
What if your HTTPS traffic was not secure?

During the last few years, the internet has become more private and secure as traffic is encrypted using SSL/TLS certificates. A certificate is used by the web server to prove its authenticity for a domain and to set up an encrypted channel to the browser. When the traffic is encrypted, no one between the visitor and the server can look at it and see what is being transmitted. Because of this technology, we can use online banking and healthcare services and communicate without prying eyes.

A certificate is data generated by a server administrator and digitally signed by a trusted third party. This third party is called a Certificate Authority (CA), and CAs operate under guidelines and laws. If a CA does not live up to the standard, it can quickly and easily be removed from our devices and browsers, and every certificate signed by that CA then loses its trust as well.

This technology is in place, trusted, and working without significant issues. 

Suppose I were a trusted CA. I could create and sign certificates for any website. These certificates could then be used to impersonate any site, without the visitors noticing. The green lock indicating a secure and trusted connection would still be there. I could sit in front of a website, pretending to be that website and proxying the traffic to the real one. The end user would not know, and I could see all the traffic between the user and the final website. This is called a man-in-the-middle attack. Luckily, no CA would create certificates in that way; if one did, it would quickly be out of business.
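The scenario above is exactly what certificate pinning is meant to catch: a client or monitoring tool records which root the site is expected to chain to and raises an alert when the presented chain ends somewhere else, even if that other root has been installed in the device's trust store. This is an added example, not code from the original post; the certificate records, fingerprints and the pinned root set are constructed stand-ins for what a real TLS handshake would provide.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate record (constructed for this example)."""
    subject: str
    issuer: str
    fingerprint: str  # hex SHA-256 of the DER encoding in real code


def fp(label: str) -> str:
    # Stand-in for hashing a real DER certificate (constructed).
    return hashlib.sha256(label.encode()).hexdigest()


# Assumption: the site operator keeps an allowlist of acceptable root
# fingerprints that is independent of the OS or browser trust store.
PINNED_ROOTS = {fp("Legit Root CA")}


def build_chain(leaf: Cert, pool: list[Cert]) -> list[Cert]:
    """Walk from the leaf to a self-signed root by matching issuer -> subject."""
    by_subject = {c.subject: c for c in pool}
    chain, seen = [leaf], {leaf.subject}
    while chain[-1].issuer != chain[-1].subject:  # stop at a self-signed root
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt.subject in seen:  # missing link or a loop
            raise ValueError(f"chain broken at issuer {chain[-1].issuer!r}")
        chain.append(nxt)
        seen.add(nxt.subject)
    return chain


def check_pin(leaf: Cert, pool: list[Cert], pinned: set[str]) -> tuple[bool, str]:
    """Return (ok, root subject); ok is False when the chain ends in an
    unpinned root, even one the local trust store would happily accept."""
    root = build_chain(leaf, pool)[-1]
    return root.fingerprint in pinned, root.subject


# Constructed sample chains: the genuine one, and one issued under a root
# that was pushed into the trust store so an interception proxy can sign.
LEGIT = [
    Cert("example.com", "Legit Intermediate", fp("leaf-1")),
    Cert("Legit Intermediate", "Legit Root CA", fp("int-1")),
    Cert("Legit Root CA", "Legit Root CA", fp("Legit Root CA")),
]
ROGUE = [
    Cert("example.com", "Rogue Intermediate", fp("leaf-2")),
    Cert("Rogue Intermediate", "Mandated Root CA", fp("int-2")),
    Cert("Mandated Root CA", "Mandated Root CA", fp("Mandated Root CA")),
]

if __name__ == "__main__":
    for chain in (LEGIT, ROGUE):
        ok, root = check_pin(chain[0], chain, PINNED_ROOTS)
        print(f"{root}: {'ok' if ok else 'ALERT: unpinned root, possible interception'}")
```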

But there have historically been attempts to do this in parts of the world. Back in 2019, the government of Kazakhstan tried to have its citizens install a root certificate on their devices, making the government a trusted CA. Had it succeeded, it could have performed a man-in-the-middle attack and spied on its citizens. There have also been similar attempts in Mauritius.

The EU has a regulation called eIDAS that governs electronic identification and authentication. This regulation has been under revision for a few years, and the new, updated version is, as I write this, about to be submitted for a vote in the parliament. There are many improvements and good things in the new proposal. But, as so often, the devil is in the details.

As the draft is currently written, it is unclear what the certificate requirements will be. It could be read as the EU wanting to control which certificates its citizens trust or do not trust. It could also mean that the EU, or any member state, would have the right to introduce root certificates that every web browser in the EU would be required to trust. With a root certificate like that in place, generating seemingly valid certificates for any website and placing oneself as the man in the middle would be possible. So, is the EU trying to do what Mauritius and Kazakhstan failed to do, or are the lawmakers simply unaware of what they are about to do?

This new regulation is not good precisely because it is unclear. When dealing with trust, security, and the potential impact on private life, we must be clear about what is what. Scientists and privacy organizations have raised these issues, but so far without success. The group drafting the proposal has chosen to ignore the criticism.

It is now time for you to reach out to the elected representatives from your country. Tell them about the dangers of this proposal and that they need to vote against it! There is still time to stop this catastrophe before it happens.