by agarsev 963 days ago
Just adding a perspective (not necessarily mine, I'm still on the fence) supporting this legislation from a tech-literate person in the EU.

The digital administration in my country has made my life so much easier. We all have mandatory ID cards since decades ago, but now they have a chip with some certs for auth, signing, etc. I can check my taxes, fill government forms, see any traffic tickets, sign official documents from my home thanks to this. However, as far as I understand, this relies on my user agent accepting some particular CAs. This is critical, to the point of my browser preventing me access to some parts of the administration if the CA is not up to date or recognised or whatever.

What this legislation proposes, if I understand it correctly, is putting in the hands of the government the power to administer (part of) this CA infrastructure. As with many EU-related legislation, this forcefully transfers power from private (often American) entities to EU governments. I guess when trust in your government is higher or equal to trust on private firms, this doesn't sound so bad.

Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.

5 comments

You should read the letter, it's worse than that. It makes these gov CAs unrejectable, along with providing a means of tracking your activity. Essentially, it's like giving your least trusted EU country access to your browsing history and some of your decrypted traffic.

They could have reduced scope, but looking at effects perhaps that's not what they actually want.

> It makes these gov CAs unrejectable

That part I understood

> along with providing a means of tracking your activity. Essentially, it's like giving your least trusted EU country access to your browsing history and some of your decrypted traffic.

This one though, not quite. Can you explain in layman terms, maybe by means of a practical example, how this would work exactly and what is needed for it?

You are sending letters to your friend and getting their replies back in the mail.

You know your government delivers your letters and they could open them and read them, but you trust your government to keep your info private and use this power well.

The current regulation would mean any government can peek at your letters, and even if they got caught peeking or letting their friends read your letters, your mail carrier can't do anything. They aren't even allowed to ban the other government's friend from reading your mail.

If you had a friend who tried to help you write in secret code to prevent these other governments or strangers from reading your mail, they would be risking jail time.

Not only do you have to trust your government, but you must trust every government in the EU and if they get caught misbehaving, nobody can do anything about it.

(Practically, any government can MITM any ssl connection and read or alter things at will.)

Thanks, but I wasn't actually looking for an analogy. I'm trying to understand things like how the government (or whatever actor) would gain access to browser history via a MITM attack for instance.

They wouldn't gain access to previous browser history, but as soon as they issue a certificate for a website they can get ISPs to use that certificate for MITM.

Any MITM attack is always going to be going forward, not in reverse, at least to capture authentication sessions (and then you can root around in someone's account).

1. Compromised WiFi networks ("McDonald's Free Wifi")

2. BGP Hijacks (these tend to get noticed)

3. Malware running a local proxy (Malware can try to inject its own cert into the store too, but that cert would be compromised by CT/AV/etc. A proxy with a valid gov cert would be much harder to detect.)

4. Compromised cell sites (stingray type devices)

5. Mistyped URLs, often in combo with spear phishing.

> Not saying this is right or wrong, but maybe this helps understand why many people in the EU may not be so against this type of legislation.

I'm with you. I think most of the fuss is about forcefully involving government in the CA infrastructure and the fact that this affects the rest of the world.

As to the latter, I've always found it weird that by default all root stores contain hundreds of CAs from all over the world. By default, anyone is assumed to trust large companies (Google, Amazon) equally to nation states (Staat der Nederlanden) and shady entities (Hongkong Post Office). So it's not surprising to have everyone up in arms if the EU adds yet another chair to this table.

Wouldn't it make much more sense if users took more control and responsibility of the certs in their root store? Wouldn't it make more sense to restrict CAs to certain domains? I would be okay with an EU sanctioned CA if it could only assert authenticity of EU services, but not shops or whitehouse.gov. I've always felt that it would make much more sense if CAs were much more restricted to specific "trust use cases".
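The "restrict CAs to certain domains" idea in the post above already exists in X.509 as the Name Constraints extension (RFC 5280 section 4.2.1.10): a CA certificate can carry a list of permitted DNS domains, and a conforming verifier refuses any leaf certificate whose names fall outside them. The Go program below is an added example written for this thread, not code from any commenter or from any real root program. It builds two throwaway in-memory roots (the root names, and the hosts tax.example.eu and shop.example.com, are constructed for the demo), one unconstrained and one limited to example.eu, issues a server certificate for each host under each root, and verifies the chains the way a browser would, distinguishing a name-constraint rejection from any other verification failure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// demoCA is a throwaway in-memory CA built for this example; nothing here
// is a real root or a real government CA.
type demoCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newRoot creates a self-signed root. A non-empty permitted list adds a
// critical Name Constraints extension (RFC 5280 4.2.1.10) so the root can
// only vouch for names inside those DNS domains.
func newRoot(name string, permitted []string) (*demoCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: name},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &demoCA{cert: cert, key: key}, nil
}

// issueLeaf signs a server certificate for host under ca.
func (ca *demoCA) issueLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServerCert chains leaf to root and checks it is valid for host,
// which is what a browser does with the roots in its trust store.
func verifyServerCert(root, leaf *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// isNameConstraintError reports whether verification failed specifically
// because the CA is not authorised for that name, not for another reason.
func isNameConstraintError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	open, _ := newRoot("Demo Unconstrained Root", nil)
	limited, _ := newRoot("Demo Root limited to example.eu", []string{"example.eu"})
	for _, ca := range []*demoCA{open, limited} {
		for _, host := range []string{"tax.example.eu", "shop.example.com"} {
			leaf, _ := ca.issueLeaf(host) // demo only: errors ignored for brevity
			err := verifyServerCert(ca.cert, leaf, host)
			fmt.Printf("%-32s %-18s accepted=%-5v nameConstraint=%v\n",
				ca.cert.Subject.CommonName, host, err == nil, isNameConstraintError(err))
		}
	}
}
```

Running it prints four rows: the unconstrained root validates both hosts, the constrained root validates tax.example.eu and rejects shop.example.com with a name-constraint error. The caveat a practitioner should keep in mind is that the constraint lives in the root certificate itself: it only limits a CA if the copy in the client's trust store carries the extension and the client enforces it, so "restrict this CA to EU services" is something the root program and the verifier have to do together, not a property a user can assume from the CA's name.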

This isn't adding a few CAs so your browser trusts the tax website. This appears to be replacing all of them so the EU can see the contents of all traffic that is proxied in and out of the country. None of that seems likely to work for actual bad people.

If the root CA is installed in my browser then the government can MITM any connection at will.

The things that get me thinking are:

- for a CA that is a business (or a non-profit), trust is their product, and if Let's Encrypt fails at its job then clients can go elsewhere

- not sure but in EU I would assume they are going to install all member states' CA certificates into all browsers, so then EU member state government A can MITM a connection for a citizen of member state B

- even if a website has a certificate from any current provider, any EU government can still MITM a user without the company knowing

Also, as it's technically possible to combat the legislation then how much would it actually help, wouldn't any "criminal" pay attention to it too, e.g. by using an appropriate browser?

No, there's no need for your browser to accept particular CAs.

If some government sites want to use their CA that's one thing, but what matters to identify you is the key stored in your ID card.