Aral Balkan
🚨 Another EU mass surveillance attempt. Will kill privacy on web. Must not pass. 🚨
“[A]ll web browsers distributed in Europe will be required to trust the certificate authorities and cryptographic keys selected by EU governments.
These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic across the EU.”
Aral Balkan
@JohnDal This is about browser certificates so whether you’re on a VPN shouldn’t factor into it either way. They’re looking to MITM TLS.
John Dal
@aral how does that affect VPNs?
Aral Balkan
@adrianfry That’s considering the browser vendors make separate builds. Which would be one way of circumventing this, yes. You have to understand that the folks in the EU making these laws have roughly a Bronze Age understanding of technology.
Adrian
@aral What does 'distributed in Europe' mean? I have access to the whole world's servers and can download a browser from anywhere, especially as I use a VPN. Anyone with their eye on privacy would surely circumvent this nonsense, so it's pointless anyway?
Børge
@aral Jesus Christ! What is going on in the EU these days!?
Aral Balkan
@vfrmedia @finlaydag33k The Netherlands is scary in just how much Orwellian legislation/processes they can introduce without anyone batting an eyelid. They embraced body scanners by default at the airports*. They’re also going cash-free at an alarming rate. And few folks seem to be worried.
(An uncomfortable eye opener for me was when I was processed by G4S at one end of my trip and by G4S at the other while traveling to the Netherlands from possibly the UK once.)
Alex@rtnVFRmedia Suffolk UK
I remember reading quite a few years back about how the Dutch Communications Ministry Agentschap Telecom (now the Rijksinspectie voor Digitale Infrastructuur) had started introducing this - (with surprisingly little comment about it across Europe)
Aroop Roelofs :verified:
@aral Iirc, Iran does the same as well and The Netherlands has been doing so for a while as well.
Aral Balkan
@JohnDal No problem :)
John Dal
@aral Thanks
Aral Balkan
@gwenn Not lawful for browser vendors to do so if this law passes.
Gwenn
@aral
Wouldn't it be possible to delete these ca certificates? What if my company delete all ca certificates except there trust? Hopefully this law will not pass. Anywise we need bugfixes for any browser, clients etc.
Aral Balkan
@opendna Yep, we’re all tinfoil hat conspiracy theorists here, you really figured us out. Everyone at Mozilla too. They’re the worst! That’s why Google pays them half a billion dollars a year. Because – you guessed it (damn, you’re good) – Google are tinfoil hat conspiracy theorists too! Don’t let their trillion-dollar adtech business fool you, it’s tin foil hat all the way down. Ever wonder why you never see the inside of their propeller hats?… Now you know.
Viktor Orbán approves this message.
OpenDNA⚙️
@aral Uh, no. This is some weird tinfoil hat nonsense. eiDAS isn't Clipper Chip, it PKI.
This regulation would require that browsers recognize the certificates of EU government-issued IDs.
It would allow me to use the same hardware token ID I use to file taxes and customs paper to verify my ID with banks, EU agencies, and other governments. It would allow us to use our IDs to sign PDFs, and widely enable passport verification.
Aral Balkan
@finlaydag33k @vfrmedia There’s a reason in the prequel to The Handmaid’s Tale, one of the first things a fledgling Gilead does is to freeze the bank accounts of women – rendering them financially dependent on men from one day to the next.
Aroop Roelofs :verified:
@aral Yea, I still pay a bunch in cash but indeed it's getting harder and harder to do so.
Places where you can put cash into your bank account are also becoming increasingly rare.
Aral Balkan
@grob Oh, it’s always the enemy. This is just one way of bypassing it. Client-side scanning is another. Signalling capture is a third (“let’s add another end to the end-to-end without telling anyone”). As far as I can see, they’re still very much interested in trying their luck with all these approaches. (When they’re not busy trying to outlaw mathematics, that is.)
grob 🇺🇦
@aral interesting how all of a sudden cryptography is not the enemy anymore. Looking at you, #chatcontrol
Aral Balkan
@stephengentle No idea. Given malicious compliance is what companies like Google, etc., have been undertaking with GDPR/cookie notices/right to be forgotten, I don’t see why not. (Then again, things have a way of being implemented differently whenever “national security” enters into the picture… Here’s hoping we don’t have to find out.)
Stephen Gentle
@aral Could malicious compliance be an option if this goes through? Like the page loads, but a big banner is displayed in the browser informing the user that an unsafe CA is being used which probably means that the web use is being directly surveilled?
Aral Balkan
@kravietz This is all I see at that link:
kravietz 🦇
Aral, this story is bullshit. It’s yet another of US companies to thwart a regulation that hurts their business, nothing more - I’ve explained it in details here:
Aral Balkan
@kravietz Ah. Makes sense.
kravietz 🦇
Aral Balkan
@rmanos There’s always stuff that can we done as workarounds, etc., but the issue is that 99.99999% of people will be affected by whatever is the default.
Manos Ragiadakos
@aral I am not an expert on these stuffs.
But let's say it passes.
Can a website create an encrypted communication through a JS client using asymmetric cryptography?
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.