Who will gain control of Internet security in Europe?

This Article was republished from The Conversation (fr) by Maryline Laurent, professor, director of the RST department at Telecom SudParis, co-founder of the VP-IP IMT Chair and Montassar Naghmouchi, PhD student in Blockchain at Telecom SudParis – Institut Mines-Télécom.

While browsing the internet, there’s a good chance you've come across the message “warning: potential security risk” alerting you that your browser does not trust the site you are trying to visit. Over the course of its interactions, your browser verifies a website’s authenticity by checking the validity of the electronic certificate presented, based on the expertise of the certification authority that issued and signed the electronic certificate. If the authority is not registered in the browser’s certificate store or is registered but not identified as “trusted”, the certificate is considered invalid, and a warning message is sent.

Certification authorities are responsible for certifying the identity of websites and any entity in general. It does so by issuing an electronic certificate. It therefore decides which entities on the Internet can be automatically recognized as trusted by browsers.

One authority can certify another, which naturally creates a hierarchy. The top authority is called a “root authority” or “trust anchor”, reflecting the vital role they play in organizing online security.

The extensive powers of certification authorities

Whoever gains control of a root certificate authority can also control internet security. They have the power to decide if a certain company or server can be raised from being completely unknown online to gaining fully recognized, trusted status for billions of browsers. This just shows the level of power involved. Worse yet, the authority can astoundingly create fake certificates and start intercepting a person’s email messages or social media feeds without them knowing it.

It’s no wonder that hundreds of researchers and digital companies are up in arms over article 45 of the eIDAS 2.0 regulation, currently under revision, which calls for “the establishment of a framework for European digital identity,” imposing the direct recognition of root certification authorities chosen by Member States. This article, which allows Member States to impose their own root certification authorities, significantly increases the power of these States over the security of Internet communications. This does not come as good news for European citizens who fear increased surveillance or for the economically well-established big American companies who wish to avoid any reshuffling of the cards.

Over 500 researchers and scientists from 42 different countries (including myself) and numerous non-governmental organizations signed an open letter to Members of the European Parliament and Member States of the Council of the European Union in November 2023. American companies, including Mozilla and CloudFlare, were quick to respond by issuing a joint statement addressed to decision-makers in European bodies.

A move towards increased cyber-surveillance?

To be integrated into a browser, a certificate authority must meet the criteria of all four major programs, Microsoft, Apple, Google, and Mozilla, which hold 94% of the market share for web browsers. These programs are highly coordinated with each other.

Hundreds of root authorities are now registered in browsers.

This is a very coveted position given the benefits for the operating companies, which gain powers similar to that of a license to print money, except that in this case they generate and market electronic certificates (the price of a certificate varies between 8 and 1,000 dollars per year) and that they are essential for any client organization that wants their electronic certificate to be trusted by browsers.

The electronic certification market is concentrated among a handful of key players, most of them American. To be precise, six certificate authorities share 99.9% of web certificates worldwide, five of which are American (January 2024 figures).

Apart from the economic aspect, possessing a root certification authority is a strategic move for governments because it gives them technological means that facilitate the surveillance of citizens. They gain the capacity to generate a fake certificate for any domain, such as “google.com”. This type of certificate is considered to be a “fake” since it is not legally generated for the domain in question. The browser operated by the person under surveillance then accepts this certificate without hesitation since the certificate’s issuing authority is included on the browser’s list of trusted authorities. This is made possible by the controversial article 45. The government is therefore able to introduce a spy server that intercepts the browser and server (such as Google) to relay and decrypt streams on the fly. Neither the browser nor the user can detect this interception and the government gains access to all the user’s communications, including the emails they send and private discussions on social media.

A number of cases of this type are public knowledge, e.g. China in 2015 through its root certification authority CNNIC, Turkey in 2013 through TurkTrust, or Kazakhstan in 2020.

An article to consolidate Member States' sovereignty in the area of digital trust

The purpose of article 45 is to require web browsers to recognize qualified website authentication certificates (QWAC) to authenticate websites. These QWAC electronic certificates must meet strict specifications set out in the eIDAS regulations and be issued by qualified trust service providers (QTSPs) who also meet strict specifications.

QWAC certificates are subject to much more extensive verification than other certificates (SSL certificates) currently offered by certification authorities, which explains their higher costs. The company issuing these certificates must specifically verify that the website’s domain is actually controlled by the legal entity of the company requesting the certificates. This company, which is a qualified trust service provider, must undergo regular audits in order to be granted “qualified” status by a supervisory body (designated by the given Member State), both as a provider and for the services it provides. It is worth noting that the Payment Services Directive (PSD2) has already imposed the use of QWAC certificates in the financial sector.

Since American stakeholders largely dominate digital technology in Europe, the objective of article 45 is nothing less than to give Europe an opportunity to regain control over Internet security and impose its own framework for authorizing root certification authorities.

The pretext of QWAC certificates to block Article 45

Mozilla sparked controversy in 2021 by taking a stand against the eIDAS reform and article 45 in particular, claiming that QWAC certificates are based on outdated and discredited technology, which weakens web security and which should therefore not be reintroduced.

The technology in question is extended validation (EV) certificates. This type of SSL certificate, as previously mentioned, is subject to more extensive verification than ordinary SSL certificates, with nine additional verification steps, including the company’s public telephone number and registration number. Until 2019, browser users were informed of EV certificates via a green bar displaying the name of the site visited. These EV indicators were removed in 2019, after major browsers agreed that they cluttered the user interface and did not appear to have any real impact on users, who did not check or even notice the indicator, according to the Chrome security team.

Although the issue at the time was the relevance of EV certificates, which were both expensive and imperceptible to Internet users, the approach behind the QWACs is different. The goal is to improve the security of transactions, regardless of whether Internet users are aware of this. The other criticized and controversial aspect was related to the EV verification procedure. While it did increase security, the procedure did not make it possible to fully ensure the legitimacy of the certificates generated. This criticism applies to all the verification procedures, with a lower risk for EV certificates.

Risks to individual freedoms

Amid tensions in Europe, with countries alternating between moderate and more extreme governments, citizens, particularly those who signed the open letter, are afraid of losing their individual freedoms. When governments are given the ability to generate certificates recognized as valid by browsers, this paves the way for abuses ranging from targeting a few individuals for political reasons to mass cyber-surveillance. This is where the real risk lies. Once the technological system is in place, a government more concerned with its own interests than respecting the individual freedoms of citizens will be able to amend the law to legalize the exploitation of the system to serve its cause. What was illegal when the technological system was put in place, under the guise of entirely ethical purposes, can become legal tomorrow for malevolent purposes.

In the case of article 45, it is not currently so much an issue of governments already intercepting our communications, but of this interception capacity occurring so close at hand with more significant consequences for our daily lives. It is no longer a matter of foreign authorities collecting data for intelligence purposes, but rather of Member States governing their citizens, with much greater potential for harm.

The polarizing nature of article 45 raises the question: is it better to have a Europe that increases its sovereignty by managing its own root certification authorities, with the risk of facilitating the surveillance of citizens, or a Europe that continues to be mediated by the economically powerful players of the digital industry?

⇒ This article was republished from The Conversation under the Creative Commons license. Read the original article (fr).