A group of 38 cybersecurity professors and IT experts from around the world, along with the Electronic Frontier Foundation (EFF), have co-signed a letter to EU regulators warning against a proposal that could expose internet users to cybercrime.
Specifically, the experts highlight problems with the proposed amendment to Article 45 of the regulation establishing a framework for a European digital identity.
The provision in question requires web browsers such as Chrome, Safari, and Firefox to accept QWACs (Qualified Website Authentication Certificates), which in practice forces browser developers and security advocates to weaken their security stance.
Website TLS certificates
Websites that use TLS certificates provide security guarantees by encrypting communication between a user’s computer and the server hosting the site and, in many cases, by proving the identity of the site’s owner.
A valid certificate is signalled by a padlock in the address bar and a URL that begins with “https://” instead of “http://”.
These certificates are signed by a trusted certificate authority that has verified the identity of the organization behind the domain, and they carry an expiration date after which the owner must obtain a new one.
TLS certificates are essential whenever sensitive information such as passwords, confidential downloads or payment details is exchanged with a website.
Without them, any bad actor could spoof a website and pose as whatever organization suits their aim of exploiting internet users.
A risky proposition
As part of the Article 45 amendment, EU lawmakers want to force browsers to accept QWACs in order to improve web authentication and create a more streamlined system for GDPR compliance, owner information and guarantees for data transactions.
QWACs combine TLS and electronic ID into a single certificate, tying the identity to the TLS deployment, theoretically creating a transparent and technology-neutral system.
Although the intentions of the lawmakers are sincere, their lack of technical understanding renders the proposal ill-conceived, according to the EFF and also Mozilla, which has previously raised the following four points against the adoption of QWACs:
- The cryptographic binding of a QWAC to a TLS connection or certificate will violate the provisions of the eIDAS regulation, relating to site authentication, technological neutrality and interoperability.
- Tying TLS to QWACs limits technology neutrality and interoperability in the EU digital market and harms the ability of EU entities to compete in the global economy.
- Third-party services responsible for managing validation procedures may access users’ browsing activity, or track and profile users, without any monitoring.
- Automatic inclusion of designated validation service providers in the much stricter root CA store would amount to risky forced whitelisting by government order.
The letter sent to Members of the European Parliament warns of technical flaws in the implementation of QWACs, which are the very reason they have not seen mass adoption since 2014, when the new website authentication system was first introduced.
“The Digital Identity Framework requires browsers to accept QWACs issued by trust service providers, regardless of the security features of the certificates or the policies that govern their issuance,” reads the letter sent to EU regulators.
“This legislative approach introduces significant weaknesses in the global, multi-stakeholder ecosystem for securing web browsing, and will significantly increase cybersecurity risks for web users.”
“The political approach with the revised Article 45 signals a dangerous trend in cybersecurity policy. This forces private actors to relinquish their duty to those who use their products and services, assuming that because government-appointed certificate authorities are subject to government security standards, they cannot pose any cybersecurity risk.”
The proposed mandate forces vendors to accept technology that they deem insecure and that has fundamental privacy issues, which goes against established security standards and makes it nearly impossible to respond quickly to changing threats.
Concerns about QWAC are detailed in a Twitter thread from Google’s Ryan Sleevi.
You see, browser/OS vendors haven’t adopted QWACs, mainly because CAs insist that they can only be TLS certificates, while browsers have pointed out that this makes no technical sense for the purposes (and makes the whole web less secure! More here https://t.co/Ic9RBJ57W0 )
— Ryan Sleevi (@sleevi_) June 9, 2021
The biggest concern is that malicious actors could impersonate legitimate websites to intercept data in transit, which could lead to financial crimes and cases of identity theft.
Attack cases involving impersonated e-commerce or e-government portals could pave the way for massive data breaches that would take advantage of security loopholes introduced by the new legislation.
Mozilla also opposed this proposal in a consultation submission sent to the European Commission in October 2020, explaining in detail the risks of QWACs.
The feedback period for this proposal ended in September 2021, so the letter sent by cybersecurity experts today is a last-ditch effort to convince EU lawmakers that they need to amend their proposal accordingly.