
Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections
2023-11-08 08:27

One of the requirements of eIDAS 2.0 is that browser makers trust the Certificate Authorities (CAs) approved by EU member state governments, and that they apply no security controls to those CAs beyond the ones specified by the European Telecommunications Standards Institute (ETSI).

When a browser visits a website that has obtained a certificate from a CA, the website presents that CA-issued certificate (which carries the site's public key) to the browser, and the browser checks that the certificate chains back to a root certificate of a CA it trusts and that it is valid for the site's hostname.

If the certificate was issued by a known good CA and all the details check out, the site is trusted, and the browser completes a secure, encrypted connection with the website so that your activity with the site isn't visible to an eavesdropper on the network.

If the cert was issued by a CA the browser does not trust, or the certificate doesn't match the website's address, or some other detail is wrong, the browser rejects the connection out of a concern that it is not talking to the website the user asked for and may instead be talking to an impersonator.

Under the eIDAS 2.0 text, the browser would not even be able to block a certificate issued by one of these government-approved CAs, because doing so would be a security control beyond the ETSI-specified ones that the regulation forbids.

Certificates and the CAs that issue them are not always trustworthy, and browser makers over the years have removed or blocked root certificates from CAs based in Turkey, France, China, Kazakhstan, and elsewhere when the issuing entity, or a party it had delegated to, was found to have issued certificates that were used to intercept web traffic.
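The checks described above (chain to a trusted root, hostname match, rejection otherwise, and the effect of pulling a root out of the trust store) can be exercised end to end with the Go standard library. The following is an added example written for this page; it is not code from the article or from any browser, and the CA names, hostnames and keys in it are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildChain mints a throwaway root CA and a leaf certificate for host, entirely in
// memory. These are constructed test certificates, not real ones.
func buildChain(caName, host string) (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: caName},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the name the browser must match against the URL
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// verifyLikeBrowser performs the two checks the article describes: the leaf must chain
// to a root in the client's trust store, and it must be valid for the requested host.
func verifyLikeBrowser(leaf *x509.Certificate, trustStore []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // an explicit (possibly empty) store; never falls back to system roots
	for _, c := range trustStore {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records which of the article's cases each check reproduced.
type Outcome struct {
	Trusted          bool // root in store and name matches: connection proceeds
	UnknownAuthority bool // issued by a CA the client does not trust: rejected
	HostnameMismatch bool // trusted CA, but the cert is not for the requested site: rejected
	AfterRootRemoval bool // the same, previously good cert is rejected once its root is removed
}

// Demo runs the four scenarios against constructed certificates.
func Demo() (Outcome, error) {
	var o Outcome
	rootA, leafA, err := buildChain("Example Root CA", "example.com")
	if err != nil {
		return o, err
	}
	rootB, _, err := buildChain("Unrelated Root CA", "other.example") // a CA the site did not use
	if err != nil {
		return o, err
	}
	o.Trusted = verifyLikeBrowser(leafA, []*x509.Certificate{rootA}, "example.com") == nil

	var ua x509.UnknownAuthorityError
	o.UnknownAuthority = errors.As(verifyLikeBrowser(leafA, []*x509.Certificate{rootB}, "example.com"), &ua)

	var he x509.HostnameError
	o.HostnameMismatch = errors.As(verifyLikeBrowser(leafA, []*x509.Certificate{rootA}, "impostor.example"), &he)

	// "Removing the root" is what browser makers have done to misbehaving CAs: the
	// certificate itself is unchanged, but it no longer chains to anything trusted.
	o.AfterRootRemoval = verifyLikeBrowser(leafA, nil, "example.com") != nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The last scenario is the lever the article is about: a browser's ability to reject a certificate depends on its freedom to decide what sits in the `Roots` pool, and a rule that compels trust in a given CA removes that lever regardless of how the certificate itself is checked.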


News URL

https://go.theregister.com/feed/www.theregister.com/2023/11/08/europe_eidas_browser/