Signatories to a letter criticizing EU scheme share their misgivings with The Daily Swig

Dangerous EU web authentication plan threatens to undercut browser-led certification system, detractors claim

An EU proposal to force browsers to accept web certificates created by the bloc risks “upsetting a carefully curated set of rules and technologies that undergird almost all privacy and security online”, according to a leading cybersecurity expert.

Joseph Lorenzo Hall, distinguished technologist at the Internet Society, is among 38 signatories to an open letter addressed to the European Parliament that criticizes the plans.

Other signatories include academics, security engineers, and security researchers in the US, Canada, UK, France, and Germany.

QWAC medicine

Published on March 3, the missive urged EU lawmakers to reject a proposed amendment to the eIDAS – or electronic Identification, Authentication, and Trust Services – regulation, which was passed in 2014 to facilitate the emergence of a European internal market for trust services.

eIDAS mandated the creation of Qualified Website Authentication Certificates (QWACs), which essentially vouch for a website’s professed identity. As such, the scheme purports to protect users from malicious domains parading as legitimate platforms and therefore malware, surveillance, identity theft, and financial crime.

RECOMMENDED ENISA urges data-handling innovation amid growing tide of healthcare breaches

However, critics point out that QWACs attempt to solve a problem already addressed by an existing system – only less effectively. QWACs have so far failed to gain much traction in the web ecosystem “owing to flaws with its technical implementation model”, says the open letter.

Worse still, in compelling web browsers to recognize the authority of QWACs, a contentious proposal from the European Commission would circumvent tried-and-tested security protections offered by prevailing mechanisms.

Status quo

At present, valid website certificates are issued by more than 100 certificate authorities (CAs), whose suitability for this critical gatekeeping role is vetted by leading browser makers.

Websites that pass muster use the TLS-encrypted HTTPS protocol, which protects communications with the site, and are flagged as secure by a padlock icon in the URL address bar.

Google (developer of Chrome), Mozilla (Firefox), Microsoft (Edge and IE), and Apple (Safari) all run ‘root programs’ that validate CAs’ compliance around issuance practices. CAs that fall below the required standards can be removed.

By contrast, QWACs are issued by ‘Trust Service Providers’ (TSPs) that are approved, not by browsers, but by the governments of EU member states.

This has prompted Firefox CTO Eric Rescorla to warn that the EU scheme may embolden repressive regimes that have already tried and failed to “ramp up their surveillance capacities by forcing browsers to automatically trust their CAs”.

Technical gap

By forcing browser developers to include TSPs in their root programs, many security experts feel the EU is needlessly undercutting a system managed adroitly by technically proficient experts.

“Simply speaking, current browser vendors have significant experience in vetting of certificates”, Dr Lukasz Olejnik, independent security researcher and consultant and a co-signatory to the open letter, tells The Daily Swig.

Catch up with the latest cybersecurity policy and legislation news

The impact assessment for the proposed regulation, he added, failed to explain how EU policymakers could match this expertise.

The open letter from concerned infosec experts said this “signals a dangerous cybersecurity policy trend”. It reads:

In the field of cybersecurity in particular, where threats evolve constantly and real-time operational responses are essential, regulatory frameworks should not have the effect of preventing vendors from taking security measures in the interest of their users.

‘System isn’t broken’

The fact that hundreds of millions of users routinely submit payment card details online, often to websites with which they are unfamiliar, arguably attests to the success of the current system in engendering trust in the web.

Critics believe the EU proposal could undermine this hard-won trust by raising the risk of certificates unwittingly being issued to cybercriminals.

“I think we can all understand wanting to have nationally controlled roots of trust and nothing is stopping the EU from doing that, and hopefully doing it well,” Joseph Lorenzo Hall of the Internet Society tells The Daily Swig.

“However, these ‘root programs’ that store the keys to various aspects of the internet and web are balanced ecosystems where incentives, evolution, auditability, and accountability are designed with sole purpose of protecting and securing billions of transactions and communications every day.

“This is a case where the system isn’t broken, but modifying it to do what the EU wants here is bound to break it.”

Mozilla, the non-profit behind the Firefox browser, expressed its own misgivings via an open consultation over the plans in 2020.

Among other things, the organization said “the move to cryptographically bind a QWAC to a connection or TLS certificate” would violate eIDAS’ professed principles of prioritizing authentication, interoperability, and technological neutrality.

It also said Firefox’s technical and policy requirements “are more transparent, have more stringent audit requirements and provide for improved public oversight as compared to what eIDAS requires of TSPs”.

Nevertheless, in June 2021 the European Commission proposed to make recognition of QWACs mandatory under a new digital identity framework (PDF) for eIDAS.

Path forward

Dr Olejnik suspects EU policymakers wanted to be seen to be doing “something” about web security. “So they did exactly that – they did something,” he said. “I can imagine that psychologically it is also very difficult to backtrack on proposals where one is invested organizationally. It works similarly in corporate settings.”

Lorenzo Hall is, however, “hopeful” that common sense will ultimately prevail.

“We're hopeful that EU policymakers understand by now that imposing these certificates upon the existing landscape risks not merely failure, in that these certificates are unlikely to be terribly useful, but also it risks completely upsetting a carefully curated set of rules and technologies that undergird almost all privacy and security online,” he said.

Dr Thyla van der Merwe, another co-signatory to the open letter and managing director at the ETH Future Computing Laboratory in Switzerland, tells The Daily Swig: “Browser vendors have a lot of experience when it comes to keeping users safe online, and checking digital certificates is an important piece of this puzzle.

“Ideally, the EC should work with browser vendors to find a solution that allows browser policies to remain in place whilst meeting the goals behind the EU’s digital identity framework.”

The EU’s press office did not respond to a request for comment from The Daily Swig.

READ MORE ‘Browser in a browser’: Phishing technique simulates pop-ups to exploit users