this post was submitted on 02 Nov 2023
514 points (98.7% liked)

Programmer Humor

32115 readers
18 users here now

Post funny things about programming here! (Or just rant about your favourite programming language.)

Rules:

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
cat_programmer@lemmy.ml
514
at the trilogue meeting, secretly negotiating legislation to reduce web browser security (lemmy.ml)
submitted 11 months ago by cypherpunks@lemmy.ml to c/programmerhumor@lemmy.ml
34 comments fedilink hide all child comments
 

context

you are viewing a single comment's thread
view the rest of the comments
[–] cypherpunks@lemmy.ml 24 points 11 months ago (1 children)

The legislation requires web browsers to trust EU countries' CAs (which browsers already tend to do, but are presently free to remove when they're observed being misused) and prohibits doing non-ETSI-approved validity checks (eg, certificate transparency, which is a way CA-misusing MITM attackers can be caught).

Wouldn't you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?

[–] skullgiver@popplesburger.hilciferous.nl -2 points 11 months ago* (last edited 10 months ago) (2 children)

[This comment has been deleted by an automated system]

[–] dark_stang@beehaw.org 5 points 10 months ago (1 children)

If they wanted to make browsers less secure, they would do so in much more obvious ways.

The new proposal demands browsers automatically trust government created root certificates. That means any EU government can do a man-in-the-middle attack on any end user running that web browser, even users in other countries. There is no reason to do that other than to spy on people or to manipulate the content that they're viewing.

If any government, or company for that matter, wants to make their own root cert and deploy it to all their users/machines they can already do that easily. A lot of companies that work with sensitive data already do this, and some companies (ex: symantec) provide solutions to do it very easily, so the IT team can see everything the users are doing.

[–] lukas@lemmy.haigner.me 1 points 10 months ago* (last edited 10 months ago)

I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services.

Right... uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!