- cross-posted to:
- hackernews@derp.foo
- cross-posted to:
- hackernews@derp.foo
EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…
A government could create a new certificate for any domain without having ownership of the domain or permission of the owner. This way they can perform Man-in-the-middle attacks.
In such an attack someone intercepts the traffic of a client and presents their own certificate.
Because a government can create a universally accepted certificate, thise would be accepted as valid. The traffic can then be decrypted and forwarded to the real website. The attacker is now between the client and the real host (the Man in the middle) and can view the unencrypted traffic.