[no_time]

If "e2echat.com" has no method to explicitly forbid your browser from accepting eIDAS certs (via a DNS record or something) then your browser will just blindly accept the compromised cert when attacked.

This is still very bad.

[gallexme]

Wouldn't a client certificate from e2echat protect that kind of attack ? Since even when a man in the middle offers u a server cert u accept, the e2echat servers can't validate the client certificate from you anymore

(Still bad but would at least protect connections from ever talking to e2echats servers)

[Filligree]

Nobody uses client certs.

[Jensson]

> This is still very bad.

Yes, potentially, but it isn't "another kind of chat control".

[g-b-r]

It's another side of the efforts of going around encryption, chat controls deals with communication services, this one with browsers

[Jensson]

But this doesn't force browsers and sites to use weak encryption. It is very different.

[g-b-r]

This forces browsers to accept all the CAs approved by the EU states, and you can be certain that some of them will be used for decrypting (and if needed modifying) the traffic

[Jensson]

And then you can just tell the browser to not trust those CAs and you are safe. This is nothing like "chat control". This only lets the government spy on people who don't care if the government spies on them.

[yaris]

IIRC one cannot tell the browser to not trust root CAs, that's why all the fuss.

[no_time]

Luckily, I never said anything like this anywhere.

[raverbashing]

Yes, I agree. The crying wolf is too much sometimes.

Accepting certificates from a given issuer does not give them the issuer the right to impersonate others

[g-b-r]

All root CAs can issue certificates for any site (except those with CAA records etc.)