The offending legislation is
eIDAS (electronic IDentification, Authentication and trust Services)

The Situation

These legislative articles were introduced in recent closed-door meetings, undermining democratic norms of public scrutiny. This legislation will be presented to the public and parliament for a rubber stamp before the end of the year.

It seems to enable any EU member state to issue fake website certificates for interception and surveillance via a man-in-the-middle attack. Website certificates are cryptographically secure identities of websites, and states might be allowed to commit a type of identity theft.

There is no independent check on the decisions made by member states with respect to the keys they authorize and the use they put them to.

This legislation seeks to ban browsers from applying security checks to these EU web certification keys and certificates except those pre-approved by the EU IT standards body ETSI. There are misaligned incentives. ETSI has a concerning track record of producing compromised cryptographic standards.

Further reading

https://www.techdirt.com/2023/11/03/eu-tries-to-slip-in-new-powers-to-intercept-encrypted-web-traffic-without-anyone-noticing/#comments
https://last-chance-for-eidas.org/
https://stackdiary.com/mozilla-and-others-warn-eu-identity-cert-rules-undermine-security/

My take
This definitely is malicious intent, because they schemed in secret. Democratic politics are done in the open. This also will not stay contained to the EU. This could be the follow-up punch of the attack on encryption from the chat-control law.
They already tried to label the warnings about this as """misinformation""", which is very ominous and censorious.
Their intentions are probably institutionalizing more surveillance crimes that violate privacy rights. I'm not sure about all the technical exploitation vectors; I think this could enable them to redirect users to malicious websites, somebody correct me if I'm wrong. So they might have cyber-crime-mafia aspirations.
Politically this might also be an attack on Google, since they are trying to fuck with the internal workings of browsers, and Google produces the most popular browser. Though Google probably will not be affected by this type of law, because browsers are so complex that the possibilities for malicious compliance are basically infinite: they can abide by this law while at the same time technologically neutralizing it. I'm saying they can; I have no idea whether they will.
If this goes through, this will likely kill off the web as we know it. Not because of the tyrannical political abuse that this definitely will cause. Systems like this are like dams: once a small but critical breach happens and it can't be patched, it will erode the rest of the dam and all the water floods out. This will 100% become a third-party exploitable security hole that gets used by petty criminals. Once the browser has the functionality of turning off security checks, there will be endless ways to trigger this state. Not to forget the leaky official certificate authority getting compromised.
While the people who are doing this are most certainly evil bastards, and ought to be regarded as partaking in a criminal conspiracy to commit grave human privacy rights violations against potentially hundreds of millions of people, in the end this is also the result of a technical design failure: the web did not have to use trust-based certificate authorities; there are trustless systems that do not have this attack surface. This security design failure has probably already been present with CDNs (services that help reduce network load on a web server).
The most egregious part is perhaps the attempt at banning security features and mandating security holes. Why does the government try to make digital infrastructure more brittle? Systems are never too secure.
I don't know what the result will be, but my guess would be that the monolithic web that can do most online things, with the browser being the one application that grants access to all of that is probably going away, and will get replaced with lots of different stuff. In technology there definitely is a pendulum swinging back and forth between monolithic and dispersed system design. And we might just have reached monolithic peak and the pendulum will soon swing towards dispersion.
And the tech sector is probably going to learn a lesson about using static naming schemes that enable legal liabilities, and instead go for a rolling naming scheme for programs and features, with goofy words that one can't put into laws.
I find this endlessly frustrating. Maybe this can be stopped on the political level like all the horrors of similar nature that came before, or maybe it just gets circumvented by new tech, but the constant rat race is so annoying. Is there a political fix? Do we need new institutions? Will this situation improve with a generational shift of more tech-literacy entering political institutions?
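The mechanism the Situation section describes, and the kind of extra client-side check the post says browsers would be barred from applying, as an added Go example that is not part of the original post: two roots are constructed in memory (the root names, the host example.org and all helper functions are assumptions), plain chain validation accepts a leaf for the same hostname from either trusted root, while an out-of-band SPKI pin still tells the genuine leaf from the one signed by the second root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert makes a fresh P-256 key for tmpl and signs tmpl under parent (self-signed when signer is nil).
func mkCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	if signer == nil {
		signer = key // self-signed root: the subject key is also the signing key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above always parses
	return cert, key
}

// newRoot builds a self-signed CA of the kind a trust store could be required to accept (test data).
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return mkCert(tmpl, tmpl, nil)
}

// issue has a root sign a server certificate for host: any trusted root can do this for any name.
func issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	cert, _ := mkCert(tmpl, root, rootKey)
	return cert
}

// chainOK is plain path validation: it only asks whether some trusted root signed a chain for host.
func chainOK(leaf *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: recorded out of band, compared on every connection.
func spkiPin(c *x509.Certificate) [sha256.Size]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
```

With both roots in the pool, chainOK is true for both leaves and only the genuine leaf's spkiPin matches the recorded value; remove the second root from the pool and chain validation alone rejects its leaf again.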