※ [本文轉錄自 Gossiping 看板 #1bJtYBwx ] 作者: skycat2216 (skycat2216) 看板: Gossiping 標題: [新聞] 歐盟打算監聽所有人的網路連線 時間: Sat Nov 11 20:50:17 2023 備註請放最後面 違者新聞文章刪除 1.媒體來源: The Register 2.記者署名: Thomas Claburn 3.完整新聞標題: Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections EFF warns incoming rules may return web 'to the dark ages of 2011' -----------簡單的說明:---------- 這算中國老早就做過的事 CNNIC發過這種證書，後來還買下其他證書發行商，導致CA開始不被信任 不過這次歐盟更狠，直接要求不得移除 4.完整新聞內文: Lawmakers in Europe are expected to adopt digital identity rules that civil soci ety groups say will make the internet less secure and open up citizens to online surveillance. The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initi al version of the digital identity and trust service rules. The rules cover thin gs like electronic signatures, time stamps, registered delivery services, and ce rtificates for website authentication. But one of the requirements of eIDAS 2.0 is that browser makers trust governme nt-approved Certificate Authorities (CA) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (E TSI). Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, o r QTSPs – would issue TLS certificates – Qualified Website Authentication Cert ificates, or QWACs – to websites. But browser makers, if they suspect or detect misuse – for example, traffic int erception – would not be allowed to take countermeasures by distrusting those c ertificates/QWACs or removing the root certificate of the associated CA/QTSP fro m their list of trusted root certificates. Put simply: In order to communicate securely using TLS encryption – the technol ogy that underpins your secure HTTPS connections – a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the web site presents a public portion of its CA-issued certificate to the browser, and the browser checks the cert was indeed issued by one of the CAs it trusts, using the CA's root certificate, and is correct for that site. If the certificate was issued by a known good CA, and all the details are correc t, then the site is trusted, and the browser will try to establish a secure, enc rypted connection with the website so that your activity with the site isn't vis ible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn't match the website's address, or some details are wrong, the browser will reject the website out of a concern that it's not connec ting to the actual website the user wants, and may be talking to an impersonator . Here's one problem: if a website is issued a certificate from one of those afore mentioned Euro-mandated government-backed CAs, that government can ask its frien dly CA for a copy of that certificate so that the government can impersonate the website – or ask for some other certificate browsers will trust and accept for the site. Thus, using a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allo wing the regime to monitor exactly what people are doing with that site at any t ime. The browser won't even be able to block the certificate. As Firefox maker Mozilla put it: This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, e ven those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to. How that compares to today's surveillance laws and powers isn't clear right now, but that's the basically what browser makers and others are worried about: gove rnment-controlled CAs being abused to issue certificates to websites that allow for interception. If an administration tried using a certificate not issued by a trusted CA, browsers would reject the cert and connection, hence Europe's desir e to make browser makers accept government-backed CAs. Certificates and the CAs that issue them are not always trustworthy and browser makers over the years have removed CA root certificates from CAs based in Turkey , France, China, Kazakhstan, and elsewhere when the issuing entity or an associa ted party was found to be intercepting web traffic. Many such problems have been documented in the past. An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers. Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA h as a government seal of approval. "Article 45 forbids browsers from enforcing modern security requirements on cert ain CAs without the approval of an EU member government," the Electronic Frontie r Foundation (EFF) warned on Tuesday. "Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cr yptographic keys under one government's control could be used to intercept HTTPS communication throughout the EU and beyond." The foundation added the rules "returns us to the dark ages of 2011, when certif icate authorities could collaborate with governments to spy on encrypted traffic — and get away with it." Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clari fy that Article 45 cannot be used to disallow browser trust decisions. "If this comes to pass it would enable any EU government or recognized third par ty country to begin intercepting web traffic and make it impossible to stop with out their permission," the letter warns. "There is no independent check or balan ce on this process described in the proposed text." In an email to The Register, a Mozilla representative added, "Mozilla is deeply concerned by the proposed legislation and is continuing to engage with key stak eholders in the final stages of the trilogue process. We are committed to securi ty and privacy on the Internet and have been heartened by the outpouring of supp ort from civil society groups, cyber security experts, academics, and the public at large on this issue. We are hopeful that this heightened scrutiny will motiv ate EU negotiators to change course and deliver regulation with suitable safegua rds." Google has also raised concerns about how Article 45 might be interpreted. "We a nd many past and present leaders in the international web community have signifi cant concerns about Article 45's impact on security," the Chrome security team argued, and urged EU lawmakers to revise the legal language. According security researcher Scott Helme, the latest regulatory language – whi ch has not been made public – is still problematic. The EFF says the legislative text "is subject to approval behind closed doors in Brussels on November 8." ® 5.完整新聞連結 (或短網址)不可用YAHOO、LINE、MSN等轉載媒體: https://www.theregister.com/2023/11/08/europe_eidas_browser/ 6.備註: CNNIC跟沃通：老鄉，你好，希望你比我們死的還慘 歐盟敢這麼做，我一定DDoS爆破他們伺服器，如果可以，我連他們的機密都要挖出來 這已經不是可以玩五樓哽的東西了，你能想像對岸監聽全世界的一切通訊嗎？ -- ※ 發信站: 批踢踢實業坊(ptt.cc), 來自: 111.82.109.225 (臺灣) ※ 文章網址: https://www.ptt.cc/bbs/Gossiping/M.1699707019.A.EBB.html*[m ※ 發信站: 批踢踢實業坊(ptt.cc) ※ 轉錄者: skycat2216 (111.82.109.225 臺灣), 11/11/2023 21:56:27 ※ 編輯: skycat2216 (111.82.109.225 臺灣), 11/11/2023 21:57:13 ※ 編輯: skycat2216 (111.82.109.225 臺灣), 11/11/2023 22:00:52 老哥，問題是有個東西叫MITM 所以才會有CA證書以驗證站點持有者 打個比方好了，我今天擁有A.com，找某家合法，受信任的CA買了證書簽了這個域名跟我的I P之間的聯繫， 當你連上來卻不知道我究竟是不是真的A.com，要求驗證我的合法性的時候 我只需要掏出這個證書，你就知道我一定有這個域名 但現在歐盟只需要自己簽一個A.com的證書，就能說這域名他有，騙你跟他建立加密連線， 然後轉頭跟我再建立加密連線 這中間那段已解密的時間歐盟就能看到一切資料 至於流量跟儲存, GFW同等級的設備大概就十來架F-16V的價錢，儲存也不需要全部儲存 ※ 編輯: skycat2216 (111.82.109.225 臺灣), 11/12/2023 02:22:23 ※ 編輯: skycat2216 (111.82.109.225 臺灣), 11/12/2023 02:31:20