How the EU eIDAS 2.0 regulation could threaten online privacy

The European Union is about to finalize a revision of its digital identity and trust services regulation, known as eIDAS 2.0. The revision aims to improve the security and interoperability of electronic identification, authentication and signatures across the EU, and it introduces a European Digital Identity Wallet (commonly called the EU ID Wallet) that every EU resident will be able to use.

However, the regulation also contains provisions that have raised serious concerns among security experts, privacy advocates and browser makers. These provisions could undermine the security and privacy of HTTPS, the TLS-protected protocol that authenticates web servers and encrypts the traffic between browsers and servers.

In this blog post, I will explain what these provisions are, why they are problematic, and what are the potential implications for online privacy.

What is eIDAS 2.0 and why does it matter?

eIDAS stands for electronic IDentification, Authentication and trust Services. It is a set of rules that govern how electronic identification and trust services are provided and recognized across the EU. The first version of eIDAS (Regulation (EU) No 910/2014) was adopted in 2014 and has applied in full since July 2016.

The main objectives of eIDAS are to:

– Enhance trust and security in online transactions within the EU
– Facilitate cross-border access to public and private online services
– Promote the use of electronic signatures, seals, timestamps and other trust services
– Ensure interoperability and mutual recognition of electronic identification schemes across the EU

In 2020, the European Commission launched a review process to update eIDAS in light of the digital transformation and the COVID-19 pandemic. The proposed revision, known as eIDAS 2.0, was published in June 2021; the Parliament and the Council reached a provisional agreement on the text in November 2023, and formal adoption is expected in early 2024.

The main changes introduced by eIDAS 2.0 are:

– The creation of a European Digital Identity Wallet (the EU ID Wallet), an application that lets Europeans store their national electronic identification (eID) and other attestations on their smartphones and present them to online services
– The extension of the scope of eIDAS beyond public sector online services to private sector ones, such as banking, health care, education and large online platforms
– New rules for website authentication certificates, the certificates that bind a website's domain name (and, for some certificate types, the legal identity of its operator) to the public key a browser uses to set up an HTTPS connection

It is this last point that has sparked controversy and criticism from various stakeholders.

What are website authentication certificates and how do they work?

Website authentication certificates are digital documents that bind a website's domain name, and sometimes the legal identity of its operator, to a public key. They are issued by Certificate Authorities (CAs), which are expected to verify that the requester controls the domain (and, for organization-validated certificates, that the named organization exists and actually made the request) before signing. A certificate says nothing about whether a site is honest or free of vulnerabilities; it only lets a browser confirm that it is talking to the holder of the private key for that name.

When you visit a website over HTTPS, your browser checks the certificate presented by the server: that it chains to a root CA in the browser's trust store, that the current date falls within its validity period, that the name in the certificate matches the hostname you typed, and that it has not been revoked. If those checks pass, the browser shows a padlock icon next to the address. The padlock means the connection is encrypted and the server proved possession of the key for that hostname, so traffic cannot be read or altered in transit; it does not vouch for the content of the site.

If any check fails (the certificate was issued by a CA the browser does not trust, has expired, has been revoked, or names a different host), the browser shows a warning or an error page instead. That means the browser cannot confirm who is on the other end of the connection, and you should not proceed with a login or any other sensitive action.

The list of trusted root CAs is maintained by each browser or operating-system vendor through its root program: Google (Chrome), Mozilla (Firefox, whose root store is also reused by many Linux distributions), Microsoft and Apple. Each vendor decides which CAs to include or remove based on criteria such as technical competence, security practices, audit results and compliance with industry standards (notably the CA/Browser Forum Baseline Requirements) and with the vendor's own root policy.

What does eIDAS 2.0 propose to change about website authentication certificates?

One of the most controversial provisions of eIDAS 2.0 is Article 45, which deals with website authentication certificates. Article 45 states that:

– CAs can be granted Qualified Trust Service Provider (QTSP) status by the national supervisory body of a member state, which authorizes them to issue Qualified Website Authentication Certificates (QWACs) to websites
– QWACs carry a higher level of assurance than ordinary domain-validated certificates, because they are bound to the verified legal identity of the website operator
– Browser vendors will have to recognize QWACs as valid and trustworthy certificates and display the certified identity data to users
– Browser vendors will not be allowed to impose security requirements beyond those specified in standards from the European Telecommunications Standards Institute (ETSI), which critics read as barring them from distrusting or removing a QWAC, or a QTSP's root, from their trust store on their own initiative

In other words, eIDAS 2.0 moves the decision about which CAs browsers must trust for websites in a member state's jurisdiction from the browser root programs to that member state, and obliges browser vendors to honor those CAs without the ability to question or override the decision.

Why is this a problem for online privacy?

The proposed changes to website authentication certificates pose several risks for online privacy, such as:

– Increased surveillance and censorship: A member state, acting through a QTSP it supervises, could obtain a certificate for a domain it does not operate and use it to impersonate that site to its own citizens. A device holding such a certificate and placed in the network path (at an ISP, for example) can terminate the TLS connection, read or alter the traffic, and re-encrypt it toward the real site, while the visitor's browser shows a normal padlock. A state could, for instance, issue a QWAC for a news site critical of the government and use it to monitor, or selectively block, that site's readers. Browsers would be unable to flag the certificate, because it would chain to a root they are obliged to trust.
– Reduced security and trust: Mandatory trust also widens the attack surface of HTTPS. If a QTSP were compromised or coerced, whether by criminals or by a state actor, it could issue fraudulent certificates for any website. Today's remedy for that is well established: when the Dutch CA DigiNotar was compromised in 2011 and a fraudulent google.com certificate was used against users in Iran, browser vendors removed its root within days. Under the ETSI-only rule as critics read it, vendors could not unilaterally distrust a QTSP's root in the same way and would have to keep honoring its certificates.
– Decreased competition and innovation: QWACs could stifle competition and innovation in the browser and CA markets by imposing a one-size-fits-all trust model that favors certain players. A member state could, for example, favor a national QTSP over a foreign one and create barriers to entry or unfair advantages for its preferred CA. Browser vendors could no longer differentiate on the quality of their trust stores, since they would have to accept all QWACs equally.
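The following is an added example, not code from the original post, that models the browser-side checks described in the section on website authentication certificates together with the interception scenario above, using Go's standard crypto/x509 package. It constructs two roots (one standing in for a root the browser vendor vetted, one standing in for a mandated QTSP root), issues certificates for the hypothetical site news.example, and runs the checks a browser performs (trusted chain, validity period, hostname match, server-authentication usage) against a trust store before and after the mandated root is added. All names, hostnames and both roots are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root certificate. Both roots created below are
// constructed for this example; neither is a real trust anchor.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf has a CA sign a server certificate for dnsName, valid until notAfter.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, notAfter time.Time, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BrowserVerdict runs the checks a browser applies to a server certificate:
// chain to a root in the trust store, validity period, hostname match and
// server-authentication usage. The outcome is reduced to a short label.
func BrowserVerdict(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "untrusted-root"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	default:
		return "error"
	}
}

// RunScenarios returns the verdict for each case discussed in the text.
// news.example is a hypothetical site; the "mandated" root stands in for a
// QTSP root that a browser would be obliged to include in its trust store.
func RunScenarios() map[string]string {
	vendorRoot, vendorKey := newCA("Vendor-Vetted Root (constructed)", 1)
	mandatedRoot, mandatedKey := newCA("Mandated QTSP Root (constructed)", 2)
	const site = "news.example"
	now := time.Now()

	genuine := issueLeaf(vendorRoot, vendorKey, site, now.Add(24*time.Hour), 10)
	expired := issueLeaf(vendorRoot, vendorKey, site, now.Add(-time.Minute), 11)
	// Same hostname, but signed by a root the browser vendor never vetted:
	// this is the certificate an interception device would present.
	intercept := issueLeaf(mandatedRoot, mandatedKey, site, now.Add(24*time.Hour), 12)

	today := x509.NewCertPool() // trust store as chosen by the browser vendor
	today.AddCert(vendorRoot)
	mandated := x509.NewCertPool() // the same store once the QTSP root must be added
	mandated.AddCert(vendorRoot)
	mandated.AddCert(mandatedRoot)

	return map[string]string{
		"genuine":            BrowserVerdict(genuine, today, site),
		"wrong-host":         BrowserVerdict(genuine, today, "shop.example"),
		"expired":            BrowserVerdict(expired, today, site),
		"intercept-today":    BrowserVerdict(intercept, today, site),
		"intercept-mandated": BrowserVerdict(intercept, mandated, site),
	}
}

func main() {
	for name, verdict := range RunScenarios() {
		fmt.Printf("%-19s %s\n", name, verdict)
	}
}
```

The last two cases are the point. The same certificate for news.example, signed by a root the vendor never vetted, is rejected with an untrusted-root error against today's store and passes with a clean verdict once that root must be present. The countermeasures a root program would normally apply to such a root, removing it from the store or requiring its certificates to appear in Certificate Transparency logs, are precisely the additional security measures that critics say Article 45 takes away.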

What are the alternatives and solutions?

Many experts and organizations have voiced opposition to Article 45 of eIDAS 2.0 and have proposed alternatives to address the issues it raises.

Some of these proposals are:

– Removing Article 45 altogether: This would preserve the status quo for website authentication certificates and let browser vendors continue to manage their own trust stores according to their own criteria and policies.
– Narrowing Article 45: This would limit the risks of QWACs by restricting their use to certain types of websites (such as public sector ones) or certain purposes (such as displaying verified identity data, separate from the TLS trust decision), and by explicitly allowing browser vendors to take additional security measures, such as distrusting a QWAC or a QTSP, in case of misuse or compromise.
– Replacing Article 45 with a different approach: This would handle website authentication through a model that does not depend on a fixed set of centralized CAs or QTSPs, for example a decentralized or federated scheme based on peer-to-peer verification or a distributed ledger.

Conclusion

The EU eIDAS 2.0 regulation is an ambitious and important initiative that aims to improve the security and interoperability of electronic identification and trust services across the EU. However, it also contains some provisions that could threaten the security and privacy of HTTPS connections, by changing how website authentication certificates are issued and trusted.

These provisions have been widely criticized by security experts, privacy advocates and browser makers, who have warned of the implications for online surveillance, censorship, trust and innovation, and who have proposed alternatives to address them.

A provisional political agreement on the text was reached in November 2023, and formal adoption by the European Parliament and the Council is expected in early 2024. It is crucial that lawmakers take the feedback and concerns of these stakeholders into account and ensure that the regulation does not compromise the security and privacy of online communications in the EU.

References

1. EU eIDAS: VPNs won't protect Europeans' privacy if law passes, experts warn. TechRadar. https://www.techradar.com/computing/cyber-security/eu-eidas-vpns-wont-protect-europeans-privacy-if-law-passes-experts-warn
2. Europe prepares to break browser security with eIDAS 2.0. The Register. https://www.theregister.com/2023/11/08/europe_eidas_browser/
3. EU revamps eIDAS with law allowing member states to track internet sessions. Techzine. https://www.techzine.eu/blogs/privacy-compliance/113128/eu-revamps-eidas-with-law-allowing-member-states-to-track-internet-sessions/
4. eIDAS: EU's internet reforms will undermine a decade of advances in encryption. Help Net Security. https://www.helpnetsecurity.com/2023/12/12/eu-eidas/
5. European Digital Identity – Provisional Agreement. European Parliament. https://www.europarl.europa.eu/cmsdata/278103/eIDAS-4th-column-extract.pdf