Estonian Free Press

Internet leaders’ concern over revised article on web authentication

April 8, 2022 | 4 Mins Read | Cybersecurity

12 leaders in the web community sent a letter to MEPs and representatives of the EU Council to express their security concerns over the revised Article 45 of the e-ID Draft Legislative Proposal. 

The European Commission’s legislative proposal to amend the Electronic Identification, Authentication and Trust Services (eIDAS) regulation, which dates back to 2014 and aims to secure cross-border transactions, is facing pushback from the web community – particularly regarding Article 45.

The legal inclusion of selected European companies, so-called “Certificate Authorities”, in web browsers’ root programs poses serious threats and weaknesses to web security, the undersigned argue. 

Under the revised Article 45, browsers would be forced to accept a system of Qualified Web Authentication Certificates (QWACs) from Certificate Authorities (CAs), irrespective of whether they met the browser’s security standards. 

“Unfortunately, this technical requirement is problematic as security teams must respond at the speed of evolving cybersecurity threats and incidents, and not be stifled by a legislative provision that would hamper such a timely response,” the letter, sent on Wednesday (6 April), reads.

The letter was signed by high-level internet players such as Vint Cerf, internet pioneer and former chairman of ICANN, and Andrew Sullivan, president and CEO of the Internet Society. 

Web authentication 

Web authentication is the technical mechanism that ensures that users are visiting the website they want to visit and are not directed to entities masquerading as that website. 

In order to do so, users are given a certificate that confirms they are visiting the website they intended to visit. CAs are third parties, appointed by EU governments, that issue such certificates to the websites.  

“So it’s a very powerful tool, because if it issues that certificate incorrectly, it means that a malicious party can masquerade as the website that you’re trying to visit,” Marshall Erwin, Head of Trust Intelligence Specialist at Mozilla, told EURACTIV.

Thus, CAs have to be trusted and run well. 

The problem with QWACs

The critical issue under the draft legislation regards how and under which security standards such certificates should be given. The proposal would enable CAs issuing certain types of certificates, namely QWACs, to be recognised by the browsers, irrespective of the security standards they apply.

The idea of QWACs was established by law in 2014. They ensure that certificates would include further information, not just about the domain one is visiting, but also about the legal entity behind it. 

According to various sources, including the Electronic Frontier Foundation, requiring QWACs is problematic because they have been “debunked as an effective way to convey security to users”. 

So far, browsers first make sure that CAs satisfy their standards, explained Erwin. However, the idea behind the current proposal is that “this would create a parallel process in which individual states would decide based on an unspecified set of standards,” he said. And Mozilla, for instance, would have to accept this CA.

A dangerous precedent

“Essentially, these are government-mandated Certificate Authorities that we would have to recognise,” said Erwin.

This EU legislation could set a dangerous precedent elsewhere. “I think our biggest concern is that other, repressive regimes or other major powers would follow and essentially take the same approach,” Erwin said. 

For example, governments such as the United Arab Emirates or Kazakhstan have previously actively sought to undermine web authentication “by pursuing legislation that would mandate that browsers provide a man-in-the-middle capability by accepting CAs that don’t meet our standards”, Erwin explained.

“We have successfully pushed back on that globally. But our ability to do so will really be undermined at the point at which the precedent has been set.”

Kate Charlet, Director of Data Governance at Google, told EURACTIV that this would not only set an unsettling precedent but “it would actively expose citizens to increased digital risk at a time when protection is more challenging – and essential – than ever.” 

In line with the letter’s signatories, Charlet does not believe that regulatory frameworks should have the effect of preventing organisations from protecting their users from evolving cybercrime and threats. 

At the Parliament, the file has been assigned to the Industry, Research and Energy Committee (ITRE). Rapporteur Romana Jerković said that the committee vote on the draft proposal is expected in July.

[Edited by Nathalie Weatherald]
