Under the eIDAS regulation, each member state of the EU (as well as recognised third party countries) is able to designate Qualified Trust Service Providers (Qualified TSPs) for the distribution of Qualified Website Authentication Certificates (QWACs). Outside the EU, these TSPs and QWACs are more typically known as Certificate Authorities (CAs) and TLS Certificates, respectively. Article 45 requires browsers to recognise these certificates.
This is particularly troubling because any malicious CA has the ability to intercept all the web traffic of affected browsers. Any CA trusted by a browser can issue a certificate for any website, even a website that obtains its certificates from a different CA. If the CA issues a certificate containing cryptographic keys that are not under the control of the website operator, the party who does control those keys can use them to intercept web traffic to that website.
Consequently, CAs are subject to stringent security and safety checks. Currently, browsers vet the CAs they trust and monitor them carefully for compliance through audits, incident reporting, and other controls like Certificate Transparency. In the event a CA misbehaves or substantiated concerns emerge regarding their behavior, browsers act swiftly to remove the CA’s certificate and prevent any further harm to users or websites.
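As an added defender-side example, not part of the original text, the following Python sketches the Certificate Transparency monitoring the paragraph refers to: a site operator compares CT records naming their domains against the issuers they actually use, and anything else is a mis-issuance candidate. The CT entries, issuer names and domains are constructed samples, not real log data.

```python
"""Flag unexpected issuers in Certificate Transparency records.

Constructed sample data; the issuer and domain names are placeholders.
A certificate for a monitored domain from an issuer the operator never
used is the signal that a browser-trusted CA issued a key the site
operator does not control.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CtEntry:
    log_index: int          # position in the (hypothetical) CT log
    issuer: str             # issuer name as written in the certificate
    sans: tuple[str, ...]   # subjectAltName DNS entries


# Issuers each monitored domain legitimately uses (assumed inventory).
EXPECTED_ISSUERS = {
    "example.com": {"Example Public CA"},
    "mail.example.com": {"Example Public CA"},
}


def san_covers(san: str, domain: str) -> bool:
    """True if `san` names `domain`; a wildcard covers exactly one label."""
    san, domain = san.lower().rstrip("."), domain.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[1:]  # ".example.com"
        return domain.endswith(suffix) and "." not in domain[:-len(suffix)]
    return san == domain


def find_misissued(entries, expected=EXPECTED_ISSUERS):
    """Return (log_index, issuer, domain) for every entry whose SANs cover a
    monitored domain but whose issuer is not one that domain's owner uses."""
    findings = []
    for e in entries:
        for domain, allowed in expected.items():
            if any(san_covers(s, domain) for s in e.sans) and e.issuer not in allowed:
                findings.append((e.log_index, e.issuer, domain))
    return findings


# Constructed CT records: one legitimate, two from an issuer never used.
SAMPLE_ENTRIES = [
    CtEntry(1001, "Example Public CA", ("example.com", "www.example.com")),
    CtEntry(1002, "Constructed Unexpected CA", ("*.example.com",)),
    CtEntry(1003, "Constructed Unexpected CA", ("example.com",)),
    CtEntry(1004, "Other CA", ("unrelated.org",)),
]

if __name__ == "__main__":
    for idx, issuer, domain in find_misissued(SAMPLE_ENTRIES):
        print(f"log entry {idx}: {issuer!r} issued for {domain}")
```

Note that the wildcard entry flags mail.example.com but not the apex example.com, since `*.example.com` does not cover the bare domain.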
Article 45 appears to block the removal of CAs selected by European governments. Browsers are banned from withdrawing these CAs without the permission of the government concerned. Some member states directly operate or own these CAs, making them simultaneously the suspect, the jury and the judge in the event of any misbehavior. If this comes to pass, it would enable any EU government or recognised third party country to begin intercepting web traffic and make it impossible to stop without their permission. There is no independent check or balance on this process described in the proposed text.
Even worse, this regulation allows the government of every EU member state to add CA certificates to a central list and only the member state responsible for adding the CA to the list can remove it, yet these CAs will be distributed to every European citizen. As a result, ineptitude or malice by one EU member state will impact the security of every European citizen. This means that EU citizens need not only be concerned with their own governments, but are forced to place their online security in the hands of every member state and recognised third party country, each of whom can individually act in order to intercept their traffic.
There is a long history of mis-issued certificates by government agencies being used to compromise encrypted web traffic:
2013, Turkey - Revoking Trust in Two TurkTrust Certificates - TurkTrust is a Turkish Internet Authority Agency, a part of the Turkish government. This CA’s root certificates were removed because certificates the CA had mis-issued were being used maliciously to intercept and inspect encrypted web traffic.
2013, France - Revoking Trust in one ANSSI Certificate - ANSSI (Agence nationale de la sécurité des systèmes d’information) is a French Network and Information Security Agency, a part of the French Government. This CA’s root certificate was removed because certificates it had mis-issued were being used to maliciously intercept and inspect encrypted web traffic.
2015, China - Distrusting New CNNIC Certificates - China Internet Network Information Center (CNNIC) is a non-profit organization administered by the Cyberspace Administration of China. This CA’s root certificates were removed because certificates the CA had mis-issued were being used maliciously to intercept and inspect encrypted web traffic.
2019, Kazakhstan - Distrusting CA in Kazakhstan - The Kazakhstan government was requiring people in the country to download and install a government-issued certificate on all devices and in every browser in order to access the internet. Additionally, there were credible reports that the Kazakhstan government was using their root certificate to intercept the internet traffic of everyone in the country, as they had also previously attempted. So browsers blocked these root certificates.
In all of these cases, certificates that were mis-issued by the CA were used by attackers to intercept and inspect encrypted web traffic for popular websites. In each case, browsers responded by revoking trust, denying inclusion, or actively blocking the use of these certificate authorities.