EU’s ‘dangerous’ web authentication scheme threatens to undermine browser-based certification scheme, critics say
Signatories of letter criticizing EU regime share apprehensions with The Daily Swig
An EU proposal to force browsers to accept web certificates issued under an EU-created scheme risks “disrupting a carefully curated set of rules and technologies that underpin almost all online privacy and security”, according to a leading cybersecurity expert.
Internet Society Distinguished Technologist Joseph Lorenzo Hall is one of 38 signatories to an open letter addressed to the European Parliament that criticizes the proposal.
Other signatories include academics, security engineers and security researchers in the US, Canada, UK, France and Germany.
Published on March 3, the missive urged European lawmakers to reject a proposed amendment to the eIDAS – or Electronic Identification, Authentication, and Trust Services – regulation adopted in 2014 to facilitate the emergence of a European internal market for trust services.
eIDAS mandated the creation of Qualified Website Authentication Certificates (QWACs), which are meant to guarantee the claimed identity of a website. The program aims to protect users from malicious domains posing as legitimate platforms, and thereby from malware, surveillance, identity theft, and financial crime.
However, critics point out that QWACs attempt to solve a problem already solved by an existing system, and do so less effectively. So far, QWACs have failed to gain traction in the web ecosystem “due to flaws in its technical implementation model,” the open letter states.
Worse still, by requiring web browsers to recognize the authority of QWACs, a controversial European Commission proposal would circumvent the proven security protections offered by existing mechanisms.
Currently, valid website certificates are issued by more than 100 certificate authorities (CAs), whose suitability for this critical gatekeeping role is approved by the major browser vendors.
Websites that use HTTPS, in which TLS encrypts and protects communications with the site, are marked as secure by a padlock icon in the browser’s address bar.
Google (developer of Chrome), Mozilla (Firefox), Microsoft (Edge and IE), and Apple (Safari) all run “root programs” that validate certificate authorities’ compliance with issuance practices. CAs that do not meet the required standards can be removed from the root store.
In contrast, QWACs are issued by “trusted service providers” (TSPs) that are trusted, not by browsers, but by the governments of EU member states.
This prompted Firefox CTO Eric Rescorla to warn that the EU scheme may embolden repressive regimes that have already tried and failed to “enhance their surveillance capabilities by forcing browsers to automatically trust their certificate authorities”.
By forcing browser developers to include TSPs in their root programs, many security experts believe the EU is unnecessarily undermining a system deftly run by technically competent experts.
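To make the root-program point concrete, the following is an added example (written for this edit, not code from the article or from any browser vendor) that models a browser trust store with the openssl command-line tool. The hostname example.test and the two root names are constructed for the demo; the only thing it assumes is an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example, not from the article: a toy "root program" built with the
# openssl CLI. A site certificate validates only if the root that signed it is
# in the verifier's trust store, which is why forcing an extra root into
# browsers changes who can issue certificates that users' browsers accept.
# All names (example.test, the two root CNs) are constructed for this demo.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Two self-signed roots: one admitted by the (hypothetical) browser root
# program, one that was not.
openssl req -x509 -newkey rsa:2048 -nodes -keyout admitted.key -out admitted.pem \
  -subj "/CN=Browser-Admitted Root" -days 30 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout mandated.key -out mandated.pem \
  -subj "/CN=Mandated Root" -days 30 2>/dev/null

# A leaf certificate for example.test, signed by the root the browser did not admit.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA mandated.pem -CAkey mandated.key \
  -CAcreateserial -out leaf.pem -days 30 2>/dev/null

# verify_leaf STORE -> "trusted" if leaf.pem chains to a root in STORE, else "untrusted".
# Matching the ": OK" line is portable across openssl versions whose exit codes differ.
verify_leaf() {
  if openssl verify -CAfile "$1" leaf.pem 2>/dev/null | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# Store as curated by the root program: the leaf chains to nothing trusted.
BEFORE="$(verify_leaf admitted.pem)"

# Store after the extra root is forced in: the very same leaf now validates.
cat admitted.pem mandated.pem > forced_store.pem
AFTER="$(verify_leaf forced_store.pem)"

echo "before mandate: $BEFORE, after mandate: $AFTER"
```

Nothing about the leaf changed between the two checks; only the contents of the trust store did, which is the lever the proposal would take out of the root programs’ hands.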
“Simply put, current browser vendors have significant experience with certificate verification,” Dr. Lukasz Olejnik, independent security researcher and consultant and co-signer of the open letter, told The Daily Swig.
The impact assessment for the proposed regulation, he added, does not explain how EU policymakers could match that expertise.
The open letter from the security experts says the proposal “signals a dangerous trend in cybersecurity policy.” It continues:
In the area of cybersecurity in particular, where threats are constantly evolving and where real-time operational responses are essential, regulatory frameworks should not have the effect of preventing publishers from taking security measures in the interest of their users.
“The system is not broken”
The fact that hundreds of millions of users regularly submit payment card details online, often to websites with which they are unfamiliar, no doubt attests to the success of the current system in engendering trust in the web.
Critics believe the EU proposal could undermine that hard-earned trust by increasing the risk of certificates being unwittingly issued to cybercriminals.
“I think we can all understand wanting to have nationally controlled roots of trust and there’s nothing stopping the EU from doing that, and I hope to do that,” the Internet Society’s Joseph Lorenzo Hall told The Daily Swig.
“However, these ‘root programs’ that store keys to various aspects of the Internet and the Web are balanced ecosystems where incentives, evolution, auditability and accountability are designed for the sole purpose of protecting and securing billions of transactions and communications every day.
“This is a case where the system is not broken, but changing it to do what the EU wants here is bound to break it.”
Mozilla, the organization behind the Firefox browser, voiced its own reservations in response to an open consultation on the plans in 2020.
Among other things, the organization said that “the decision to cryptographically bind a QWAC to a TLS connection or certificate” would violate eIDAS’s professed principles of prioritizing authentication, interoperability, and technology neutrality.
It also said that Firefox’s technical and policy requirements “are more transparent, have stricter auditing requirements, and allow for better public oversight compared to what eIDAS requires from TSPs.”
Nevertheless, in June 2021, the European Commission proposed to make the recognition of QWACs mandatory under a new digital identity framework for eIDAS.
The path to follow
Dr. Olejnik suspects EU policymakers want to be seen as doing “something” when it comes to web security. “So they did exactly that – they did something,” he said. “I imagine that psychologically it is also very difficult to backtrack on proposals where you are organizationally invested. It works the same way in corporate environments.”
Hall, however, remains hopeful that common sense will eventually prevail.
“We hope that EU policy makers now understand that imposing these certificates on the existing landscape not only risks failing, as these certificates are unlikely to be of much use, but it also risks completely upsetting a carefully curated set of rules and technologies that underpin almost all online privacy and security,” he said.
Dr. Thyla van der Merwe, another co-signer of the open letter and managing director of the Laboratory for Computing of the Future at ETH Zurich in Switzerland, told The Daily Swig: “Browser vendors have a lot of experience with online user security, and verifying digital certificates is an important piece of that puzzle.
“Ideally, the EC should work with browser vendors to find a solution that allows browser policies to remain in place while meeting the objectives of the EU Digital Identity Framework.”
The EU press office did not respond to a request for comment from The Daily Swig.