Mozilla: Report raises concerns over potential cybersecurity threat within the EU’s digital identity framework

Leading security experts have expressed concerns over the proposed revision of Article 45.2 of the eIDAS regulation by the European Union (EU), citing potential risks to web authentication and encryption standards. A new report, produced by the Economist Impact Studios for Mozilla and the #SecurityRiskAhead campaign, includes findings from global experts from both industry and civil society.

The report finds that Article 45.2 could weaken cybersecurity for web users, leaving them vulnerable to state surveillance and targeted interception of internet traffic. The law could effectively bypass existing security checks, because browsers would be mandated to trust EU-designed Qualified Web Authentication Certificates (QWACs). QWACs are not available for free and have weaker security properties than the certificates most commonly trusted by browsers today.

Joseph Lorenzo Hall, Senior Vice President for Strong Internet at the Internet Society, emphasized that web security is constantly evolving and adapting, and by putting it into legislation, the proposed revision does not take into account the dynamic nature of security threats. “By bolting an exception mechanism on for EU government trusted entities, browsers will be forbidden, for example, from revoking trust for certain things. This means that you could have a group of websites online that are being spoofed or being eavesdropped upon by some compromised EU-anointed authority. And we are handcuffed and cannot do things that we would normally do very quickly to protect the people of the internet.”

Marshall Erwin, Vice President and Chief Security Officer at Mozilla Corporation, said: “The real problem with Article 45.2 of eIDAS is it’s going to set a precedent that regimes around the globe are going to follow – and as a result not only undermine web encryption in general, but then also put dissidents, and journalists, at immediate risk.”

Arvid Vermote, Worldwide Chief Information Security Officer at GlobalSign, a Certificate Authority, highlighted the risk of having 30 additional supervisory bodies that can define a company as globally trusted, up from just four. “For me, that would be an astronomical problem,” he said, as the compromise of any one of them could allow targeted interception of internet traffic.

Echoing the other interviewees, Scott Helme, an authentication and security researcher, pointed to the importance of having free certificates, which “have been fundamental in completely transitioning web security.”

PRNewswire
