Experts urge EU not to force insecure certificates in web browsers

A group of 38 cybersecurity professors and IT experts worldwide, together with the Electronic Frontier Foundation (EFF), have cosigned a letter to EU regulators that warns of a proposal that could expose internet users to cybercrime.

More specifically, the experts' highlight problems in the proposed amendment to Article 45 concerning establishing a framework for a European Digital Identity.

The particular provision requires web browsers like Chrome, Safari, and Firefox to accept QWACs (Qualified Website Authentication Certificates), which practically compels browser developers and security advocates to ease their security stance.

Website TLS certificates

Websites that use TLS certificates provide security assurances by encrypting the communication between a user's computer and the server that hosts the site and proving the owner's identity in many cases.

Signs of valid certificates come in the form of a padlock on the URL address bar, and the URL begins with "https://" instead of "http://".

These certificates are signed by a trusted authority that has verified the organization's identity connected to a domain and has expiration dates, after which the owner needs to acquire a new one.

TLS certificates are vital for the online exchange of sensitive information with websites such as passwords, sensitive uploads, or payment details.

Without them, any bad actor would be able to spoof a website and claim they are any organization they need to be to exploit internet users.

A risky proposal

As part of the amendment to Article 45, EU lawmakers want to force browsers to accept QWACs certificates to improve authentication on the Web and create a more streamlined system of GDPR compliance, owner information, and data transaction guarantees.

QWACs combine TLS and electronic ID into a single certificate, binding identity with TLS deployment, theoretically creating a transparent and technologically neutral system.

While the intents of the lawmakers are sincere, their lack of technical understanding makes the proposal ill-conceived, according to EFF, and also Mozilla, who has previously raised the following four points against the adoption of QWACs:

1. The cryptographic binding of a QWAC to a connection or TLS certificate will violate provisions of the eIDAS regulation, relating to website authentication, technological neutrality, and interoperability.
2. Binding TLS with QWACs limits technological neutrality and interoperability in the EU digital market, and harms the ability of EU entities to compete in the global economy.
3. Third-party services assigned with the task to handle the validation procedures may access user browsing activity, or track and profile users, without any oversight.
4. The automatic inclusion of appointed validation service providers in the root certificate authority, which is far more stringent, would introduce risky forced white-listing by government dictate.

The letter sent to members of the European Parliament warns of technical implementation flaws in the QWACs, which are the very reason standing in the way of its mass adoption since 2014 when the new website authentication system was first introduced.

“The Digital Identity framework mandates browsers accept QWACs issued by Trust Service Providers, regardless of the security characteristics of the certificates or the policies that govern their issuance,” reads the letter to sent EU regulators.

“This legislative approach introduces significant weaknesses into the global multi-stakeholder ecosystem for securing web browsing, and will significantly increase the cybersecurity risks for users of the web.”

“The policy approach with the revised Article 45 signals a dangerous cybersecurity policy trend. It compels private actors to forgo their duty to those who use their products and services, by assuming that because government-appointed Certificate Authorities are subject to government security standards, they can pose no cybersecurity risk.”

The proposed mandate forces vendors to accept technology that they believe is insecure and has fundamental privacy issues, which is against established security norms, making quick responses to shifting threats practically impossible.

The concerns regarding QWAC are details in a Twitter thread by Google's Ryan Sleevi.

You see, browsers/OS vendors haven’t adopted QWACs, mostly because CAs are insisting it can only be as TLS certs, while browsers have been pointing out that makes zero technical sense for the goals (and makes the whole Web less secure! More here https://t.co/Ic9RBJ57W0 )

— Ryan Sleevi (@sleevi_) June 9, 2021

The biggest worry is that bad actors could impersonate legitimate websites to intercept data in transit, potentially leading to financial crimes and identity theft cases.

Attack cases involving spoofed e-commerce or e-government portals could lay the ground for massive data breaches that would leverage security gaps introduced by new legislation.

Mozilla has also objected to this proposal in a consultation document sent to the EU Commission in October 2020, explaining the risks of QWACs in great detail.

The feedback period for this proposal closed in September 2021, so the letter sent by the cybersecurity experts today is a last-ditch effort to convince the EU lawmakers they need to amend their proposal accordingly.