The Council of the European Union this week adopted new language for regulations governing internet systems that may put the security of your browser at greater risk.
The new language affects the EU’s electronic identification, authentication and trust services (eIDAS) rules, which are supposed to enable secure online transactions across countries in the EU. It contained a range of updates that raised privacy concerns for EU citizens about the European Digital Identity Wallet, a government app for storing personal information like drivers’ licenses and bank cards and making electronic payments via smartphones.
But some of the updates also affect web security in ways that could reach beyond the EU, since other governments could choose to follow the EU’s example and adopt similarly flawed frameworks.
In a nutshell, the EU is mandating that browsers accept EU member state-issued Certificate Authorities (CAs) and not remove them even if they are unsafe. If you think this sounds bad, you’re right. Multiple times, EFF, along with other security experts and researchers, urged EU government regulators to reconsider the amended language that fails to provide a way for browsers to act on security incidents. There were several committees that supported amending the language, but the EU council went ahead and adopted this highly flawed language.
Before we jump into the details, here’s some background on safeguarding the web for users. Protecting users on the internet is hard. One remedy that we tried, but moved away from, was something called Extended Validation (EV) certificates. The theory was that these certificates would require the site to go through a strong background check, in the hope that this would make it easier for users to identify a legitimate site. Simply put, it didn’t work.
What has worked is focusing on wide adoption of HTTPS with Domain Validation (DV) certificates—often issued for free—so that you know you are communicating with the website you intend to reach. Browsers choose which CAs meet their security standards and store those in their “root stores,” which are curated to reject inferior or unsafe CAs. Here’s an in-depth explanation of how CAs work.
So it’s astonishing that, in a giant step backwards, the EU’s modified eIDAS language embraces the outdated EV framework. Article 45.2 of the rules not only enforces a framework based on EV certificates, it codifies into law mandated support for “qualified web authentication certificates” (QWACs) issued by designated Qualified Trust Service Providers (QTSPs), which is another name for EU member state CAs. QWACs are not free or easily automated like DV certificates.
On top of that, instead of being approved by browsers, the QTSPs are approved by EU regulation, and browsers are required to trust them—and not remove them—even if they don’t meet the security requirements of their root stores.
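The root-store mechanism described above is simple: a browser distrusts a CA by removing it from the store, and every certificate chaining to that CA stops validating. The following Go example, added here and not part of the EFF post or the eIDAS text, builds a constructed root CA standing in for a QTSP, issues a leaf certificate for the made-up host example.test, and shows the chain verifying while the CA is in the store and failing once it is removed, which is exactly the response Article 45.2 would forbid for QTSPs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl under parent (parent == tmpl for a self-signed root); this demo aborts on error.
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// buildChain creates a constructed root CA standing in for a QTSP (not a real CA) and a leaf for example.test.
func buildChain() (root, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // P-256 keygen from crypto/rand
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // does not fail in practice
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Demo QTSP Root (constructed)"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	root = issue(ca, ca, &caKey.PublicKey, caKey)
	site := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	return root, issue(site, root, &leafKey.PublicKey, caKey)
}

// trustedBy validates leaf for host against a root store holding exactly roots; no roots = distrusted CA.
func trustedBy(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

func main() {
	root, leaf := buildChain()
	println(trustedBy(leaf, "example.test", root), trustedBy(leaf, "example.test")) // true false
}
```

The second call models what a browser does today after a CA incident: the store no longer contains the root, so the otherwise well-formed chain is rejected without any change to the site or the CA.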
Today browsers can act iteratively as security issues arise. As we said above, security issues move fast and need immediate attention and action. Laws that impede action could make future incident response slow. The EU is not immune to members acting outside of the lines of democracy. So creating laws that make the internet more vulnerable to security threats is a problem that cannot be ignored.
Article 45.2 attempts to take away power from Big Tech companies like Google and Apple and give it back to individuals on the web through regulation, and enforce transparency about who owns what sites. But this outdated model will not help people avoid scams and malware across the internet.
As the current eIDAS adoption moves through the last legislative stages in the EU, we are calling out Article 45.2 because it makes web security harder to achieve and enforce, making the internet a less safe place for everyone.