• TCB13@lemmy.world · 1 year ago

    This is a shit show. People complain a lot about the UK breaking encryption and meanwhile the EU is doing the same, at a higher level without people even noticing.

    Here's the TL;DR for anyone unfamiliar with the subject: eIDAS includes a lot of useful stuff but also requires browsers to include CAs designed by member states. Including a CA means that entity can issue SSL certificates that will be accepted / valid on those browsers > this means the countries controlling those CAs can simply argue “national security” and have those CAs issue SSL certificates for ANY domain they would like and then use them to launch a man-in-the-middle attack against anyone they would like to. :)

      • TCB13@lemmy.world · 1 year ago

        The proposed legislation says that browsers “can’t do additional validations on the certificates from the CA” (more or less this wording), meaning a simple CAA DNS check from a browser would be against said legislation.
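        The CAA check mentioned in the comment above, as an added illustration that is not part of the thread: an offline model of the RFC 8659 issuance check, deciding whether a certificate's issuing CA is one the domain owner authorised. The zone data and the CA name `state-ca.example` are constructed sample values, not real records.

```python
"""Offline RFC 8659 CAA check: is CA `ca_domain` authorised to issue for `name`?
The zone below is constructed sample data; no DNS is queried."""
from dataclasses import dataclass

@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (0x80) = issuer-critical
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "issuer-domain[; params]" or ";" meaning "no CA may issue"

# Constructed zone: only example.com carries CAA; sub.example.com inherits it.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),          # no wildcard certs at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
}

def relevant_caa_set(name: str, zone=ZONE) -> list[CAARecord]:
    """Climb towards the root until a label with CAA records is found (RFC 8659 s.3)."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in zone:
            return zone[parent]
    return []

def _issuer_domain(value: str) -> str:
    # Strip optional "; key=value" parameters; an empty issuer means "nobody".
    return value.split(";", 1)[0].strip().lower()

def caa_permits(name: str, ca_domain: str, zone=ZONE) -> bool:
    """True if CAA allows `ca_domain` to issue for `name` (wildcards included)."""
    records = relevant_caa_set(name, zone)
    if not records:
        return True                     # no CAA anywhere in the tree: unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & 0x80 and r.tag not in known for r in records):
        return False                    # critical property we do not understand
    wildcard = name.startswith("*.")
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    allowed = {_issuer_domain(r.value) for r in records if r.tag == tag}
    if not allowed:
        return True                     # no issue/issuewild property: unrestricted
    return bool(ca_domain) and ca_domain.lower() in allowed

if __name__ == "__main__":
    # A cert for example.com from a CA not listed in CAA would fail this check.
    print(caa_permits("example.com", "state-ca.example"))
```

        A browser or monitoring tool applying this check would flag a certificate for `example.com` issued by any CA other than the one the zone names, which is exactly the kind of extra validation the quoted wording would rule out.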

        • SheeEttin@lemmy.world · 1 year ago

          Does a “warning, cert issued by a government agency” count as additional validation?

          Or maybe everyone is going to use cert pinning now. Or Firefox is going to stop trusting all CAs and make you verify each CA yourself. Which is a terrible idea for the average user.

          • TCB13@lemmy.world · 1 year ago

            > Does a “warning, cert issued by a government agency” count as additional validation?

            From what I gather they can’t do that either.

            > Or maybe everyone is going to use cert pinning now.

            Same as above. This would be effectively “additional validations on the certificates”.

            > Or Firefox is going to stop trusting all CAs and make you verify each CA yourself. Which is a terrible idea for the average user.

            Would be legal but annoying. Bet they would legislate to force their CAs / be exempt from that user verification.