1. 31
  1. 27

    (Original) headline is misleading.

    “Mandate less secure” makes it sound like they want to downgrade the algorithm selection. Actual article text says that they want to mandate certain CAs for better security, but that their plan happens to be bad.

    I’d flag this as “incorrect” but that flag isn’t available anymore. 🤷

    1. 7

      They article says it will force browsers to accept CAs that do not currently meet the requirements for their root programs.

      How is that not making them less secure?

      1. 7

        Goals vs. outcomes. There have been actual efforts to make TLS less secure—that is, with the stated goal of making TLS less secure—and this is not one of them.

        If the title were “EU proposal would force browsers to accept less secure certificates” then the title would not be implying intent. But using the phrase “plans to” speaks to intent, which makes it incorrect.

        1. 7

          No. This legislation would mandate less secure certificates. The point of a certificate is solely proving identity, and this legislation mandates browsers accept a substantially less secure CA’s certificates.

          Hence the certificates are less secure. It would matter if they used 16bit key, they would still be less secure for their one purpose.

          1. 2

            Again, I’m speaking about goals vs. outcomes and the wording of the title. You seem to be arguing about the outcome, even though I don’t necessarily disagree with you about that.

            1. 5

              The title is “EU plans to mandate less secure certificates in browsers”. That is the correct title.

              The EU’s intent is to improve security (debatable), but the mandate isn’t “browsers must make PKI safer”, the mandate is that browsers must support certificates from unsafe/insecure CAs. Which is what the title says.

              1. 4

                Scenario: Olliej wants to go out to get some groceries. Olliej gets the keys to his petroleum fuel burning transportation device.

                Two headline options:

                1. Olliej plans to burn petroleum fuel and release toxic gases in the environment.
                2. Olliej’s ride to grocery shopping will burn petroleum fuel and release toxic gases in the environment.

                Which one would you say is more accurate?

                1. 2

                  Not a reasonable analogy as it assumes the person making the action is the person making the decision.

                  A better equivalent would be:

                  People drive to grocery stores

                  In order to prevent traffic jams due to cars running out of gas, a law is planned that requires people to have 20kms of gas in the car.

                  People now have to buy a gas can for their electric cars.

                  The goal: stopping people running out of gas

                  The solution: require people have a gas buffer

                  The plan: require every car to have a gas tank

      2. 3

        Yeah, title is misleading. Though things like that are common in journalism, but of course on here rules are more strict with that kind of thing. I don’t really see the point of mandating certain ones for better security rather than all, would there even be a benefit to that besides slightly stricter/more secure authority on certs?

        1. 1

          The title should probably be changed to “EU plans to mandate less secure certificate authorities in browsers “

        2. 5

          From this article, browsers would be required to accept certs from an EU-mandated list of CAs and to present special kinds of cert in a distinct way in the UI. It is very difficult to write a law that mandates how a compliant implementation could display them and so it may be possible to comply with the letter of the regulation by putting a red warning icon in the address bar and popping up a warning that the site uses an insecure certificate…

          1. 8

            What they want is the old EV mechanism, and they want it to be legally required, and that each state can specify which CAs a browser must accept, regardless of the security of that CA.

            The reason CAs want it is the same reason they wanted EV certs: to make obscene profit off a mandatory service.

            The reason for states being able to specify the CAs that must be supported is twofold:

            • mandatory payments to a company (or government agency) in that country

            • they can compel their local CA to misissuance certificates, and browsers would still be required to recognize certs from that CA

            Under current root programs CAs are removed for repeated accidental issuance, they’re removed for improper authentication, they’re removed for failing to revoke certs as appropriate, etc

            This law would mean not only would those action be allowed, it would mean intentional misissuance would be allowed.

          2. 4

            Oh wow, and they seem intent on bringing back OCSP again, despite OCSP making TLS significantly slower, routinely breaking, and leaking what sites users are visiting.

            It’s like they took a look at every step browsers have made to improve connection security in the last ten years and said “lets do the exact opposite of that”

            It is perhaps unsurprising that this is being pushed by CAs, and they’re providing “conferences” filled with nothing but powerpoint slides arguing that people prefer paying money for certificates. I would not be remotely surprised if these meetings are fully hosted/paid for by the CAs.

            1. 4

              What is the interest of the EU to get involved in certificate issuance? Is it bureaucracy overreach or is there something else behind this effort?

              1. 24

                My guess would be a genuine feeling that it’s not good for EU people that an American advertising company, an American browser vendor, an American computer company, and an American software company functionally control who’s allowed to issue acceptable certificates worldwide.

                1. 5

                  Sure, but then the answer is that the EU should make Mozilla open an office in Brussels or somewhere and then shovel money at FireFox, so that they have their own player in the browser wars. Tons of problems are created for users by the fact that Google and Apple have perverse incentives for their browser (and that Mozilla’s incentive is just to figure out some source, any source of funding). Funding Mozilla directly would give EU citizens a voice in the browser wars and provide an important counterbalance to the American browsers.

                  1. 4

                    Directly funding a commercial entity tasked with competing with foreign commercial entities is a huge problem; Airbus and Boeing have had disputes about that for a long time: https://en.wikipedia.org/wiki/Competition_between_Airbus_and_Boeing#World_Trade_Organization_litigation

                    On the other side, passing laws that require compliance from foreign firms operating in the EU has been successful; for as much as it sucks and is annoying to both comply with and use websites that claim to comply with it, the GDPR has been mostly complied with.

                    1. 5

                      A) In an EU context, it’s hard to argue that Aerobus hasn’t been successful for promoting European values. If the WTO disagrees, that’s because the WTO’s job is not to promote European values. I can’t really imagine how Google or Apple could win a lawsuit against the EU for funding a browser since they give their browsers away for free, but anyone can file a lawsuit about anything, I suppose.

                      B) I don’t see how anyone can spend all day clicking through pointless banners and argue that the current regulatory approach is successfully promoting EU values. The current approach sucks and is not successful. Arguably China did more to promote its Chinese values with Tiktok than all the cookie banners of the last six years have done for the EU’s goals.

                      1. 4

                        None of this is about “promoting EU values.”

                        The EU government’s goal for Airbus is to take money from the rest of the world and put it in European paychecks.

                        The goal of the GDPR is to allow people in Europe a level of consent and control over how private surveillance systems watch them. The GDPR isn’t just the cookie banners; it’s the idea that you can get your shit out of facebook and get your shit off facebook, and that facebook will face consequences when it comes to light that they’ve fucked that up.

                        Google could absolutely come up with a lawsuit if the EU subsidizes Mozilla enough to let Mozilla disentangle from Google and start attacking Google’s business by implementing the same privacy features that Apple does.

                        1. 2

                          The goal of the GDPR is to allow people in Europe a level of consent and control over how private surveillance systems watch them.

                          Yes, and it’s a failure because everyone just clicks agree, since the don’t track me button is hidden.

                    2. 1

                      That’s one answer, but what does it have to be “the” answer?

                  2. 8

                    A trusted and secure European e-ID - Regulation, linked to in the article’s opening, is a revision of existing eIDAS regulation aiming to facilitate interoperable eID schemes in Member States. eIDAS is heavily reliant on X.509 (often through smartcards in national ID cards) to provide a cryptographic identity.

                    The EU’s interest in browser Certificate Authorities stems from the following objective in the draft regulation:

                    1. They should recognise and display Qualified certificates for website authentication to provide a high level of assurance, allowing website owners to assert their identity as owners of a website and users to identify the website owners with a high degree of certainty.

                    … to be implemented through a replacement to Article 45:

                    1. Qualified certificates for website authentication referred to in paragraph 1 shall be recognised by web-browsers. For those purposes web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user friendly manner.

                    Mozilla’s November 2021 eIDAS Position Paper, also linked in the original article, goes into more detail about the incompatibilities with the ‘Qualified Website Authentication Certificates’ scheme and the CA/Browser Forum’s policies.

                  3. 2

                    It might not be a problem - if browser vendors take the pragmatic approach and use the current rules for determining whether a certificate is to be trusted first, and only if trusted show it as “moar safe” because it happens to be a QWAC-certified one.

                    This is just going to be another stupid way to funnel away more money from web site owners towards snake oil vendors, like the old EV certificates were.

                    1. 2

                      The legislation requires browsers to recognize the CAs specified by the member states, and the list they use include numerous CAs that do not meet the existing root store requirements.

                      The article literally quotes Mozilla on this point

                    2. 1

                      I literally don’t see a problem with this proposal, the certificates they’re talking about seem to be at least as secure as the certificates we use now. And I would love if browsers could improve security somewhat by warning me if I for example enter a credit card number on a site without such a QWAC certificate, same way as http:// sites are marked when you try to enter a password.

                      Only critisism I have is the name. QWAC sounds like quack, as in charlatan, expect puns from the security community in 3.. 2.. 1..

                      1. 16

                        Not really, some of the CAs failed to pass basic sanity checks by Mozilla to be included in the past.

                        There should have been a discussion with the browser vendors and they should have been much more involved.

                        Frankly, EU should just fund Firefox development directly for the geopolitical reasons and in turn, Mozilla should get involved in EU security.

                        1. 9

                          Strong agree that EU should fund Firefox development, I’d take it one step further and say that Mozilla should be allowed to function on EU money alone; their stated goals seem very compatible, and it would allow Mozilla to get out from Google’s grasp, and allow the EU less dependence on American tech.

                          But I think this is also why we should be supportive about an initiative like this; instead of saying “EU is coming with stupid plans to make our computer insecure”, we should say “Fantastic you want to look into this, did you know there’s an American nonprofit that already does this, they have a lot of experience with it already, and they could really use some funding, you should talk!”

                        2. 16

                          I literally don’t see a problem with this proposal, the certificates they’re talking about seem to be at least as secure as the certificates we use now.

                          Erh… no. That’s literally half of the article.

                          Browser vendors have minimum security requirements for CAs. Issuers for QWACs would not have to follow those, but much weaker requirements. There’s even a specific example where exactly that happened.

                          1. 4

                            QWAC is the European equivalent of EV certs and has all of the same problems. EV demonstrated very clearly that such notices do not work, and actively undermine security.

                            They do however make certificates more expensive (no chance you’re getting a free one), and break automation (can’t issue without real authentication of identity), both running counter to our established understanding of how to ensure a secure PKI.

                            You’re also assuming the CAs don’t mis-issue certificates but browser would be required to accept certificates from CAs that fail even the most basic sanity checks, let alone the full security and correctness requirements of the existing root stores.

                            1. 4

                              I think the idea behind QWAC, that every cert is tied to a legal entity is not necessarily a terrible one. The implementation however, well obviously they screwed that up, by allowing companies like Camerfirma who can’t figure out basic TLS certs. They are literally solving the symptom and not the actual problem.

                              Perhaps the current govt business licensing process could be amended to also generate a way that then current CA’s can link a business license to a cert. Obviously that’s a big complicated mess, since business licenses are distributed across cities and counties in the USA at least, though I imagine the EU and others operate similarly.

                              But that is the only way to do this properly, If we really want a strong link between entities and TLS certs, the existing business licensing process needs to get amended to include domains and TLS certs. Perhaps the laziest implementation would just be amending the business license application form(s) to include domain names along with phone #’s and addresses.

                              1. 7

                                It is a terrible idea. It has literally already existed. It was called Extended Validation.

                                Things it did: made certificates much more expensive (>$100, initially >$1000) making people want longer loved certs, the identity authentication breaks automation, making it harder to automate rolling, further complicating renewal. So EV certs cause problems for actually maintaining a sites PKI.

                                For the benefits: none. I mean that seriously, browsers did multiple studies and just like the old padlock they found that a positive indicator carries negligible information as it is generally ignored. It gets even worse though: a company’s public name does not necessarily match their legal name, which confuses users so they don’t trust legitimate sites. Then for a double whammy: legal names are not unique, so you can make a fraudulent site with the EV (or QWAC this time round) have a “legitimate” name on any url you like.

                                That’s why browsers dropped EV certs: they make it harder to run secure sites well, and at best they don’t do anything to help make users safer, and at worse confuse and mislead them.

                                1. 1

                                  QWAC and EV are both stupid, I’m 100% with you here. Nobody thought about the problem very hard coming up with these solutions, as they both suck.

                                  The idea of having some way to know that example.com is tied to business entity Example, Inc in this jurisdiction is not a bad idea. Of course there can be 500 Example Inc’s, but there can only be 1 Example inc in Olliejville, NC USA. i.e. local jurisdictions already know how to distinguish different businesses within their control.

                                  Most jurisdictions require a license to do business in Olliejville. If every city, county, state, etc just added a domains field to their applications and forms, we could then create larger indexes easily enough and have this information. That’s enough. Governments already know how to handle business licenses and having them add 1 more field is not a big deal. Of course it’s not perfect and it would take considerably longer, but it’s arguably a way better solution than QWAC or EV. Centralizing this is mostly idiotic. Once this is deployed to some reasonable amount of areas and indexes get made, perhaps it makes sense for CA’s to create TLS certs with this information, basically filling out the city, town and name fields for the domain in question for you. No verification needed, they just need to trust local govt X and Y to get the information correct.

                                  Note, this “solution” I just created off the top of my head, I’m sure better ones exist if someone thought about it harder than I did.

                                  The idea of having a legal entitity <-> domain is not a bad one. Obviously our past and proposed implementations where some crappy company is supposed to verify all this is idiotic, they have ZERO incentive to get any of this correct and will just do the bare minimum until it’s useless information, just like EV certs were. I agree with you there. Local Govts are not in the same boat, they have incentives to get the data right.

                                  1. 3

                                    Your legal entitity <-> domain mapping cannot be done in a way that helps users.

                                    The researcher who got an EV cert for their local stripe, inc could have turned around and got strípe.com, and a local government’s records will be able to say stripe, inc <-> strípe.com. A user will see strípe.com and the big “you can trust this” UI the browser is forced to show will even say “the government agrees, this site definitely belongs to Stripe, inc”.

                                    Similarly if a user is shown a company name “Foo” on bar.com, what are they meant to think? It is exceedingly common for the legal name of a company to be completely different from the brand name. So users are have to decide which one to trust.

                                    The only field that actually demonstrate the identity of a website is the url. Anything else is irrelevant.

                                    There is nothing you can add to a certificate, and no field you can require the UI to display, that is more trustworthy than the domain.

                                    It isn’t even a matter of local governments having a interest in keeping those records accurate. A local shop selling painting supplies called Stripe, can register their domain as being str1pe.com, and should be able to get the magic certificate flag. I’m going to go out on a limb and say that their security doesn’t match the security of the american Stripe, Inc

                                    You’re also making an assumption about what the “best interests” of such an organization is: Plenty of counties, states, or even countries, make significant income from business registrations, for companies that do not in any meaningful sense exist in those locations. Their interest is in having companies be registered, and making that as painfree for the companies as possible, that means accepting the urls they use.

                                    You’re assuming that these CAs are really doing any serious validation, which even when EV was restricted to the high end CAs they were not, and were happily issuing EV certs with obvious incorrect information (https://scotthelme.co.uk/extended-validation-not-so-extended/).

                                    The find question is what happens when a CA encounters an EV cert for a company whose name matches another more “famous”/important company? Because past research says they’ll blindly revoke the 100% compliant, correct, and accurate certificate and keep the money.

                                    There is no certificate identity <-> domain mapping that adds security, as the only thing that matters is the url.

                                    1. 1

                                      In every single comment I have said EV is bad, yet you haven’t seemed to grasp that I said that. let’s try again: EV CERTS ARE STUPID. Can we move on from all of that now? You seem to have not listened at all to what I said. Stop thinking about browser UI or web security, that’s not remotely my point.

                                      It should be relatively easy to track down out in the physical real world the person/persons responsible for example.com. This really only matters when an entity is doing business via example.com, so it really only needs to apply to business entities. Hence adding a domain field to existing business licenses solves the problem. It’s the same as a telephone # or an address.

                                      1. 1

                                        Ok, I’ve re-read, so I want to clarify. Are you saying it is reasonable for a local government’s company listings to include a url? e.g identity->url (I honestly assumed most would have that now in contact info sections, but governments are slow), in that case I agree it seems useful.

                                        You use <-> which I assumed meant the cert would also have a legal name style entry that was somehow “special” and get UI treatment that would make it seem trustworthy (vs the already present subject organization name, which is intentionally not distinguished from any other field in most cert viewers)

                                        1. 1

                                          Are you saying it is reasonable for a local government’s company listings to include a url?

                                          Yes. I can’t say with any certainty about most business license forms, but all the ones I’ve ever filled out have never asked for this information. I’ve occasionally seen an email address field though. :)

                                          You use <-> which I assumed meant the cert would also have a legal name style entry that was somehow “special” and get UI treatment that would make it seem trustworthy (vs the already present subject organization name, which is intentionally not distinguished from any other field in most cert viewers)

                                          No, we already know this is stupid and would be a terrible way to do it.

                                          If one wanted to do something like this, arguably a better way to do this would have the local city/etc govt cross-sign an existing TLS cert(say from lets encrypt) with their own, saying, we attest(sign) that this cert belongs to this company. This can all be done with ACME (I’m pretty sure, it’s been a while since I’ve read the spec, but I think I remember it’s fine) in an automated fashion so it’s not a big deal to add to the existing workflow. This doesn’t change the security at all, and doesn’t require any UI changes.

                                          1. 1

                                            Ok, so we do agree - I just misinterpreted <-> as meaning you wanted a bidirectional relationship :)

                                            1. 1

                                              Well I do, but it can require some work, again the point isn’t that it be all up in your face, the point is, the mapping exists, so if one needs the mapping for some purpose(law enforcement, or research or whatever), it can be done reasonably. If for some reason their exists a valid use-case to make it easy and all up in your face, like a WEB UI change, it could be added eventually, but that use-case is far from certain or clear at this point in time. We know from the EV debacle that it’s probably a disaster to just assume it’s useful from day one. I for one am not advocating for any UI changes.