Article 45

A significant proportion of publications covering the law specifically examine Article 45, so I've put more weight on it, since this seems to be the most historically significant provision of the law. DenverCoder19 (talk) 16:21, 4 November 2023 (UTC)

MITM Section inaccuracy

The section "Man-in-the-middle attacks and mass surveillance" has a very negative tone. It also makes various factually incorrect statements and engages in fearmongering. I have problems with the following:

- The term "EU Government". This sounds like the EU as an organization will be able to read, decrypt and perhaps re-encrypt HTTPS traffic, when it is in fact the national government that would be able to do that.

- The mention of the EU being able to "hack into any internet-enabled device" is too extreme and unsubstantiated by the sources provided. While yes, internet traffic could theoretically be intercepted and decrypted, that alone wouldn't allow "the EU" to "hack any internet-enabled device".

For this I am marking this section as disputed. Creekie (talk) 10:41, 9 November 2023 (UTC)

"Any EU government" refers unequivocally to any government in the EU. It's plural. This might be an American-European English split. In American English, "government" generally refers to the public sector as a whole, not the parliament or cabinet.
Yes, in fact it would allow any EU government to hack into the communications of any internet-enabled device. As long as a device is controlled by the internet, the packets can be intercepted and modified, as stated in the source. DenverCoder19 (talk) 01:23, 24 November 2023 (UTC)
The purpose of Qualified Web Authentication Certificates (QWACs) is to enhance the security and transparency of the Internet as trusted services. QWACs do not restrict browsers' own security policies, especially as Article 45 of the Identity Regulation leaves it up to them to maintain their own procedures and criteria in order to maintain and preserve the privacy of online communication using encryption and other proven methods.
The final version of the European Digital Identity Regulation has confirmed this fact. https://www.europarl.europa.eu/doceo/document/TA-9-2024-0117_EN.pdf
Recital 65 establishes that, for the purpose of enhancing online security for end-users, "providers of web browsers should, in exceptional circumstances, be able to take precautionary measures that are both necessary and proportionate in response to substantiated concerns regarding security breaches or the loss of integrity of an identified certificate or set of certificates."
Finally, the Commission's statement issued in the Parliament has made it clear that recognising QWACs does not impose obligations or restrictions on how web browsers establish encrypted connections with websites or authenticate the cryptographic keys. This stance does not impact browser security policies. (Statement by the Commission on Article 45 on the occasion of the adoption of Digital Identity Regulation).
QWACs enable website identification at a high level of assurance, attesting the link between the website domain name and the natural or legal person to whom the certificate is issued, and confirming the identity of that person. Providers of web browsers should then display the certified identity data and the other attested attributes to the end-user in a user-friendly manner in the browser environment. 158.169.40.25 (talk) 09:07, 9 April 2024 (UTC)
Just a warning to others: if it qwacs like the EC, and if it uses an EC IP, it might actually be an EC employee. See the next section or Wikipedia:Conflict of interest/Noticeboard#European Commision IP range for possible discussion on the wider issue of EC IP edits on Wikipedia. Boud (talk) 12:12, 30 September 2024 (UTC)

MITM Qualification

A user added "While the main language of that text..." If I'm reading this correctly, it suggests that web browsers will be able to detect a MITM. However, they will still be able to perform the MITM, which is what a wide range of organizations were concerned about.

Is there a third-party source that analyzes this assertion? The source appears to be a single organization and not a secondary source. DenverCoder19 (talk) 01:48, 2 December 2023 (UTC)

QWAC issuers will have to undergo constant monitoring by their auditors in addition to annual audits, plus annual evaluation by an independent Conformity Assessment Body, as well as monitoring and approval by a national Supervisory Body. It is difficult to imagine how in this scenario the use of QWACs should facilitate an undetected MITM attack. Please refer to the detailed statement elaborated by the European Signature Dialogue to correct misinformation on the topic. (4) Post | LinkedIn 158.169.40.25 (talk) 09:08, 9 April 2024 (UTC)
The suggestion that monitoring bodies will have the power to do anything is highly dubious speculation. After all, the European Commission, which you (158.169.40.25) appear to represent (see WP:COI for how to declare a paid or unpaid conflict of interest), is in violation of the European privacy protection law, as established by the European Data Protection Supervisor (EDPS), a regulatory agency of the European Union, and was given nine months to comply. Instead of complying, the EC and Microsoft have launched legal actions attacking the EDPS (exercise: find the sources).
There is no point providing a link to LinkedIn - that is a private link that many editors don't have access to, and it is a generally unreliable source. Boud (talk) 12:07, 30 September 2024 (UTC)

Inaccurate introduction

tl;dr eIDAS covers a variety of topics. The last paragraph of the intro about MITM and mass surveillance exclusively refers to QWAC and not other eIDAS features (judged by the references). So I propose moving it to the MITM section after addressing the following misunderstandings.

Misunderstanding of illegitimate certs and MITM

QWAC only regards Web communications, i.e., through a web browser: by mandating trust store maintainers (e.g., browsers) to accept trust anchors (root certificates) that might not comply with their rules, the browser is forced to trust any certificate signed by that trust anchor. So if an anchor (or any of its subordinate CAs) illegitimately issues a cert, e.g., for gmail.com (just as happened during the DigiNotar hack), the browser would accept it and show the padlock. To actively abuse this issue and impersonate a service with a fake certificate, packets to the legitimate service have to be redirected to a server that actually deploys the fake certificate, either through DNS spoofing or attacks such as BGP hijacking that can divert requests to the malicious server. So the claim that being able to issue certificates for any arbitrary domain name gives the power to intercept communication with servers under those names is plainly false. This, however, does not mean that the aforementioned attacks (e.g., by nation states) are infeasible.

Misunderstanding of communication over the Internet

The term "all internet messages" is vague. Messages over the Internet are transmitted over different protocols and are secured in different ways. Having a trust anchor in a browser trust store (as stated above) does not mean that it is going to be accepted as trustworthy in other settings. For example, the Signal App uses (or at least used to use) a self-signed certificate and pins it directly in the source code, so that the validation is independent of a trust store. The same goes for VPN communication, where authentication is not necessarily through Web PKI certificates. کاربر نامناسب (talk) 22:15, 18 October 2024 (UTC)
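The two points in the post above (a forced trust anchor makes a browser accept a mis-issued certificate; a client that pins its server key never consults the trust store) can be shown concretely. The following Go program is an added example written for this talk page; it is not code from any browser, from Signal, or from any eIDAS implementation. It uses only the standard library: it mints two self-signed roots, issues a certificate for gmail.com from each, and checks the rogue one against (1) a trust store holding only the legitimate root, (2) the same store after the second anchor is added, and (3) a client that compares the SHA-256 of the legitimate server's SubjectPublicKeyInfo and ignores the store. The CA names, the target host and the pin are constructed for the demonstration; the traffic redirection (DNS spoofing, BGP hijack) that the post says an attacker also needs is outside what a certificate check can model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that signs on its behalf.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// baseTemplate fills the fields every certificate in this demonstration needs.
func baseTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// mint generates a fresh key and has parent sign tmpl for it (self-signed when parent is nil).
func mint(tmpl *x509.Certificate, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demonstration code: any failure here is fatal
	}
	signer := &ca{cert: tmpl, key: key}
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// newRoot mints a self-signed root CA, the kind of object a trust store holds.
func newRoot(name string) *ca {
	t := baseTemplate(name, 1)
	t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	return mint(t, nil)
}

// issueLeaf signs a server certificate for dnsName; nothing asks whether the CA may do so.
func (c *ca) issueLeaf(dnsName string) *x509.Certificate {
	t := baseTemplate(dnsName, 2)
	t.DNSNames = []string{dnsName}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return mint(t, c).cert
}

// chainValid is the browser's padlock decision: does leaf chain to a root in store for host?
func chainValid(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// spkiPin hashes the SubjectPublicKeyInfo, the value a pinning client ships in its source.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// runScenario issues a legitimate and a rogue leaf for the same host and reports whether the
// rogue one passes the default store, the store with the extra anchor, and a pinning client.
func runScenario() (defaultStoreOK, mandatedStoreOK, pinnedClientOK bool) {
	const host = "gmail.com" // constructed example, the name used in the post
	legitRoot, rogueRoot := newRoot("Legit Root CA"), newRoot("Mandated Root CA")
	legitLeaf, rogueLeaf := legitRoot.issueLeaf(host), rogueRoot.issueLeaf(host)
	store := x509.NewCertPool()
	store.AddCert(legitRoot.cert)
	defaultStoreOK = chainValid(rogueLeaf, store, host)
	store.AddCert(rogueRoot.cert) // the browser is now obliged to trust this anchor
	mandatedStoreOK = chainValid(rogueLeaf, store, host)
	pinnedClientOK = spkiPin(rogueLeaf) == spkiPin(legitLeaf) // compare against the compiled-in pin
	return
}

func main() {
	a, b, c := runScenario()
	fmt.Println("rogue cert accepted by: default store", a, "| mandated store", b, "| pinned client", c)
}
```

The chain check is Go's own x509 verifier; a real browser layers Certificate Transparency, revocation and name-constraint checks on top, none of which the example models. The point it does make is the one the post makes: adding an anchor flips the store-based verdict without touching anything else, while a pinned client is unaffected because its decision never reads the store.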