aral,
@aral@mastodon.ar.al avatar

🚨 Another EU mass surveillance attempt. Will kill privacy on web. Must not pass. 🚨

“[A]ll web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.”

https://last-chance-for-eidas.org

rmanos,

@aral I am not an expert on this stuff.
But let's say it passes.
Can a website create an encrypted communication through a JS client using asymmetric cryptography?

aral,
@aral@mastodon.ar.al avatar

@rmanos There’s always stuff that can be done as workarounds, etc., but the issue is that 99.99999% of people will be affected by whatever is the default.

emaksovalec,

@aral we are just 10 years behind oriental despots https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack

lispi314,

@aral So they really want to accelerate everyone dropping PKI as the complete untrustworthy turd it is, don't they?

AngelaScholder,
@AngelaScholder@mastodon.energy avatar

@aral Yes, brilliant move by the EU...... Control the Certificate Authorities, so they can install fake certificates wherever they want to do a mostly undetectable (only certificate change notifications) man-in-the-middle attack to snoop on all traffic they want to.....

jasper,
@jasper@mastodon.nl avatar

@aral for such a goodie EU government and governments they sure like to support genocide and authoritarian panopticon.

quincy,
@quincy@chaos.social avatar

@aral

this can't pass. and it must never be obeyed.

nektworks,

@aral Interesting. I thought eIDAS was mainly about standardizing electronic identification and signatures. Didn’t know about this part.

ksx4system,

@aral ah yes, classic EU :) this is new generation socialism and/or communism but this time much stricter than what Lenin or Stalin had in mind

stephengentle,

@aral Could malicious compliance be an option if this goes through? Like the page loads, but a big banner is displayed in the browser informing the user that an unsafe CA is being used which probably means that the web use is being directly surveilled?
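One way to implement the kind of "certificate change notification" raised in this thread, as an added Python example (not code from any participant): a trust-on-first-use check that remembers which issuing CA a host normally chains to and flags a switch to a different CA. The pin store format, the two certificate dictionaries and the "Placeholder" CA names are all constructed for the example.

```python
from typing import Dict, Tuple

# Certificate metadata in the shape returned by ssl.SSLSocket.getpeercert():
# 'issuer' and 'subject' are tuples of RDNs, each RDN a tuple of (attribute, value) pairs.
PeerCert = Dict[str, object]

def rdn_to_string(rdns) -> str:
    """Flatten a getpeercert()-style name into a stable 'C=..,O=..,CN=..' string."""
    short = {"countryName": "C", "organizationName": "O", "commonName": "CN",
             "organizationalUnitName": "OU", "stateOrProvinceName": "ST", "localityName": "L"}
    parts = []
    for rdn in rdns:
        for attr, value in rdn:
            parts.append(f"{short.get(attr, attr)}={value}")
    return ",".join(parts)

def check_issuer(pins: Dict[str, str], host: str, cert: PeerCert) -> Tuple[str, str]:
    """Trust-on-first-use issuer pinning (constructed pin store: host -> issuer DN).
    Returns (verdict, issuer) where verdict is one of:
      'first_seen'     - no pin yet; the issuer is recorded for future comparison
      'ok'             - issuer matches the pinned one
      'issuer_changed' - issuer differs from the pin: surface a warning to the user
    A CA the client has been made to trust can issue a chain-valid certificate for
    any name, so chain validation alone never complains; comparing against what
    this client previously saw for the host is what makes the change visible."""
    issuer = rdn_to_string(cert["issuer"])
    pinned = pins.get(host)
    if pinned is None:
        pins[host] = issuer
        return "first_seen", issuer
    if pinned == issuer:
        return "ok", issuer
    return "issuer_changed", issuer

# Constructed sample data: the certificate a site normally serves, then one for the
# same name chaining to a different root that the browser has been told to trust.
CERT_USUAL = {"subject": ((("commonName", "example.org"),),),
              "issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),),
                         (("commonName", "Example Public CA R1"),))}
CERT_OTHER = {"subject": ((("commonName", "example.org"),),),
              "issuer": ((("countryName", "XX"),), (("organizationName", "Placeholder Trust Services"),),
                         (("commonName", "Placeholder National Root CA"),))}

def demo() -> list:
    """Run the three-connection sequence: first visit, repeat visit, then a CA switch."""
    pins: Dict[str, str] = {}
    return [check_issuer(pins, "example.org", c)[0] for c in (CERT_USUAL, CERT_USUAL, CERT_OTHER)]

if __name__ == "__main__":
    print(demo())  # ['first_seen', 'ok', 'issuer_changed']
```

A legitimate move to a new CA at renewal time trips the same check, so this is a notification to the user, not a hard block, which is exactly why the thread calls it "only certificate change notifications".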

aral,
@aral@mastodon.ar.al avatar

@stephengentle No idea. Given malicious compliance is what companies like Google, etc., have been undertaking with GDPR/cookie notices/right to be forgotten, I don’t see why not. (Then again, things have a way of being implemented differently whenever “national security” enters into the picture… Here’s hoping we don’t have to find out.)

c3manu,
@c3manu@chaos.social avatar

@aral "How to radicalize hackers and power users 101"

gnoll110,
@gnoll110@ruby.social avatar

@aral

If you keep giving the police what they ask for, you end up with a police state.

brawaru,
@brawaru@mstdn.social avatar

@aral oh ffs europe

forteller,
@forteller@tutoteket.no avatar

@aral Jesus Christ! What is going on in the EU these days!?

Dcypher,
@Dcypher@twit.social avatar

@aral Time for Civil disobedience! 😡

gwenn,

@aral
Wouldn't it be possible to delete these CA certificates? What if my company deletes all CA certificates except those they trust? Hopefully this law will not pass. Anyway, we need bugfixes for any browser, clients etc.

aral,
@aral@mastodon.ar.al avatar

@gwenn Not lawful for browser vendors to do so if this law passes.

opendna,

@aral Uh, no. This is some weird tinfoil hat nonsense. eIDAS isn't Clipper Chip, it's PKI.

This regulation would require that browsers recognize the certificates of EU government-issued IDs.

It would allow me to use the same hardware token ID I use to file taxes and customs papers to verify my ID with banks, EU agencies, and other governments. It would allow us to use our IDs to sign PDFs, and widely enable passport verification.

aral,
@aral@mastodon.ar.al avatar

@opendna Yep, we’re all tinfoil hat conspiracy theorists here, you really figured us out. Everyone at Mozilla too. They’re the worst! That’s why Google pays them half a billion dollars a year. Because – you guessed it (damn, you’re good) – Google are tinfoil hat conspiracy theorists too! Don’t let their trillion-dollar adtech business fool you, it’s tin foil hat all the way down. Ever wonder why you never see the inside of their propeller hats?… Now you know.

Viktor Orbán approves this message.

lispi314,

@opendna @aral Do you understand what PKI authorities do and their role in TLS interception?

If the answer to that is no, you might want to cease making a fool of yourself and read up on it first.

No one gives a shit about the keys to be trusted. The problem is the means to achieve that which are also concerned by the same legislation: the certificate authorities.

If you have a compromised root PKI certauth? You own the TLS net. That's it. You can eavesdrop and interfere with everything.

opendna,

@lispi314 @aral I do understand what PKI authorities do. I also understand what eIDAS is, the precursor programs, and the real world risks of document security. I was very good at catching counterfeits before they were digital, and honestly, I'm probably one of the last.

I also understand that neither security agencies nor tyrants ask for permission, so worrying about whether Hungary might get a third CA in the future is many years too late. China has 17 CAs which can do what you fear.

opendna,

@lispi314 @aral And I will just add that if you want to claim that EU governments are more lax with the security of CAs that they use to issue national IDs and passports than the hundreds of unknown commercial CAs which issue SSL certificates for 9.99 plus VAT, reconsider whether that makes any sense.

lispi314,

@opendna @aral That is another part of the "PKI is fundamentally broken" deal, indeed.

Corposcum cannot be trusted either and their neglect (and perverse incentives in many/most cases) have already been well-documented.

opendna,

@lispi314 @aral I think "PKI is broken" is a reasonable position. But "PKI is broken therefore we must use SMS 2FA and Google Authenticator" is not.

Browsers distributing eIDAS CAs means every EU citizen will have a hardware 2FA token. That's not perfect, but it's definitely an improvement.

franko,

@aral I don't think corporate certificate authorities are any better than government ones. The technology itself is questionable.

ztimus, (edited)

@aral it's all coming together , the WEF psychopaths are really on fire, but Trudeau and the PM of New Zealand is topping it all, the best WEF servants EVER

finlaydag33k,

@aral Iirc, Iran does the same as well and The Netherlands has been doing so for a while as well.

vfrmedia,
@vfrmedia@social.tchncs.de avatar

@finlaydag33k @aral

I remember reading quite a few years back about how the Dutch Communications Ministry Agentschap Telecom (now the Rijksinspectie voor Digitale Infrastructuur) had started introducing this - (with surprisingly little comment about it across Europe)

aral,
@aral@mastodon.ar.al avatar

@vfrmedia @finlaydag33k The Netherlands is scary in just how much Orwellian legislation/processes they can introduce without anyone batting an eyelid. They embraced body scanners by default at the airports*. They’re also going cash-free at an alarming rate. And few folks seem to be worried.

(An uncomfortable eye opener for me was when I was processed by G4S at one end of my trip and by G4S at the other while traveling to the Netherlands from possibly the UK once.)

vfrmedia,
@vfrmedia@social.tchncs.de avatar

@aral @finlaydag33k NL and UK are neighbours and have worked very closely together on surveillance/cop/military tech for decades, alongside East and South East Asian countries as part of the wider electronics industry - it's been a thing since the 1970s.. (it was Philips which initially made CCTV cameras small enough and affordable that they could be deployed just about everywhere)

finlaydag33k,

@aral Yea, I still pay a bunch in cash but indeed it's getting harder and harder to do so.
Places where you can put cash into your bank account are also becoming increasingly rare.

@vfrmedia

aral,
@aral@mastodon.ar.al avatar

@finlaydag33k @vfrmedia There’s a reason in the prequel to The Handmaid’s Tale, one of the first things a fledgling Gilead does is to freeze the bank accounts of women – rendering them financially dependent on men from one day to the next.

vfrmedia,
@vfrmedia@social.tchncs.de avatar

@aral @finlaydag33k I can understand Dutch to about the level of a teenager/youth, and around 2012-4 read a lot of forums that young people in NL hung out on, and even on "alternative" subcultures like the electronic dance music scene I noticed a whole load of toxic attitudes about gender and race from young Dutch men (and these men will now be in their 30s and 40s, and possibly in positions of power) - and it's the same problem here in the UK

thinkberg,

Something for @khaleesicodes

mariusor,
@mariusor@metalhead.club avatar

@aral sometimes I wonder who are the technical people advising the minds that come up with this stuff and why are they so ineffective.

For privacy minded users, there's a whole distribution chain that can remove said certificates from the browser. There's no world in which the existence of the certificates can be guaranteed on a "target"'s computer so that it would be effective against whatever the hell they imagine it to be effective against. Sigh.

Natanox,
@Natanox@chaos.social avatar

@mariusor @aral Those advisors may be good, but when they're confronted with the ignorance and stubbornness of some politicians who only hear what they want to hear there's little they can do. Those politicians will always come up with garbage ideas as they didn't fully listen to the experts to the very end.

lispi314,

@mariusor @aral It's well-considered enough it isn't stupidity, it's malice.

Such users may also become targets in other ways, if their fast move to authoritarian surveillance goes as intended.

mariusor,
@mariusor@metalhead.club avatar

@lispi314 so much certainty for such an amorphous group of people. I doubt you know what you're talking about.

@aral

lispi314,

@mariusor @aral Abetting authoritarianism in self-delusion and rationalization of one's misdeeds isn't meaningfully differentiable from malice, and that's the only real alternative left.

lennybacon,

deleted_by_author

  • mariusor,
    @mariusor@metalhead.club avatar

    @lennybacon I'm not sure on what you base your information on, you might even be right, I haven't been around politicians in the EU Commission.

    But I know for sure that in the EU Parliament each MP has assistants who do the research/consult with technical people for various topics. There are companies that earn pretty well from this kind of work. It's them I was thinking of.

    @aral

    mariusor,
    @mariusor@metalhead.club avatar

    @lennybacon you can actually visit Ms. Jerković's (heh, nominal determinism) page on the commission page and see her full list of assistants and contracted people. They might not be the tech heads themselves, but they are there.

    @aral

    lennybacon,

    deleted_by_author

  • mariusor,
    @mariusor@metalhead.club avatar

    @lennybacon whatever man, you're splitting hairs.

    My point was that there are people that present themselves as "specialists" on a given topic and provide their input on the suitability of a piece of legislature. The fact that they are incompetent, or bought for does not detract from my initial statement: what the fuck are they doing? Where is their deontological and ethical integrity?

    @aral @edri @noybeu @khaleesicodes
