24.Key Code

The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government. Which CAs?

Specifically, the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government’s control could be used to intercept HTTPS communication throughout the EU and beyond. 

This is a catastrophe for the privacy of everyone who uses the internet, but particularly for those who use the internet in the EU. Browser makers have not announced their plans yet, but it seems inevitable that they will have to create two versions of their software: one for the EU, with security checks removed, and another for the rest of the world, with security checks intact. We’ve been down this road before when export controls on cryptography meant browsers were released in two versions: strong cryptography for US users and weak cryptography for everyone else. It was a fundamentally inequitable situation, and the knock-on effects set back web security by decades.

Read what LinuxSecurity.com Founder and Linux Security expert Dave Wreski has to say about the implications of this proposed regulation in a new LinkedIn update.