eIDAS, European certificates could make communications insecure

Just as the scuttling of the Chat Control 2.0 bill seemed like a done deal, another threat looms on the horizon. Once again, everything starts from a bill presented in Europe, that Old Continent which “by definition” should protect the rights of individual citizens and their privacy. And, once again, it seems that the “brilliant idea” – included in the eIDAS proposal (see below) – came from someone who didn’t ask too many questions and, probably, lacks the necessary technical skills.

With the declared aim of countering the dominance on the Web of non-European services, considered “monopolistic”, the European Union is introducing a system that aims to encourage the activity of “homegrown” startups and offer consumers a wider range of choices.

As part of the eIDAS (Electronic IDentification And trust Services) program, which will introduce the European Digital Identity Wallet, a proposal has emerged (Articles 45 and 45a) which – if approved – could compromise the security and privacy of millions, if not billions, of people.

What Articles 45 and 45a of the eIDAS proposal contain

Some of the main companies providing tools for securing data transferred over the Internet have addressed an open letter to the members of the European Parliament and of the Council of the European Union to express their concern about the eIDAS legislative proposal, underlining the risk that some of its aspects could weaken security solutions widely used online.

Articles 45 and 45a of the eIDAS proposal in fact require all web browsers to recognize a new type of digital certificate for authenticating websites. In practice, browsers would have to recognize the Certificate Authority (CA) nominated by each Member State of the Union.

The organizations that signed the document underline that the root store lists managed by browsers and operating systems constitute the beating heart of Internet security. The recognized CAs included in these lists attest to the authenticity of the domain names used to “serve” websites, thereby contributing to the security of communications globally, including commerce, email, voice and video communications, messaging and the other modes of communication used by businesses.

What the root store is and why reckless modifications call for caution

The term root store refers to a key component of the cryptography-based security system, particularly as it concerns the security of Internet communications. The root store collects a set of digital certificates of trusted certificate authorities, known as “root authorities” or “root certificate authorities”, which come pre-installed in web browsers, operating systems and other applications that need to encrypt data.

The current system works, but it is delicate. The failure of any single certificate authority could compromise communications with any website or service. The resilience of this system depends on several interdependent systems working together. Therefore, any intervention on the system requires careful consideration and extensive consultation.

European certificate authorities appointed by Member States: what are the consequences?

The main concern is that Articles 45 and 45a of eIDAS will force browsers to recognize entities named by European Member States, even if they do not comply with the security standards defined by the CA/Browser Forum. Browsers will not be able to impose additional conditions on these certificate authorities, and all requirements will be established by the European Telecommunications Standards Institute (ETSI).

The certificate authorities listed by individual Member States will be recognized throughout the European Union: a mistake or deliberate action by one Member State could affect the citizens of all the other countries. Users and companies outside Europe may also choose to use a separate list of certificate authorities without the additional entries required within the EU. The result is a potential fragmentation of the Web, something we have always tried to avoid.

The concept of online trust, however, must not be the subject of a monopoly, a topic very dear to the legislator. At the same time, it is important that it rests on a standard mechanism, universally approved and shared.

Why the eIDAS solution could compromise security and introduce user surveillance

With Chat Control 2.0, the personal communications of any citizen could have been subject to inspection, even without a judge’s order and on a massive scale, that is, on every individual device of every European user.

The European management of “non-standard” certificates could lead to the introduction of a form of passive espionage. If the certificate authorities appointed by Member States have extensive powers or lack transparency, they could use the tools at their disposal to monitor and intercept user communications, compromising online privacy.

Not to mention the possible introduction of vulnerabilities through the spread of untrusted or compromised certificates. Cybercriminals everywhere would be grateful.

Mullvad, a well-known provider of VPN solutions, notes that the solution proposed in the eIDAS regulation effectively “intrudes” on the digital certificate process and will undermine the independence and security guarantees underlying website security:

  • A certificate contains the website’s identity and its public key, used for encryption and signing. It is approved by trusted organizations that undergo regular checks. This process allows browsers to verify that the site visited is authentic, that is, that it corresponds to who it claims to be. In this way “man-in-the-middle” attacks are avoided and an encrypted connection is established.
  • Articles 45 and 45a establish that web browsers must recognize a new form of certificate issued by any EU Member State, potentially compromising encryption and, above all, the reliability and general security of the Web.
  • The proposed scheme implies that the authorities could act as intermediaries on all traffic, decrypting the communications sent using the certificates in question.
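To make concrete both the root store mechanism described in the section above and the intermediary risk raised in the bullets just listed, here is an added example (not code from the article or from any of the organizations it quotes) that uses only Go’s standard library: it builds a constructed two-root PKI, then shows what a browser-style check returns for the site’s own certificate, for a certificate a second root issues for the same host name, and for that same certificate once the second root is added to the store. The CA names, the host example.com and the helper names are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert builds a P-256 cert (constructed PKI, demo only): a self-signed root if parent is nil, else a leaf for host name.
func newCert(name string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: ca,
	}
	if !ca {
		tmpl.DNSNames = []string{name} // the SAN a browser matches against the URL's host
	}
	if parent == nil { // self-signed: nothing vouches for this cert except its presence in a root store
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trusted mirrors the browser check: does leaf chain to a root in store and name host?
func trusted(store *x509.CertPool, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}
// runScenario reports whether the site's genuine cert is trusted, then whether a second root's cert for the same host is trusted before and after that root is added to the store.
func runScenario() (genuine, beforeAdd, afterAdd bool) {
	publicRoot, publicKey := newCert("Public Root CA (constructed)", true, nil, nil)
	extraRoot, extraKey := newCert("Mandated Root CA (constructed)", true, nil, nil)
	store := x509.NewCertPool()
	store.AddCert(publicRoot)
	siteCert, _ := newCert("example.com", false, publicRoot, publicKey)
	genuine = trusted(store, siteCert, "example.com")
	other, _ := newCert("example.com", false, extraRoot, extraKey) // issued without the site's involvement
	beforeAdd = trusted(store, other, "example.com")
	store.AddCert(extraRoot) // the only change a mandated root store entry makes
	afterAdd = trusted(store, other, "example.com")
	return genuine, beforeAdd, afterAdd
}
```

Nothing in the second certificate distinguishes it from the genuine one once its root is in the store, which is why the signatories of the letter treat the contents of that store, and the conditions for entering it, as the actual security decision.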

Who are the signatories of the letter and what are QWAC certificates?

The open letter addressed to the European Parliament and Council is signed by names such as Bytecode Alliance, Cloudflare, DNS0.EU, Fastly, Internet Security Research Group, Linux Foundation, Mozilla, Mullvad, OpenSSF and Sigstore.

The Security Risk Ahead site, developed by Mozilla, summarizes the risks of the new regulation and explains QWAC certificates (Qualified Web Authentication Certificates), a type of digital certificate used under European legislation on electronic signatures and online identification.

Mozilla describes QWAC certificates as objects that provide a lower level of protection. Browsers, for example, would be required to support the vendors that issue them without independently verifying their security practices. This means that QWAC certificates could appear secure even if they had been compromised in some way.
