Mozilla’s message to MEPs appears to be gaining traction, says senior public policy manager at the non-profit
Mozilla has stepped up its efforts to dissuade EU lawmakers from forcing web browsers to recognize the validity of contentious web certificates created by the bloc.
The non-profit architect of the Firefox browser has launched a campaign urging Members of the European Parliament (MEPs) to amend proposals tabled by the European Commission (EC) that would oblige browsers to accept Qualified Website Authentication Certificates (QWACs).
The EU created QWACs in 2014 to validate a website’s professed identity and therefore – in theory – protect users from fraud, malware, and surveillance.
However, QWACs, which are based on somewhat discredited extended validation certificates, have failed to gain much of a foothold in the web ecosystem in the eight years since their introduction.
Mozilla argues that QWACs are inferior to the existing, longstanding web authentication ecosystem, and that the EC proposal would bypass “the critical first line of defense against cybercrime on the web”.
With MEPs expected to vote on the proposal in October, Mozilla launched a #SecurityRiskAhead campaign yesterday (July 13) with a carnival-style duck-fishing game pitched outside the European Parliament in Brussels.
Owen Bennett, Mozilla’s senior public policy manager for Europe, told The Daily Swig that Mozilla’s message appeared to be gaining traction.
The QWACs amendment – article 45.2 – was deleted from a recent draft report (PDF) for the EU’s digital identity framework in order to accommodate revisions, and various security-related amendments have already been tabled in parliament, he said.
An open letter urging a rethink, published in March by 38 security experts, was “a big turning point” in persuading MEPs, Bennett believes.
The Internet Society, Electronic Frontier Foundation (EFF), and the world’s largest certificate authority, Let’s Encrypt, have also campaigned against the proposal.
The browser-led web authentication system in place sees certificated websites using the TLS-encrypted HTTPS protocol and displaying a padlock icon in the URL address bar to advertise their secure status.
DON’T FORGET TO READ HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges
Web – or SSL – certificates are currently issued by more than 100 certificate authorities (CAs), which are vetted by Mozilla and other leading browser makers, including Google, Microsoft, and Apple.
Critics of QWACs, which are issued by ‘Trust Service Providers’ (TSPs) approved by governments of EU member states, argue that they cannot draw on comparable technical expertise and resources. They can also point to the fact that hundreds of millions of web users happily submit payment card details online as evidence that the status quo is widely, and justifiably, trusted.
Mozilla takes its message direct to MEPs by pitching up outside the European Parliament
Mozilla CSO Marshall Erwin warned that if the well-intentioned EC proposal were “copied elsewhere, the regulation will give the tools to governments to carry out state-sponsored surveillance of internet traffic”.
Mozilla cited large-scale snooping campaigns by Iran’s theocracy in 2011 and the governments of Kazakhstan and Mauritius in 2020 and 2021 respectively as examples of the activity the regulation could enable.
‘Ceiling on website security’
“Article 45 puts a ceiling on website security,” said Bennet. “It says you must accept QWACs, not put in place any additional protections, and not take action when a certificate authority is found to be compromised. For us that creates an untenable risk to Firefox users.”
The EU’s digital identity framework will be incorporated into the electronic Identification, Authentication, and Trust Services (eIDAS) regulation, which was enacted in 2014 to facilitate the emergence of a European internal market for trust services.
Bennett said the campaign was not seeking to “blow up the whole regulation”, but that Mozilla simply wanted “some small tweaks” to give browsers the “discretion to take action when an entity issuing QWACs doesn’t meet existing security standards or poses a security risk”.
A spokesperson for the European Commission told The Daily Swig:
The eIDAS Regulation is technology neutral. QWACs were introduced in 2014 as a means to enhance trust and reduce fraud and is used to ensure trusted transactions in the PSD2 environment (as a means for Payment Service Providers to identify).
The concerns raised by the browser community is based on an understanding of the technical implementation of the obligation to recognise QWACs which is not supported by the Commission legal proposal. The Commission proposal intends to achieve recognition of QWACs in the browser environment, which can be achieved without interfering with existing root store policies and web browser security requirement. There is no reason why a certificate issued as trustworthy according to EU law should not be recognised as such by the browser community.
In collaboration with the relevant standardisation bodies and the availability of commonly and globally accepted standards, the implementing act referred to in Article 45 will set out the technical specifications/references to the applicable standards which will enable the recognition of QWACs in accordance with the above.
YOU MIGHT ALSO LIKE Oblivious DNS-over-HTTPS offers privacy enhancements to secure lookup protocol