Earlier this year the European Commission unveiled its proposed ‘Digital Identity Framework’, a revision of the 2014 eIDAS regulation. While the draft law includes many welcome provisions on the security and interoperability of digital ID, it also contains a set of provisions that, if adopted, would do fundamental damage to the website security ecosystem. Our new position paper spells out the risks of forcing browsers to accept a class of website certificate known as Qualified Web Authentication Certificates (QWACs), and offers recommendations to the lawmakers in the European Parliament and EU Council who are currently amending the draft.
Web browsers are the key user agents of the modern digital world. A browser helps people reach the sites and services they want to use, and it protects them while they are there. One of the most important of those protections is website authentication. When a person visits Europa.eu, the browser must reliably establish that the site it has connected to is controlled by the owner of the domain ‘Europa.eu’, and not by an attacker on the network impersonating the European Commission. In practice the browser does this by validating the certificate the site presents: the certificate must name the domain being visited and must chain to a certificate authority (CA) in the browser’s root store. Absent that assurance, users might send passwords, personal details and other sensitive information to the wrong party, exposing them to identity theft, fraud and other privacy harms.
An insecure website authentication ecosystem would cause significant harm, both online and off. Put simply, the trust that website authentication provides, and the ecosystem that underpins it, are essential to the Digital Single Market and to e-government, and to protecting the public-interest work of journalists, politicians and human rights defenders.
Unfortunately, the draft eIDAS revision would undermine years of progress in this space. In a nutshell, the revised Article 45 would oblige browsers to accept QWACs regardless of their own ‘root store’ policies, suspending the requirements that are essential for maintaining trust and security online. These rigorous, independent policies and vetting practices decide which certificate authorities a browser trusts; they underpin a system of online trust that is exercised every second of every day, and that is fundamental to the online security of everyone who uses a browser to navigate the web.
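To make the root-store mechanism described above concrete, the following script is an added example written for this page; it is not code from Mozilla or from the position paper. It assumes an openssl command-line tool (1.1.1 or later) and uses illustrative names: Root A stands for a CA admitted to a browser’s root store after vetting, Root B for an issuer the store has not admitted, and example.test for a site whose certificate Root B issued. The check a browser performs before showing a page (does the certificate chain to a trusted root, and does it name the host?) is modelled by the browser_accepts function, and the script shows that the only thing separating “rejected” from “accepted” is whether Root B is in the store. That is exactly what a rule compelling browsers to accept a class of certificates amounts to: compelled entries in the root store.

```shell
#!/bin/sh
# Added example, not from the Mozilla post. Assumes an openssl CLI >= 1.1.1.
# Root A / Root B / example.test are illustrative names chosen for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so certificate extensions do not depend on the
# system's default openssl.cnf (a CA must carry CA:TRUE to be usable as a root).
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# make_root KEYFILE CERTFILE CN: issue a self-signed root CA certificate.
make_root() {
    openssl req -x509 -config ca.cnf -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
}

make_root rootA.key rootA.pem "Root A"   # admitted to the root store after vetting
make_root rootB.key rootB.pem "Root B"   # NOT admitted to the root store

# A website certificate for example.test, issued by Root B.
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA rootB.pem -CAkey rootB.key -CAcreateserial \
    -days 90 -extfile ca.cnf -extensions v3_leaf -out leaf.pem >/dev/null 2>&1

# browser_accepts HOST CERT ROOT...: the decision a browser makes before showing
# a page. Returns 0 when CERT chains to one of the ROOT files (the "root store")
# and carries HOST in its subjectAltName; returns 1 otherwise.
browser_accepts() {
    host=$1
    cert=$2
    shift 2
    cat "$@" > "$WORK/store.pem"
    if openssl verify -CAfile "$WORK/store.pem" -verify_hostname "$host" "$cert" \
        >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# Store {A}: the issuer of the site's certificate is not trusted, so the
# browser refuses the connection as a possible impersonation.
if browser_accepts example.test leaf.pem rootA.pem; then
    echo "store {A}: accepted"
else
    echo "store {A}: rejected (issuer Root B is not in the root store)"
fi

# Store {A,B}: nothing about the certificate changed; adding Root B to the
# store is all it took for the same certificate to be accepted.
if browser_accepts example.test leaf.pem rootA.pem rootB.pem; then
    echo "store {A,B}: accepted (Root B was added to the root store)"
fi

# Even with Root B trusted, the name check still rejects a certificate that
# does not name the host being visited.
if browser_accepts evil.test leaf.pem rootA.pem rootB.pem; then
    echo "store {A,B}, host evil.test: accepted"
else
    echo "store {A,B}, host evil.test: rejected (name mismatch)"
fi
```

The three outcomes are the whole point: the certificate and the site never change, and the result is decided entirely by which roots the browser has chosen to trust. A root program’s policies are the process by which that choice is made; a law that obliges browsers to accept certificates from designated issuers replaces that process with the second case above.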
At the same time, QWACs themselves rest on a flawed certificate model that is ill-suited to the security risks users face online today. In the years since the original eIDAS regulation was adopted in 2014, a growing body of research has shown how the model on which QWACs are based, extended validation (EV) certificates, lulls people into a false sense of security that is often exploited for malicious purposes such as phishing and domain impersonation. For that reason, since 2019 no major browser displays an EV-specific indicator in the URL address bar.
As such, should the revised Article 45 be adopted as drafted, Mozilla would no longer be able to honour the security commitments we make to the hundreds of millions of people who use Firefox or any of the other browser and email products that rely on Mozilla’s Root Program. It would amount to an unprecedented weakening of the website security ecosystem, and would undercut the browser community’s ability to push back when authoritarian regimes interfere with fundamental rights (see here and here for two recent examples).
Fortunately, there is still time to fix the problems this proposal creates, and our position paper sets out recommendations for how lawmakers in the European Parliament and EU Council can amend the relevant provisions. As the discussions on the eIDAS revision heat up in the EU institutions, we will be engaging intensively with lawmakers and the broader community to protect trust and security on the web.