[isilofi]

There is no way for e2echat.com to make sure that the client will insist on a certain safe CA. Sure, in case e2echat.com controls all clients this would be possible, but this is a rare case.

In the general case, any CA can sign any website certificate. So all those new government CAs can sign all the man-in-the-middle certificates they like, and browsers are obliged to accept them. Nothing the website can do about that.

There are ways to pin certain CAs via DNSSEC and TLSA resource records in DNS. But browsers ignore those, and even if they didn't, the same EU proposal also specifies government DNS manipulation.

So the gist is: EIDAS must die.

[Jensson]

You still wont be able to break the end to end encryption of a site. You can only intercept traffic that the server can read, you can't intercept traffic that are encrypted end to end.

And if the site can see your data assume the government can see it as well, they can get it with a warrant.

[isilofi]

Website-based end-to-end encryption isn't usually. In most cases, the "e2e-encrypting" website will deliver the Javascript that does the "e2e-encryption", which can easily be manipulated to provide a copy of all messages to some convenient third location.

A warrant will maybe warn the site and the user that something is going on.

A man-in-the-middle attack without a warrant delivered to either party is more likely to go undetected.

[Jensson]

> which can easily be manipulated to provide a copy of all messages to some convenient third location.

Updating others javascript as a proxy isn't "easily".

Also if the government goes all this way to tell each internet provider to spy on people, why do you think they couldn't tell certificate authorities to spy on people? It is the same level. I wouldn't be surprised if many CA's in USA already does this.

[isilofi]

It is "easily", because current commercially available "firewall" appliances include that kind of capabilities. Just a few clicks, install a CA certificate, add a logging endpoint, done. Certain regulated industries like finance and medicine are required to use those. All chats are instantly intercepted and logged.

And the way to spy on people via a certificate authority is exactly as described, you get a CA that signs your man-in-the-middle certificate for a website you do not own. Then you MitM that traffic using that certificate, while still getting a green "lock" icon.

With current WebCA certificates, certificate transparency does help a little to detect such MitM certificates, and some CAs have actually been caught red-handed. There are processes to punish or remove such CAs. However, this law would also prevent such actions, thus making it impossible to prevent any future malfeasant CAs.

About an example MitM certificate case and removal, see the DigiNotar case: https://blog.mozilla.org/security/2011/08/29/fraudulent-goog...

For more about how certificate transparency works see http://nil.lcs.mit.edu/6.824/2020/papers/ct-faq.txt

[Jensson]

Maybe browsers shouldn't hardcode those things? If they let you blacklist CAs you could do that yourself or via a plugin. There is nothing preventing browsers from implementing that, and have a one click button "don't trust compromised CAs". Could even had that during install as a toggle, would satisfy every legal requirement.

If this means users gets more power over what CAs to trust then that is a good thing.

[isilofi]

You can manually distrust hardcoded CAs in all common browsers. But even now, this is rarely used because it is tedious, there are roughly a hundred active CAs.

And depending on how that law will be interpreted by courts, manually distrusting might be considered illegal.

[nulld3v]

> If this means users gets more power over what CAs to trust then that is a good thing.

Do you really think your average user is going to go into the browser and manually distrust root CAs? We have learned again and again that good security is "secure by default", not "secure after arcane configuration".