Browsers like Google Chrome could be forced to trust government-designated third parties without requisite security guarantees, in a proposed amendment to eIDAS.
The proposed amendment to Article 45 in eIDAS would result in a significant, negative impact on web users’ security.
EU lawmakers have been urged by leading cyber security experts, advocates and practitioners alike not to implement the proposed changes for securing online transactions, because the risk to internet users’ security and privacy is too great.
In a letter to Members of the European Parliament on 3rd March, the Electronic Frontier Foundation (EFF) and others suggested that lawmakers reject a proposed amendment to Article 45 in the EU’s Digital Identity Framework (eIDAS). The reason for the rejection is that the amendment would require browsers to accept faulty website certificates, which could bypass the security measures modern browsers use to prevent cyber criminals from intercepting and stealing users’ data.
Among the signatories are Alexis Hancock, EFF director of engineering; David Awad, faculty instructional associate of computer science at Georgia Tech; Andrew Ayer of SSLMate; and other security experts from Canada, France, Germany, Belgium, Taiwan, the UK and the USA.
The signatories argue that the proposed changes to Article 45 would result in severely negative security consequences for millions of web users.
Google Chrome, Firefox and Safari are among the most widely used browsers, and they could be forced to trust government-designated third parties without the requisite security guarantees, leaving billions of web users vulnerable.
Browsers would be required to accept Qualified Website Authentication Certificates (QWACs), a type of EU website certificate which has been criticised in the past for its lack of effectiveness as a way of protecting users, due to implementation issues.
QWACs follow the same standards as Extended Validation (EV) certificates. Both are digital certificates issued to domain owners with an additional mechanism that verifies the domain owner’s identity, but the onus is squarely on the user to notice and act on that identity information. This approach has been shown to be ineffective in the past.
The ramifications could be that, after trusting a third party who turns out to be irresponsible or insecure, user privacy could be jeopardised, personal or financial information leaked, or the user could become a target for malware.
This decision could impact web users worldwide, not just those within the EU, according to the EFF. Requiring browsers to trust certificates issued by EU government-mandated Certificate Authorities (CAs) would force a security-weakening feature into the web experience of users both inside and outside the EU.
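The trust decision at stake, as an added example that is not from the article or the EFF letter: a browser’s root store is an allowlist the browser vendor maintains under its own criteria, so a certificate can be cryptographically valid and still untrusted. The code assumes the third-party `cryptography` package and constructs two throwaway roots in memory; the hostname and CA names are constructed values.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def _builder(subject, issuer, pub):
    # Common certificate fields; the 30-day validity is a constructed value for the demo.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=30)))

def make_root(name):
    # Self-signed CA: stands in for any root a browser is asked to add to its store.
    key = ec.generate_private_key(ec.SECP256R1())
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (_builder(dn, dn, key.public_key())
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_leaf(root_key, root_cert, hostname):
    # Server certificate for `hostname`, signed by the given root's key.
    key = ec.generate_private_key(ec.SECP256R1())
    dn = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return (_builder(dn, root_cert.subject, key.public_key())
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .sign(root_key, hashes.SHA256()))

def signed_by(leaf, root):
    # Cryptographic check only: the root's key signed the leaf and the issuer name matches.
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return leaf.issuer == root.subject

def chain_is_trusted(leaf, root, allowlist):
    # Policy check: a valid signature counts only if the client itself vetted the root.
    return root.fingerprint(hashes.SHA256()) in allowlist and signed_by(leaf, root)

def demo():
    vetted_key, vetted_root = make_root("Vetted Root CA")
    mandated_key, mandated_root = make_root("Mandated Root CA")
    store = {vetted_root.fingerprint(hashes.SHA256())}  # the client's own allowlist
    forced = issue_leaf(mandated_key, mandated_root, "example.com")
    return (chain_is_trusted(issue_leaf(vetted_key, vetted_root, "example.com"), vetted_root, store),
            signed_by(forced, mandated_root), chain_is_trusted(forced, mandated_root, store))
```

`demo()` returns `(True, True, False)`: the forced chain passes the signature check but fails the store policy, and that second check is exactly what a mandated root would bypass.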
In the letter, the signatories state that the amendment to Article 45 would undo the work done over the last decade to strengthen internet security. It would be in everyone’s best interest for it to be withdrawn; instead, CAs should be urged to meet security, transparency and incident response criteria.