🚨 Another EU mass surveillance attempt. Will kill privacy on web. Must not pass. 🚨

“[A]ll web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.

These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.”

https://last-chance-for-eidas.org

#eu #privacy #surveillance #eidas

Link preview: Last Chance for eIDAS: 13 days before the first eIDAS vote, still no public text

@aral mandating putting a specific key in trust stores?

Well WHAT THE ACTUAL FUCK!!!!!
@aral interesting how all of a sudden cryptography is not the enemy anymore. Looking at you, #chatcontrol
@grob Oh, it’s always the enemy. This is just one way of bypassing it. Client-side scanning is another. Signalling capture is a third (“let’s add another end to the end-to-end without telling anyone”). As far as I can see, they’re still very much interested in trying their luck with all these approaches. (When they’re not busy trying to outlaw mathematics, that is.)
@aral that’s some scary shit. The implications are crystal clear even to laymen like myself.
@aral how does that affect VPNs?

@JohnDal Depends on how you have set up things and how they try to tap you.
*Generally* won't be a big issue as they need to tap between the VPN server and the destination server.

@aral

@JohnDal This is about browser certificates so whether you’re on a VPN shouldn’t factor into it either way. They’re looking to MITM TLS.
@aral so in the future a DigiNotar would be able to continue to service EU citizens with crap certificates, because it would be a pain to Dutch government? https://en.wikipedia.org/wiki/DigiNotar #certificates #eu #DigiNotar

@murb

DigiNotar issued the fraudulent certificates under WebTrust rules, not EU Electronic Signature rules.

@aral

@aral sometimes I wonder who are the technical people advising the minds that come up with this stuff and why are they so ineffective.

For privacy minded users, there's a whole distribution chain that can remove said certificates from the browser. There's no world in which the existence of the certificates can be guaranteed on a "target"'s computer so that it would be effective against whatever the hell they imagine it to be effective against. Sigh.

@mariusor @aral It's well-considered enough it isn't stupidity, it's malice.

Such users may also become targets in other ways, if their fast move to authoritarian surveillance goes as intended.

@lispi314 so much certainty for such an amorphous group of people. I doubt you know what you're talking about.

@aral

@mariusor @aral Abetting authoritarianism in self-delusion and rationalization of one's misdeeds isn't meaningfully differentiable from malice, and that's the only real alternative left.
@aral Iirc, Iran does the same as well and The Netherlands has been doing so for a while as well.

@finlaydag33k @aral eIDAS started nine years ago. I've had a Bulgarian cert for at least five years.

Utility is limited by the refusal to distribute the certificates of less-powerful countries. We all have cryptographically-verifiable PKI, but Google wants us to use their app instead.

@finlaydag33k @aral

I remember reading quite a few years back about how the Dutch Communications Ministry Agentschap Telecom (now the Rijksinspectie voor Digitale Infrastructuur) had started introducing this - (with surprisingly little comment about it across Europe)

@vfrmedia @finlaydag33k The Netherlands is scary in just how much Orwellian legislation/processes they can introduce without anyone batting an eyelid. They embraced body scanners by default at the airports*. They’re also going cash-free at an alarming rate. And few folks seem to be worried.

(An uncomfortable eye opener for me was when I was processed by G4S at one end of my trip and by G4S at the other while traveling to the Netherlands from possibly the UK once.)

@aral @finlaydag33k NL and UK are neighbours and have worked very closely together on surveillance/cop/military tech for decades, alongside East and South East Asian countries as part of the wider electronics industry - it's been a thing since the 1970s. (it was Philips which initially made CCTV cameras small enough and affordable that they could be deployed just about everywhere)

@aral Yea, I still pay a bunch in cash but indeed it's getting harder and harder to do so.
Places where you can put cash into your bank account are also becoming increasingly rare.

@vfrmedia

@finlaydag33k @vfrmedia There’s a reason in the prequel to The Handmaid’s Tale, one of the first things a fledgling Gilead does is to freeze the bank accounts of women – rendering them financially dependent on men from one day to the next.
@aral @finlaydag33k I can understand Dutch to about the level of a teenager/youth, and around 2012-4 read a lot of forums that young people in NL hung out on, and even on "alternative" subcultures like the electronic dance music scene I noticed a whole load of toxic attitudes about gender and race from young Dutch men (and these men will now be in their 30s and 40s, and possibly in positions of power) - and it's the same problem here in the UK

@vfrmedia tbf, most toxic attitudes about gender and race have pretty much passed.
All it is nowadays is some fairly isolated cases.

The general population doesn't really bother much with it all.

@aral

@finlaydag33k @aral

That is good to know, what worried me is that I was on groups for subcultures that were previously (in 1980s/90s/00s) very inclusive so it seemed like NL (and UK) was sliding back.

But I did notice even on the piratenhits/pirate radio scene (where folk are even older and from rural areas) they were becoming more diverse and inclusive (eg I've heard more female DJs on the pirates recently)

@vfrmedia Yea, we've mostly opened up luckily.
We kinda have a more "just don't bother me and we good" attitude towards a lot of shit.

Most of the toxicity is found in places where religion still matters a lot, like Urk... Then again, you don't wanna be found dead in those places anyways.

@aral

@finlaydag33k

Urk was the first place that came to mind when I thought of "parts of NL best avoided!"

culturally the part of England where I live is very similar to NL (even with the religious/conservative rural areas), just that "everything happens on the other side of the road" 😁

@aral

@vfrmedia ngl, Urk should have remained an island. XD

@aral

@aral I don't understand something, I'd love if you could help me. Today, does Let's Encrypt have the exact same power that the EU states would have if this law was enforced? Would something "in absolute" change or would it be just changing hands to different people? Thanks!
@aral it's all coming together, the WEF psychopaths are really on fire, but Trudeau and the PM of New Zealand are topping it all, the best WEF servants EVER

@ztimus

So... let me get this straight.

The WEF is doing this in Europe, because of...

*checks notes*

...Trudeau in Canada (North America) and Hipkins in New Zealand (Oceania).

Both of which, to my knowledge, have not done anything of the kind in their own country.

Ok.

@aral

@aral I don't think corporate certificate authorities are any better than government ones. The technology itself is questionable.

@aral Uh, no. This is some weird tinfoil hat nonsense. eIDAS isn't Clipper Chip, it's PKI.

This regulation would require that browsers recognize the certificates of EU government-issued IDs.

It would allow me to use the same hardware token ID I use to file taxes and customs paper to verify my ID with banks, EU agencies, and other governments. It would allow us to use our IDs to sign PDFs, and widely enable passport verification.

@opendna Yep, we’re all tinfoil hat conspiracy theorists here, you really figured us out. Everyone at Mozilla too. They’re the worst! That’s why Google pays them half a billion dollars a year. Because – you guessed it (damn, you’re good) – Google are tinfoil hat conspiracy theorists too! Don’t let their trillion-dollar adtech business fool you, it’s tin foil hat all the way down. Ever wonder why you never see the inside of their propeller hats?… Now you know.

Viktor Orbán approves this message.

Joseph Cox (@[email protected]): New: YouTube's renewed 'war' on adblockers highlights something much deeper: how Google has its hands on every part of the ecosystem, meaning it can leverage power like no one else on this. https://www.404media.co/youtubes-war-on-adblockers-shows-how-google-controls-the-internet/
@kravietz @aral Don't bother. Dude lost his shit and blocked me because I said it's tinfoil hat foolishness to believe RFID passports will mitm your Internet connection.

Just so we're all clear: if you fear eIDAS, burn your passport. Every passport issued in the last 15 years has essentially been an eIDAS document with a wireless antenna.

The question that is actually on the table is whether computers should be able to verify the authenticity of an ID document without installing certificates for each national authority.

@opendna @aral Do you understand what PKI authorities do and their role in TLS interception?

If the answer to that is no, you might want to cease making a fool of yourself and read up on it first.

No one gives a shit about the keys to be trusted. The problem is the means to achieve that which are also concerned by the same legislation: the certificate authorities.

If you have a compromised root PKI certauth? You own the TLS net. That's it. You can eavesdrop and interfere with everything.

@opendna @aral Now, you might say "but there are some checks & means available to mitigate that" and they know, they specifically decided to include sections in that legislation to *forbid* using those means.

@lispi314 @aral There is nothing prohibiting them from declaring that a national CA is issuing fraudulent certificates, and the consequences of that would be much greater than you seem to appreciate.

The prohibition on revoking CAs is a rule against a private American corporation autonomously revoking the identity documents of entire EU nations. And yes, they do have a habit of unlawful discrimination for profit.

@opendna @aral Considering several nations have already been caught doing so for such paltry and blanket reasons as "terrorism" (where predictably none was then found) and no consequences were had whatsoever, I don't see what consequences there would be to appreciate.

@lispi314 @aral I do understand what PKI authorities do. I also understand what eIDAS is, the precursor programs, and the real world risks of document security. I was very good at catching counterfeits before they were digital, and honestly, I'm probably one of the last.

I also understand that neither security agencies nor tyrants ask for permission, so worrying about whether Hungary might get a third CA in the future is many years too late. China has 17 CAs which can do what you fear.

@opendna @aral Fun fact about tyrants, they do in fact fairly often acquire power legally, and then they rewrite the laws.

Authoritarian regimes are a large part of why I consider the whole PKI scheme fundamentally broken.

However, unlike very localized instances, this effectively pushes practical usability of its inherent flaws into global deployment.

You won't hear me defending the #clearnet much, the whole thing is ill-designed & compromised as anything beyond a routing layer.

@lispi314 @aral As long as browsers have a de facto monopoly on distributing certs, it's reasonable for them to require that the root identity CAs be recognized.

Reasonable people can believe PKI is broken. Reasonable people don't claim that it is possible to issue a valid SSL based on a government ID while also rejecting the authenticity of that government ID.

@lispi314 @aral And I will just add that if you want to claim that EU governments are more lax with the security of CAs that they use to issue national IDs and passports than the hundreds of unknown commercial CAs which issue SSL certificates for 9.99 plus VAT, reconsider whether that makes any sense.

@opendna @aral That is another part of the "PKI is fundamentally broken" deal, indeed.

Corposcum cannot be trusted either and their neglect (and perverse incentives in many/most cases) have already been well-documented.

@lispi314 @aral I think "PKI is broken" is a reasonable position. But "PKI is broken therefore we must use SMS 2FA and Google Authenticator" is not.

Browsers distributing eIDAS CAs means every EU citizen will have a hardware 2FA token. That's not perfect, but it's definitely an improvement.

@opendna @aral SMS (and indeed the telephone network infrastructure in general) is broken in a number of ways, both functionality-wise and security-wise, I won't defend it.

NIST is perfectly right to recommend against it as any sort of channel for authentication secrets (which banks then blithely ignore for some reason).

I also wouldn't trust a third party with conflicts of interest (such as a government) to secure my communications with my peers, which greatly limits the usefulness of that.

@opendna @aral Anything which facilitates lawful interception facilitates abusive yet legal interception and makes the (repeatedly proven wrong) assumption that the legal system and its operative organs cannot be corrupted.
@aral Jesus Christ! What is going on in the EU these days!?

@aral

If you keep giving the police what they ask for, you end up with a police state.

@aral Could malicious compliance be an option if this goes through? Like the page loads, but a big banner is displayed in the browser informing the user that an unsafe CA is being used which probably means that the web use is being directly surveilled?
@stephengentle No idea. Given malicious compliance is what companies like Google, etc., have been undertaking with GDPR/cookie notices/right to be forgotten, I don’t see why not. (Then again, things have a way of being implemented differently whenever “national security” enters into the picture… Here’s hoping we don’t have to find out.)
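The "page still loads, but the user is told" idea from the exchange above, as an added example written here (it is not code from the thread, from Mozilla, or from any eIDAS project). It is a minimal Firefox WebExtension background script: the `browser.webRequest.onHeadersReceived`, `browser.webRequest.getSecurityInfo` and `browser.notifications.create` APIs are real Firefox APIs (and `getSecurityInfo` can only be called from a blocking `onHeadersReceived` listener), but the policy list, the root fingerprints, the labels and the sample chains are constructed placeholders. The chain is read leaf-first, so the trust anchor is the last element; that element is matched against a policy list, and a root that is not part of the built-in store is surfaced as a second, weaker signal. Nothing is blocked or rewritten.

```javascript
// Added example (not from the thread or any named project): a minimal Firefox
// WebExtension background script implementing the "malicious compliance" idea
// above. The page still loads; the user is warned when the TLS chain ends in
// a root CA that the extension's policy list marks as legislatively mandated
// rather than admitted through the browser's normal root-program review.
//
// Real Firefox APIs used: browser.webRequest.onHeadersReceived,
// browser.webRequest.getSecurityInfo (only callable from a blocking
// onHeadersReceived listener) and browser.notifications.create. manifest.json
// would need "webRequest", "webRequestBlocking", "notifications" and host
// permissions. Fingerprints, labels and chain data below are constructed.

// getSecurityInfo reports fingerprints as upper-case hex pairs joined by ':'.
// CONSTRUCTED placeholder, not the fingerprint of any real CA.
const PLACEHOLDER_ROOT_FP = Array(32).fill("AB").join(":");

// Policy list: sha256 fingerprint -> human-readable label. A deployment would
// load this from a maintained file rather than hard-code it.
const FLAGGED_ROOTS = new Map([
  [PLACEHOLDER_ROOT_FP, "Hypothetical mandated national root (placeholder)"],
]);

// Accept upper/lower case, with or without colons, and re-emit the ':' form.
function normaliseFingerprint(fp) {
  return String(fp || "")
    .toUpperCase()
    .replace(/[^0-9A-F]/g, "")
    .replace(/(..)(?=.)/g, "$1:");
}

// Classify a chain as delivered in SecurityInfo.certificates (leaf first,
// trust anchor last). Returns {verdict, root, reason}, where verdict is
// "no-chain", "flagged", "unvetted-root" or "ok".
function classifyChain(certificates, flaggedRoots = FLAGGED_ROOTS) {
  if (!Array.isArray(certificates) || certificates.length === 0) {
    return { verdict: "no-chain", root: null, reason: "no certificate chain available" };
  }
  const root = certificates[certificates.length - 1];
  const fp = normaliseFingerprint(root.fingerprint && root.fingerprint.sha256);
  const label = flaggedRoots.get(fp);
  if (label !== undefined) {
    return { verdict: "flagged", root: root.subject, reason: `chain ends in flagged root: ${label}` };
  }
  // A trust anchor outside the built-in store was injected by the OS, an
  // enterprise policy or local software: worth surfacing, not blocking.
  if (root.isBuiltInRoot === false) {
    return { verdict: "unvetted-root", root: root.subject, reason: "trust anchor is not a built-in root" };
  }
  return { verdict: "ok", root: root.subject, reason: "" };
}

function warningText(host, result) {
  return `${host}: ${result.reason} (${result.root}). ` +
    "Traffic to this site could be read by whoever controls that CA.";
}

// Constructed sample chains, shaped like getSecurityInfo output.
const SAMPLE_FLAGGED_CHAIN = [
  { subject: "CN=example.test", issuer: "CN=Placeholder Root",
    fingerprint: { sha256: Array(32).fill("01").join(":") }, isBuiltInRoot: false },
  { subject: "CN=Placeholder Root", issuer: "CN=Placeholder Root",
    fingerprint: { sha256: PLACEHOLDER_ROOT_FP }, isBuiltInRoot: true },
];
const SAMPLE_OK_CHAIN = [
  { subject: "CN=example.test", issuer: "CN=Ordinary Root",
    fingerprint: { sha256: Array(32).fill("02").join(":") }, isBuiltInRoot: false },
  { subject: "CN=Ordinary Root", issuer: "CN=Ordinary Root",
    fingerprint: { sha256: Array(32).fill("03").join(":") }, isBuiltInRoot: true },
];

// Hook every top-level HTTPS navigation. Guarded so the functions above stay
// usable outside Firefox (for example under Node for unit tests).
if (typeof browser !== "undefined" && browser.webRequest && browser.webRequest.getSecurityInfo) {
  browser.webRequest.onHeadersReceived.addListener(
    async (details) => {
      const info = await browser.webRequest.getSecurityInfo(details.requestId, { certificateChain: true });
      if (!info || info.state !== "secure") return {};
      const result = classifyChain(info.certificates);
      if (result.verdict !== "ok") {
        browser.notifications.create({
          type: "basic",
          title: "Certificate chain warning",
          message: warningText(new URL(details.url).host, result),
        });
      }
      return {}; // never block or rewrite: the page loads as normal
    },
    { urls: ["https://*/*"], types: ["main_frame"] },
    ["blocking"]
  );
}
```

The design choice worth noting is that the check keys on the trust anchor's fingerprint rather than on issuer names: a name can be reused by another CA, a fingerprint cannot. Flagging rather than blocking also keeps the extension from becoming its own availability problem if the policy list is wrong.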

@aral

Aral, this story is bullshit. It's yet another attempt by US companies to thwart a regulation that hurts their business, nothing more. I've explained it in detail here:

https://agora.echelon.pl/notice/AbOZJBmQBHLG8ySyZs

@kravietz This is all I see at that link: