EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…
Great and in 2 -3 years we find out, that someone has actively abused this security hole for years and stole whatever master key is required, to create their own fake government CA and has been spying on everyone for years. Or political opposition was imprisoned before they could act. Best is, such man in the middle attacks allow for all sorts of things, including putting fake evidence on your computer.
Oh yes, no one would ever do that every, totally never happened and won’t. Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too? And will dictate rules in the EU? No one could see that happening…
Where there’s honey, there will be bears.
I just hope we can create a browser plugin to deny gov CAs automatically or a browser from outside EU to block that shit. …until your ISP is forced by law to block traffic from these.
One step closer to a great EU firewall and it sucks. Good old salami tactics. Because at some point it doesn’t even matter if there are ways to mitigate this spying, if the alternative are so complicated and uncomfortable to use, that 99,999% of the people won’t bother.
Commercial CAs are not that better either
Companies always have a name and money to lose and are a hurdle for overreaching hands. The government has no reputation nor money to lose and a simple agreement opens all doors if it’s already government owned. A big difference to me personally.
The government should only ever own things that would fail or be worse, if in public hands. Like infrastructure for instance.
Absolutely don’t agree that companies are more trustworthy than governments.
My guess is that you have an awful government in your home country, but not here. And yes that could change, but they are at least voteable.
Companies are NEVER your friend.
Companies are ALWAYS your friend. The government - not so much.
Please tell me how Philip Morris and other big tobacco is my friend.
https://www.cbsnews.com/news/big-tobacco-kept-cancer-risk-in-cigarettes-secret-study/
Companies always have a name and money to lose and are a hurdle for overreaching hands.
Doesn’t work.
Government too have name, money and people to loose.
The government has no reputation nor money
Ok, in some sense they do not have money, but they definetly have reputation.
Can someone tldr about the issue? I’m dumb?
Me too. This video helped a lot: https://www.youtube.com/watch?v=T4Df5_cojAs
What a fucking nightmare. And I thought the US was bad about trying to encroach more on privacy.
deleted by creator
There’s literally zero reason for this that isn’t shady.
deleted by creator
Such as?
deleted by creator
Yeah that argument holds zero water. Forcing browsers to trust these roots means not only pre-trusting them, but disallowing removal of trust. This is completely intended for surveillance purposes.
deleted by creator
Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).
Surely they can’t force say US browser companies to do this to browsers downloaded from the USA?
Seems great, if they achieve the same security standards as a private company I don’t see why we cannot have public CAs.
And how long will it take for intelligence agencies to start issuing fake but trusted certificates for surveillance?
They don’t already?
They do.
Yes, private companies are invulnerable to this ploy
They already do it.
Just a heads up: new wording has killed this.
Fuck the EU. Fuck ruining my built in phone batteries too.
