I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services. They say “trust our shit when X and Y” because that’s how they designed their system, they don’t want to think about fraud and abuse and human error, because that would be Not According To The Law and therefore never happens.
If they wanted to make browsers less secure, they would do so in much more obvious ways. They proposed a straight-up ban on E2EE and mandatory upload filtering with a hashing algorithm they decided on. They also have several (outdated) security specs that made it into the Brexit accords.
Individual sets of intelligence agencies break and sabotage encryption all the time (5 eyes, 7 eyes, other configurations of eyes) but they’re not as obvious as “here’s a spec everyone can read and verify with obvious flaws”.
The EU can be rather shit, but they don’t care to hide their shittiness.
If they wanted to make browsers less secure, they would do so in much more obvious ways.
The new proposal demands browsers automatically trust government created root certificates. That means any EU government can do a man-in-the-middle attack on any end user running that web browser, even users in other countries. There is no reason to do that other than to spy on people or to manipulate the content that they’re viewing.
If any government, or company for that matter, wants to make their own root cert and deploy it to all their users/machines they can already do that easily. A lot of companies that work with sensitive data already do this, and some companies (ex: symantec) provide solutions to do it very easily, so the IT team can see everything the users are doing.
I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services.
Right… uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!
I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services. They say “trust our shit when X and Y” because that’s how they designed their system, they don’t want to think about fraud and abuse and human error, because that would be Not According To The Law and therefore never happens.
If they wanted to make browsers less secure, they would do so in much more obvious ways. They proposed a straight-up ban on E2EE and mandatory upload filtering with a hashing algorithm they decided on. They also have several (outdated) security specs that made it into the Brexit accords.
Individual sets of intelligence agencies break and sabotage encryption all the time (5 eyes, 7 eyes, other configurations of eyes) but they’re not as obvious as “here’s a spec everyone can read and verify with obvious flaws”.
The EU can be rather shit, but they don’t care to hide their shittiness.
The new proposal demands browsers automatically trust government created root certificates. That means any EU government can do a man-in-the-middle attack on any end user running that web browser, even users in other countries. There is no reason to do that other than to spy on people or to manipulate the content that they’re viewing.
If any government, or company for that matter, wants to make their own root cert and deploy it to all their users/machines they can already do that easily. A lot of companies that work with sensitive data already do this, and some companies (ex: symantec) provide solutions to do it very easily, so the IT team can see everything the users are doing.
https://spectrum.ieee.org/diginotar-certificate-authority-breach-crashes-egovernment-in-the-netherlands
This is probably the seed of this madness
Right… uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!