In June 2021, the European Commission proposed to amend the Regulation on electronic identification and trust services (eIDAS). While the proposed amendment expressly aims to improve security and trust in the delivery of public services online, its provisions that would force compliance from web browsers are technically misguided and would result in anything but increased trust in the web –– not just for Europeans, but the rest of the world.
The intentions of the eIDAS amendment are to improve trust in web-based provision of European services in two main ways. First, the amendment would require browsers to recognise EU-designated certificate authorities (CAs) as more trustworthy than other CAs. Second, the amendment would require a long-since-abandoned approach to web security certificates that would make some certificates, e.g. EU-trusted certificates, appear to users as more trustworthy. Indicated as a special icon in the browser’s address bar, these qualified website authentication certificates (QWACs) are supposed to let the user know that a very high bar has been cleared with a qualified “trust service provider” (QTSP) by the website owner. But a global technical system underpins the web, and this proposal creates an exception that discredits the rule.
The most impactful improvement to trust in the web was making it easy for every website to allow users to securely connect to them with transport layer security (TLS). This ensures online transactions and account logins, among other things, are secure exchanges between the user and the website. Every secure exchange requires authentication, and users’ security depends on their ability to authenticate the websites that they visit. This can be done by inspecting the certificate of the website that has been issued by a CA. Massive web security gains have been achieved by strengthening the global technical system that makes TLS, CAs, and certificates ubiquitous. The proposed QWAC would be a new and special kind of certificate that would be issued by new and special intermediaries, the QTSPs, designed to work alongside the existing certificate system.
There are many substantive, technical, and procedural problems with these proposals. Along with other organisations, like EFF and ISOC, the Center for Democracy & Technology has identified a litany of issues with the proposed revision to eIDAS and has recommended the rejection of any measures that would “bypass existing security vetting practices in browsers.”
The first substantive technical problem is that the proposal misunderstands certificates as reliable agents of online trust, when in fact they are for verification of website identity only. Technically rigourous concepts like authentication, validity, and verification often get conflated with the sociocultural concept of trust. Unfortunately, plenty of malware is delivered securely. A certificate should be trusted by users to validate the identity of the website only, and stretching the purpose of QWACs would further confuse users about how much they should actually trust the web.
So what if some certificates could be considered more trustworthy than others? The existing certificate system already tried making different certificates. Domain validation can be issued by any certificate authority, and is the basic form of verifying to users a website owner’s identity. Extended validation can only be issued by special CAs, and verifies the legal identity of the website owner. QWACs issued by QTSPs just repeat something that’s been tried before.
Tiered trust doesn’t even work. Browser vendors have shown that users don’t notice the difference between certificate types, and years ago deprecated the distinct icons that display the difference. Ultimately, certificates are a tactic to achieve security through user behaviour, e.g., “don’t enter sensitive details unless you see the green lock!” So, if a user can’t tell the difference, then the difference doesn’t matter.
Not only will the eIDAS proposal fail to significantly improve web security for users in Europe, it will actually make it worse for everyone. QTSPs are still just a kind of CA, and would need to maintain the capacity to respond to security incidents involving the websites that they have validated, a function that has not been guaranteed to be proportional to the increased level of trust they are meant to represent. Furthermore, as web certificates are shown to users to positively reinforce behaviour with a green lock, it could be suggested by intermediary implementers, or mandated in future amendments, to use negative reinforcement by flagging certificates that aren’t QWACs.
Where Let’s Encrypt, a CA supported by the Internet Security Research Group (ISRG), hastened the adoption of web security measures by making certificates easy to obtain, eIDAS would slow adoption. The proposed changes would slow adoption of security certificates by providers because the requirements from QTSPs would be very high, just so all users could have a secure connection to that website. EIDAS would also impede the establishment of secure connections that users might make from devices, browsers, or applications that haven’t yet implemented the requirements of the eIDAS framework. Perhaps only a handful of large software companies will be fully compliant with the framework, yet all applications should be able to make secure connections with the TLS standard on behalf of users.
The proposed amendment also creates a precedent that authoritarian governments can cite to undermine security. Let’s take a real-world example of a disruption to the certificate system by a government: Kazakhstan keeps intercepting traffic between users and websites, even though the connection uses transport security. It does this by convincing users to trust a certificate authority that validates a false identity for popular websites. Usually, browsers are able to action these kinds of attacks by revoking the root certificate of “rogue” CAs. Yet, in the case of Kazakhstan, users are compelled to download those root certificates directly. While QTSPs aren’t “rogue,” the eIDAS revision would establish a precedent whereby browsers must comply with government security measures using the certificate system.
Given all of these technical problems, and risks introduced by the eIDAS revision, the EU digital identity framework fails at meeting the principle of proportionality.
It would be far better if the revision focussed on a parallel system of verification that does not rely on changes to the certificate system, certificate authority ecosystem, and applications, which all work well together merely to provide secure website connections. The details of TLS and web authentication should be left to the open, consensus-driven technical community rather than the government, which looks more like what China and Russia would propose.
To review, the latest proposed revision of eIDAS that — unless rejected — will harm web security and online trust in profound ways, the key points for EU lawmakers to remember are:
- Certificates are for verification, which shouldn’t be expanded to mean “trust”.
- Establishing a higher trust tier won’t improve user security.
- The proposed narrow changes will undermine security of the broader certificate system.
- Changes to the system would slow adoption of truly secure transport between websites and users.
- Giving select governments control over how browsers deliver secure websites to users fails to meet proportionality requirements.
- Allowing governments to dictate how software mitigates web-based attacks sets a dangerous precedent for digital authoritarianism.
- The technical community is best placed to make architectural decisions about internet and web security in multistakeholder, consensus-driven fora.
CDT welcomes improvements to online security models that strengthen the role of trusted intermediaries. The eIDAS revision, however, is a misguided policy that would force compliance with a technical solution that has proven not to benefit users, and would put the existing ecosystem of trust in the web at unnecessary risk for users around the world.