this post was submitted on 10 Nov 2023
517 points (98.7% liked)

Technology

59080 readers
4184 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L3s@fry.gs
L4s@fry.gs
L4s@lemmy.world
enu@lemmy.world
517
EU Article 45 requires that browsers trust certificate authorities appointed by governments (www.eff.org)
submitted 1 year ago by L4s@lemmy.world to c/technology@lemmy.world
108 comments fedilink hide all child comments
 

EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from...

you are viewing a single comment's thread
view the rest of the comments
[–] uis@lemmy.world 4 points 11 months ago (1 children)

Can we at least admit that requiring CAs is not how ecryption in Internet should work? Just FYI there is already distributed public key infrastructure: DNS(DNSSEC).

[–] Slotos@feddit.nl 2 points 11 months ago (1 children)

You gotta love confident statements that don’t stand to scrutiny.

DNSSEC keys are signed in the same recursive manner SSL certificates are. If I, as a government, block your access to root servers and provide you my own servers, I can spoof anything I want. It’s literally the same bloody problem.

Chain of trust doesn’t disappear just because you use a new acronym.

[–] uis@lemmy.world 2 points 11 months ago (1 children)

DNSSEC keys are signed in the same recursive manner SSL certificates are.

That's why I said there is already there is already distributed PKI.

Chain of trust doesn’t disappear just because you use a new acronym.

The thing with SSL, for you, as a government, one of 142 root certificates is enough to spoof on any domain, while DNS has only one root certificate and good luck getting that. And if you don't trust DNS, then who you even trust then? DNS is how major CAs check if you really own that domain. Because, you know, domains are part of DNS. Shocking, I know.

Or you can use public keys as addresses somewhere like I2P.

[–] Slotos@feddit.nl 1 points 11 months ago (1 children)

I described a route to spoof DNS root authority that Russia and China can use already. Single root is not an advantage, it’s merely a different kind of implementation with different attack vectors.

When it comes to security, it is better to have multiple different implementations coalesce at a point of service delivery, than have a single source of truth. If everything is delivered via DNS, there’s your tasty target for a capable adversary. If there are multiple verification mechanisms, it’s easier to tailor an attack for a specific target.

I want cryptographic infrastructure I rely on to be the last resort for anyone capable of dealing with it.

[–] uis@lemmy.world 1 points 11 months ago* (last edited 11 months ago)

I described a route to spoof DNS root authority that Russia and China can use already.

This is not what they are doing. They cannot spoof root authority because they don't have private keys. They send unsigned replies which clients with DNSSEC will reject and client without will show blocked banner. Unless client uses DNSCrypt.

If everything is delivered via DNS, there’s your tasty target for a capable adversary.

As I said this news again brought up problem of CAs capable of signing any certificate in any domain. You need only one of 142 private to spoof any certificate. And as I already said, CAs already need to trust DNS. So right now we are in position, where we should trust that DNS and all 142 CAs aren't lying. If any of those 143 enities lie, all that (in)security breaks.