What the fuck is EU doing? Why are they trying so hard to participate in the enshitification effort?
this post was submitted on 10 Nov 2023
510 points (98.7% liked)
Technology
67825 readers
4742 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Personal ID cards have certificates on them issued by the government. These certificates can be used for anything from digitally signing documents to logging in to government web sites without having yet another user/pass. So far situations was a nightmare.
Government provided tools and plugins for browsers to support logging in and signing, but it's been a shitshow when it comes to support. Pretty much only Windows and only certain versions of it and even then it worked half of the time. You had to install certificate manually and trust, etc. Am assuming this is to make sure these services work but also so they can issue certificates for their own web sites.
Personal digital certificate sounds like an awesome concept. Too bad the implementation seems so narrow-minded. Typical beaureaucrats.
They want to make all the decisions but are also mad that the IT guy presentation is taking to long and isn’t using simpler language
My country has half-assed implementation but in general it has been great. For any signing I can just shove my personal id, enter pin and document is cryptographically signed. No alteration possible. And since government is the issuer of the certificate, no one can fake it. We have our e-government thing also, where you can do a lot of things, from checking your kids grades in school to theoretically handling all of the documentation you might need. Personal id is used to login into that service. Shove a card, enter pin and you are there. No sign up, remember password, etc. I have even set up, at one point, login into my computer using my personal id, out of curiosity as it held no other benefit. Had to add that root certificate to my machine though.
Sadly it all sounds great on paper, but execution is lacking. Some things still require pen and paper and it's annoying, but we'll get there. That's why my assumption is governments wanting to push for easier integration. Then all you'd need was card reader and a browser. Which also the reason why I don't think they are trying to push this idea for nefarious purposes. People download and install government software without thinking or double-checking all the time. Adding certificate through any installation wouldn't be much of a challenge.
load more comments
(1 replies)
Great and in 2 -3 years we find out, that someone has actively abused this security hole for years and stole whatever master key is required, to create their own fake government CA and has been spying on everyone for years. Or political opposition was imprisoned before they could act. Best is, such man in the middle attacks allow for all sorts of things, including putting fake evidence on your computer.
Oh yes, no one would ever do that every, totally never happened and won't. Nazis will also never come back. What, they soon are the biggest party in Germany, in other countries too? And will dictate rules in the EU? No one could see that happening...
Where there's honey, there will be bears.
I just hope we can create a browser plugin to deny gov CAs automatically or a browser from outside EU to block that shit. ...until your ISP is forced by law to block traffic from these.
One step closer to a great EU firewall and it sucks. Good old salami tactics. Because at some point it doesn't even matter if there are ways to mitigate this spying, if the alternative are so complicated and uncomfortable to use, that 99,999% of the people won't bother.
Commercial CAs are not that better either
Companies always have a name and money to lose and are a hurdle for overreaching hands. The government has no reputation nor money to lose and a simple agreement opens all doors if it's already government owned. A big difference to me personally.
The government should only ever own things that would fail or be worse, if in public hands. Like infrastructure for instance.
Absolutely don't agree that companies are more trustworthy than governments.
My guess is that you have an awful government in your home country, but not here. And yes that could change, but they are at least voteable.
Companies are NEVER your friend.
load more comments
(2 replies)
load more comments
(1 replies)
Can someone tldr about the issue? I'm dumb?
Me too. This video helped a lot: https://www.youtube.com/watch?v=T4Df5_cojAs
load more comments
(1 replies)
load more comments
(7 replies)
This is really bad. This is the EU taking a page out of the books of Russia, Iran, and the PRC by implementing website blocking and government-issued CAs. Europeans could be at real risk in the event of a democratic backslide.
That's usually my way to evaluate if a government should have a power. I ask myself if the other side were in charge and had this power, would it be really bad? If the answer is yes, more than likely the government shouldn't have that power.
Congrats, you are smarter than most people talking about regulations.
load more comments
(1 replies)
You know, they are not being autocratic, it's for people's own good, to protect children and other "random bullshit go!" things.
Unless we act, we're doomed. This is the new "nobles and clergymen", only it's "riches and beurocrats".
Capitalism is just feudalism in new clothes. 😓
Serfs in Gucci belts.
Ah, who am I kidding? Serfs had a far better work/life balance than most people in the developed world today. They had to use regular belts, though, which is embarrassing.
The reason they had more days off wasn't so they could watch Netflix it was because to survive they needed to do a lot of long and heavy chores.
If you want to live the life of an illiterate subsistance farmer wearing rough jute clothes and drinking nasty ale made with dirty water and reed sugar then you can just do that.
load more comments
(6 replies)
What a fucking nightmare. And I thought the US was bad about trying to encroach more on privacy.
load more comments
(12 replies)
Where and how do we complain? This is really bad...
Oh HELL NO
Jesus, this is not about spaying. This is because browsers have history of sucking at trusting new certificate authorities.
In Spain you get private certificate on your ID. You can use this ID to sing documents and access government pages. Those certificates are signed and provided by the government institution responsible for printing money (Royal Mint). It took them like 10 years to get the root cert added to the main browsers so that people could authenticate using those certs on government pages. It still doesn't work very well and I have to manually trust certs on Linux. I think I don't have to explain why being able to identify yourself on govt pages would be great.
What's the security risk here? People really think that the Spanish spy agency would request certs signed by the Royal Mint for 3rd party domain and use those for MITM attack? When they are caught this would raise huuuuge stink, Spanish govt certs would get banned and Royal Mint would lose all credibility. I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.
I'm not saying they are definitely not stupid enough to try it but they would only be able to do it once.
They will the be caught and they will do it again and again. Normies they don't give a fuck about privacy or certificates.
This isn't it. You can use a separate CA for identification and for websites (TLS). If this were the problem, they could use any existing CA for their websites and their own for identifying the user - since that doesn't involve the browser trusting the ID CA.
See RFC 5280, Section 4.2.1.3, Key Usage: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3
I guess you're right. Maybe it is about spying after all.
When it comes to regulations, intent doesn’t matter when they enable abuse of power.
I don’t give a fuck if this is not aimed at spying. It trivially allows it, and that’s what matters.
Whatever their "intent" it fucking dumb and an invasion of privacy with no real justification. Governments don't need to see what I'm doing on the internet.
load more comments
(3 replies)
knowing that EU commission is full of IT "campers" waiting to reimburse their mortgage and they will probably outsource the work to india (despite being forbidden), i am not really fond of the idea.
"camper"?
Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).
You gotta love confident statements that don’t stand to scrutiny.
DNSSEC keys are signed in the same recursive manner SSL certificates are. If I, as a government, block your access to root servers and provide you my own servers, I can spoof anything I want. It’s literally the same bloody problem.
Chain of trust doesn’t disappear just because you use a new acronym.
DNSSEC keys are signed in the same recursive manner SSL certificates are.
That's why I said there is already there is already distributed PKI.
Chain of trust doesn’t disappear just because you use a new acronym.
The thing with SSL, for you, as a government, one of 142 root certificates is enough to spoof on any domain, while DNS has only one root certificate and good luck getting that. And if you don't trust DNS, then who you even trust then? DNS is how major CAs check if you really own that domain. Because, you know, domains are part of DNS. Shocking, I know.
Or you can use public keys as addresses somewhere like I2P.
load more comments
(2 replies)
view more: next ›