Cyber experts urge EU to reject web proposal that could impact security

A proposed amendment to eIDAS would force browsers like Google Chrome to trust government-designated third parties - without the requisite security guarantees


A proposed amendment to Article 45 in eIDAS would have a significant, negative impact on web users' security

Leading cyber security experts, advocates and practitioners have urged EU lawmakers not to implement proposed changes for securing online transactions, which they say could jeopardise internet users' security and privacy.

In a letter to Members of the European Parliament on 3rd March, the Electronic Frontier Foundation (EFF) and others recommended that lawmakers reject a proposed amendment to Article 45 in the EU's Digital Identity Framework (eIDAS). The amendment would require browsers to accept faulty website certificates, which could bypass the security measures modern browsers use to prevent cyber criminals from intercepting and stealing users' data.

Among the signatories are Alexis Hancock, EFF director of engineering; David Awad, faculty instructional associate of computer science at Georgia Tech; Andrew Ayer of SSLMate; and other security experts from Canada, France, Germany, Belgium, Taiwan, the UK and the USA.

The signatories argue that the proposed amendment to Article 45 would have significant, negative security consequences for millions of web users.

It would force browsers like Google Chrome, Firefox and Safari to trust government-designated third parties without the requisite security guarantees.

Browsers would be required to accept Qualified Website Authentication Certificates (QWACs), a type of EU website certificate that has previously been shown to be ineffective at protecting users, due to implementation issues.

QWACs follow the same standards as Extended Validation (EV) certificates. Both are digital certificates issued to domain owners with an additional step that verifies the domain owner's identity, but acting on that identity information is left entirely to the user. This approach has been shown to be ineffective in the past.

Trusting a third party that turns out to be irresponsible or insecure could result in users' privacy being jeopardised, personal or financial information being leaked, or users being targeted with malware.

The EFF says requiring browsers to trust certificates issued by EU government-mandated Certificate Authorities (CAs) could impact users beyond the EU, as well. The approach would likely force the incorporation of a security-hindering feature into the internet experiences of users both inside and outside the European Union.

The letter's signatories say that the amendment to Article 45, if implemented, will undo the security gains that people have worked to achieve over the last decade. It should therefore be withdrawn, and instead CAs should be pushed to satisfy security, transparency and incident response criteria.