{"id":68528,"date":"2022-03-03T13:44:08","date_gmt":"2022-03-03T21:44:08","guid":{"rendered":"https:\/\/blog.mozilla.org\/?p=68528"},"modified":"2022-03-03T13:44:10","modified_gmt":"2022-03-03T21:44:10","slug":"mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/","title":{"rendered":"The website security ecosystem protects individuals against fraud and state-sponsored surveillance. Let\u2019s not break it."},"content":{"rendered":"\n<p>Principle four of the <a href=\"https:\/\/www.mozilla.org\/en-US\/about\/manifesto\/\">Mozilla Manifesto<\/a> states that \u201cIndividuals\u2019 security and privacy on the internet are fundamental and must not be treated as optional.\u201d We\u2019ve made real progress on improving security on the Internet, but unfortunately, a draft law under discussion in the EU \u2013 the eIDAS Regulation \u2013 threatens to reverse that progress. Mozilla and many others have been raising the alarm in the last few months. Today, leading cybersecurity experts are weighing in too, in an <a href=\"https:\/\/www.eff.org\/document\/eidas-letter-2022\">open letter<\/a> to EU lawmakers that warns of the risks that eIDAS represents to web security.<\/p>\n\n\n\n<p>Website certificates sit at the heart of web security. When you make a connection to a web site, say \u201cmozilla.org\u201d, that connection is protected with <a href=\"https:\/\/datatracker.ietf.org\/doc\/html\/rfc8446\">TLS<\/a>, but TLS only protects the connection itself; each server has a certificate which ensures that the server on the other end is \u201cmozilla.org\u201d and not an attacker impersonating Mozilla. 
Certificates are issued by Certificate Authorities (CAs), who are responsible for verifying that a given entity controls the site in question.<\/p>\n\n\n\n<p>A malicious CA \u2014 or just one which did not have secure practices \u2014 could issue incorrect certificates, which attackers could then use to intercept people\u2019s connections and steal their data. In order to ensure that CAs are held to high standards, each <a href=\"https:\/\/www.apple.com\/certificateauthority\/ca_program.html\">major<\/a> <a href=\"https:\/\/docs.microsoft.com\/en-us\/security\/trusted-root\/program-requirements\">browser<\/a> and <a href=\"https:\/\/chromium.googlesource.com\/chromiumos\/docs\/+\/HEAD\/ca_certs.md\">operating system<\/a> maintains its own \u201cRoot Program,\u201d which is responsible for vetting CAs to ensure that they have acceptable issuance practices, and, where necessary, <a href=\"https:\/\/blog.mozilla.org\/security\/2018\/03\/12\/distrust-symantec-tls-certificates\/\">removing<\/a> <a href=\"https:\/\/blog.mozilla.org\/security\/2011\/08\/29\/fraudulent-google-com-certificate\/\">CAs<\/a> who do not adhere to those practices. For 18 years, Mozilla has operated its Root Program in the open, with published practices, and each proposed CA is considered on a public mailing list, ensuring that any stakeholder can be heard.<\/p>\n\n\n\n<p><a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/library\/trusted-and-secure-european-e-id-regulation\">Proposed EU legislation<\/a> threatens to disrupt this balance. Article 45.2 of the eIDAS Regulation mandates support for a new kind of certificate called a Qualified Website Authentication Certificate (QWAC). Under this regulation, QWACs would be issued by Trust Service Providers (another name for CAs), with those TSPs being approved not by the browsers but rather by the governments of individual EU member states. 
Browsers would be required to trust certificates issued by those TSPs regardless of whether they would meet Root Program security requirements, and without any way to remove misbehaving CAs.<\/p>\n\n\n\n<p>This change would weaken the security of the web by preventing browsers from protecting their users from the security risks \u2013 such as identity theft and financial fraud \u2013 that a misbehaving CA can expose them to. Worse, compelled inclusion of CAs in our root program would set a precedent for action by repressive regimes. We have already seen state actors (such as Kazakhstan) try to ramp up their surveillance capacities by forcing browsers to automatically trust their CAs \u2014 a dangerous practice that browsers and civil society organizations have <a href=\"https:\/\/blog.mozilla.org\/netpolicy\/2020\/12\/18\/kazakhstan-root-2020\/\">successfully resisted so far<\/a>, but if we set the precedent that web browsers can\u2019t hold CAs to appropriate security standards, that could change quickly.<\/p>\n\n\n\n<p>Technical experts at <a href=\"https:\/\/www.internetsociety.org\/resources\/doc\/2021\/internet-impact-brief-mandated-browser-root-certificates-in-the-eu-eidas-regulation\/\">Mozilla, the Internet Society<\/a>, the <a href=\"https:\/\/www.eff.org\/deeplinks\/2022\/02\/what-duck-why-eu-proposal-require-qwacs-will-hurt-internet-security\">Electronic Frontier Foundation<\/a>, as well as European <a href=\"https:\/\/epicenter.works\/document\/3865\">civil society<\/a> <a href=\"https:\/\/www.beuc.eu\/publications\/beuc-x-2022-016_eidas_position_paper.pdf\">organisations<\/a> have all spoken out about how these requirements would be bad for the web. Today, Mozilla and the EFF are publishing a <a href=\"https:\/\/www.eff.org\/document\/eidas-letter-2022\">letter<\/a> signed by 38 cybersecurity experts about the danger of Article 45.2 to web security and recommendations for how lawmakers can avoid those dangers. 
The letter demonstrates that the cybersecurity community believes this provision is a threat to web security, creating more problems than it solves.&nbsp;&nbsp;&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Principle four of the Mozilla Manifesto states that \u201cIndividuals\u2019 security and privacy on the internet are fundamental and must not be treated as optional.\u201d We\u2019ve made real progress on improving security on the Internet, but unfortunately, a draft law under discussion in the EU \u2013 the eIDAS Regulation \u2013 threatens to reverse that progress. Mozilla [&hellip;]<\/p>\n","protected":false},"author":1590,"featured_media":68529,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30710,290364,463312,5],"tags":[283198,4708],"coauthors":[320790],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Mozilla and the EFF publish letter about the danger of Article 45.2<\/title>\n<meta name=\"description\" content=\"Technical experts at Mozilla and many other organizations have all spoken out about how these requirements would be bad for the web.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/\",\"url\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/\",\"name\":\"Mozilla and the EFF publish letter about the danger of Article 45.2\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg\",\"datePublished\":\"2022-03-03T21:44:08+00:00\",\"dateModified\":\"2022-03-03T21:44:10+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722\"},\"description\":\"Technical experts at Mozilla and many other organizations have all spoken out about how these requirements would be bad for the 
web.\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage\",\"url\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg\",\"contentUrl\":\"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg\",\"width\":1920,\"height\":1080,\"caption\":\"Abstract digital pattern with pink binary symbols on dark purple background\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The website security ecosystem protects individuals against fraud and state-sponsored surveillance. 
Let\u2019s not break it.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/en\/\",\"name\":\"The Mozilla Blog\",\"description\":\"News and Updates about Mozilla\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722\",\"name\":\"Eric Rescorla\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/1a9b13dd968f9eaf49e0a37dc8195326\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g\",\"caption\":\"Eric Rescorla\"},\"description\":\"Eric is CTO of the Firefox team at Mozilla.\",\"url\":\"https:\/\/blog.mozilla.org\/en\/author\/ekrmozilla-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Mozilla and the EFF publish letter about the danger of Article 45.2","description":"Technical experts at Mozilla and many other organizations have all spoken out about how these requirements would be bad for the web.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/","url":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/","name":"Mozilla and the EFF publish letter about the danger of Article 45.2","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg","datePublished":"2022-03-03T21:44:08+00:00","dateModified":"2022-03-03T21:44:10+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722"},"description":"Technical experts at Mozilla and many other organizations have all spoken out about how these requirements would be bad for the 
web.","breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#primaryimage","url":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg","contentUrl":"https:\/\/blog.mozilla.org\/wp-content\/blogs.dir\/278\/files\/2022\/03\/fx_blog_header_editorial_privacy_002_1920x1080.jpg","width":1920,"height":1080,"caption":"Abstract digital pattern with pink binary symbols on dark purple background"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/en\/mozilla\/mozilla-eff-cybersecurity-experts-publish-letter-on-dangers-of-article-452-eidas-regulation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/en\/"},{"@type":"ListItem","position":2,"name":"The website security ecosystem protects individuals against fraud and state-sponsored surveillance. 
Let\u2019s not break it."}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/en\/#website","url":"https:\/\/blog.mozilla.org\/en\/","name":"The Mozilla Blog","description":"News and Updates about Mozilla","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/en\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/d7c6be5f71d0f9fe53dbf12167ba6722","name":"Eric Rescorla","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/en\/#\/schema\/person\/image\/1a9b13dd968f9eaf49e0a37dc8195326","url":"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e5f9acbf6d67bc10e02f6289a4afd588?s=96&d=mm&r=g","caption":"Eric Rescorla"},"description":"Eric is CTO of the Firefox team at Mozilla.","url":"https:\/\/blog.mozilla.org\/en\/author\/ekrmozilla-com\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/68528"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/users\/1590"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/comments?post=68528"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/posts\/68528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media\/68529"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/media?parent=68528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/categories?post=68528"},{"taxonomy":
"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/tags?post=68528"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/en\/wp-json\/wp\/v2\/coauthors?post=68528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}