Who will take control of Internet security in Europe?

While browsing the Internet, you have surely seen a security alert message like: “Warning: probable security risk” because your browser does not trust the site you are visiting. In its interactions, the browser must verify the authenticity of the site, and for that, it must verify the electronic certificate presented and rely on the expertise of the certification authority that issued and signed the electronic certificate. In the case of an authority that is not registered in the browser’s certificate store or that is registered but not identified as “trusted”, the certificate is considered invalid and an alert is issued.

A certification authority’s mission is to attest to the identity of websites and, more broadly, of any entity. It does so by issuing an electronic certificate. It is therefore the decision-maker as to which entities on the Internet browsers will automatically recognize as trusted.

An authority can certify another, which naturally creates a hierarchy. The one at the top is called a “root authority” or “trust anchor” to signify its indispensable role in organizing security on the Internet.

The great powers of certification authorities

Whoever takes control of a root certification authority also has the power to decide whether a company or server goes from unknown on the Internet to fully recognized and trusted by billions of browsers. That alone shows the power involved. Worse, the authority can abusively create fake certificates and intercept the email or social media traffic of a public figure without their knowledge.

It’s no wonder that several hundred researchers and digital companies are rebelling against Article 45 of the current revision of eIDAS 2.0 on “establishing a European framework for digital identity”, which imposes the direct recognition of root certification authorities chosen by the Member States. This article, which allows Member States to impose their own root certification authorities, gives these states enormous power over communication security on the Internet. This does not please European citizens who fear increased surveillance, nor does it please well-established American companies who do not want the cards to be reshuffled.

More than 500 researchers and scientists from 42 different countries (including myself) and numerous non-governmental organizations signed an open letter in November 2023 to the members of the European Parliament and the Member States of the Council of the European Union. American companies, including Mozilla and Cloudflare, have also weighed in with a joint statement addressed to decision-makers in the European institutions.

Drifting towards more cyber-surveillance?

To be included in a browser, a certification authority must be accepted by the four major root programs, those of Microsoft, Apple, Google, and Mozilla, whose browsers together hold 94% of the Web browser market. These programs are closely coordinated with one another.

There are several hundred registered root authorities in browsers today.

Being on that list is highly coveted because, for the companies that operate these authorities, it is like having a licence to print money, except that what they generate and sell are electronic certificates (the price of a certificate varies between 8 and 1,000 dollars per year), and a certificate from them is essential for any client organization that wants its own certificate to be recognized as trusted by browsers.

The electronic certification market is concentrated in the hands of a few players, most of whom are American. Specifically, 6 certification authorities share 99.9% of Web certificates worldwide, 5 of which are American (as of January 2024).

Aside from the economic aspect, having a root certification authority is strategic for a State. It gives the State technological means that facilitate the surveillance of its citizens. The State can generate a fake certificate for any domain, for example “google.com”. It is a “fake certificate” in the sense that it was not legitimately issued for the domain in question. Yet the browser of the person under surveillance will accept this certificate without a hitch, because the authority that issued it is on the browser’s list of trusted authorities. This is what the controversial Article 45 allows. The next step for the State is to place an interception server between the browser and the service (for example, Google) to intercept and decrypt the traffic on the fly. Neither the browser nor the user will be able to detect this interception, and the State will have access to all of the user’s communications: the emails they send, their private exchanges on social networks, and so on.

A controversial article

The goal of Article 45 is to require web browsers to recognize qualified website authentication certificates (QWAC) to authenticate websites. These QWAC electronic certificates must meet strict specifications set by the eIDAS regulation and be issued by qualified trust service providers (QTSP) that also meet strict specifications.

QWAC certificates undergo much more thorough checks than the other certificates (SSL certificates) currently offered by certification authorities, which explains their higher cost. The company issuing these certificates must, in particular, verify that the website’s domain is actually controlled by the legal entity requesting the certificate. This company, a qualified trust service provider, must undergo regular audits to be granted “qualified” status by a supervisory body (designated by the Member State concerned), both as a provider and for the services it provides. It is worth noting that the PSD2 directive (Payment Services Directive 2) has already imposed the use of QWAC certificates in the financial sector.

As digital technology in Europe is largely dominated by American actors, the goal of Article 45 is for Europe to take back control of security on the Internet, nothing less, and to impose its own framework for authorizing root certification authorities.

Mozilla sparked controversy in 2021, taking a stand against the eIDAS reform and specifically Article 45, claiming that QWAC certificates rely on outdated and discredited technology, which weakens Web security and should therefore not be reintroduced.

The technology in question concerns extended validation (EV) certificates. This type of SSL certificate, as previously mentioned, undergoes more thorough checks than ordinary SSL certificates, with nine additional verification steps, including the company’s public telephone number and registration number. Until 2019, EV certificates were indicated to browser users by a green bar specifying the legal name of the site visited. These EV indicators were removed in 2019, after the main browsers agreed that they cluttered the user interface and did not seem to have a real impact on users, who did not check or even notice the indicator, according to the Chrome security team.

If the question at the time was about the relevance of EV certificates because they were costly and imperceptible to Internet users, in the case of QWAC, the approach is different. The goal is to strengthen transaction security, and it doesn’t matter if Internet users are aware of it. The other criticized and questionable aspect was the EV verification procedure, which, despite enhancing security, did not provide 100% assurance of the legitimacy of the generated certificates. This criticism actually applies to all verification procedures, with a lower risk for EV certificates.

Risks for individual freedoms

In a Europe in tension, alternating between moderate and extreme governments, citizens and especially the people who signed the open letter, fear for their individual freedoms. Giving a State the ability to generate certificates recognized as valid by browsers is opening the door to abuses targeting certain individuals for political reasons or to massive cyber-surveillance. The risk is real. Once the technological system is in place, a government more concerned with its own interests than respecting the individual freedoms of citizens can change the law to make the exploitation of the system legal and serve its cause. What was illegal on the day the technological system was put in place, under the guise of completely moral purposes, can become legal the next day with insidious purposes.

The problem is not so much that companies or states may already be intercepting our communications today; with Article 45, the problem is that this interception capability sits very close to us, with more direct consequences for our daily lives. It is no longer a matter of data collected by foreign authorities for intelligence purposes, but of Member States administering their own citizens, with a far greater potential for harm.

This divisive Article 45 raises the question: is it better for Europe to gain sovereignty by becoming the manager of its own root certification authorities, with the risk of facilitating surveillance operations on its citizens, or for Europe to continue to be influenced by economically powerful digital actors?
