 45 is an attack on user privacy in the EU nations.
If adopted, it would be a massive setback not only in internet
security, but in the evolved system of governance. I agree with Steve
Gibson that:
What’s completely unclear, and what I
haven’t encountered anywhere, is an explanation of the authority by
which the EU imagines it’s able to dictate the design of other
organization’s software. Because that’s what this comes down to.
Response to the proposed Article 45 has been massively negative. The EFF in Article 45 Will Roll Back Web Security by 12 Years writes,
“This is a catastrophe for the privacy of everyone who uses the
internet, but particularly for those who use the internet in the EU.”
The
eIDAS effort is a four-alarm fire for the security community. Mozilla –
maker of the open source Firefox web browser – posted an Industry Joint Statement opposing
it. The statement is signed by an all-star roster of internet
infrastructure companies including Mozilla itself, Cloudflare, Fastly,
and the Linux Foundation.
From the the open letter mentioned above:
After
reading the near-final text, we are deeply concerned by the proposed
text for Article 45. The current proposal radically expands the ability
of governments to surveil both their own citizens and residents across
the EU by providing them with the technical means to intercept encrypted
web traffic, as well as undermining the existing oversight mechanisms
relied on by European citizens.
Where does
this go? The regulation has been proposed for some time. A final
decision was scheduled for November of 2023. Web searches show no new
information on this topic since that time.
In these past
few years, outright censorship in all its forms has increased. During
the covid lunacy, government and industry partnered to create a censorship-industrial complex to
more efficiently promote false narratives and suppress dissidents. In
these past few years, skeptics and independent voices have fought back, in courts, and by creating viewpoint-neutral platforms.
While
censorship of speech continues to be a great danger, the rights of
writers and journalists are better protected than many other rights. In
the US, the First Amendment has
an explicit protection of speech and the freedom to criticize the
government. Courts may be of the opinion that any rights or freedoms not
protected by highly specific statutory language is fair game. This may
be the reason that the resistance has had more success on speech than
other efforts to stop other abuses of power such as quarantines and population lockdowns.
Rather
than a well-defended foe, governments are shifting their attacks to
other layers of the internet infrastructure. These services, such as
domain registration, DNS, certificates, payment processors, hosting, and
app stores, consist largely of private marketplace transactions. These
services are much less well protected than speech because there is, for
the most part, no right for anyone to purchase a specific service from a
particular business. And the more technical services such as DNS and
PKI are less well understood by the public than web publishing.
The
PKI system is particularly vulnerable to attack because it works by
reputation and consensus. There is no single authority that rules the
entire system. The players must earn a reputation through
transparency, compliance, and honest reporting of failures. And that
makes it vulnerable to this type of disruptive attack. If EU PKI falls
to the regulators, I expect other countries to follow. Not only is PKI
at risk. Once proven that other layers of the stack can be attacked by
regulators, they will be targeted as well.
