Re: [News] The EU plans to eavesdrop on everyone's internet connections

Board PC_Shopping
Author nk11208z (小魯)
Time 2023-11-12 02:38:56
Comments 8 (3 upvotes, 0 downvotes, 5 neutral)

: ※ [Forwarded from the Gossiping board #1bJtYBwx ]
:
: Author: skycat2216 (skycat2216) Board: Gossiping
: Title: [News] The EU plans to eavesdrop on everyone's internet connections
: Time: Sat Nov 11 20:50:17 2023
:
: Notes must go at the end; news posts that break this rule will be deleted
:
: 1. Media source:
: The Register
:
: 2. Reporter byline:
: Thomas Claburn
:
: 3. Full headline:
: Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections
: EFF warns incoming rules may return web 'to the dark ages of 2011'
:
: -----------Brief explanation:----------
: This is something China did a long time ago
: CNNIC issued such certificates, and later even bought other certificate issuers, which led to the CA no longer being trusted
: But this time the EU is harsher: it outright requires that they cannot be removed
:
: 4. Full article text:
: Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.
:
: The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initial version of the digital identity and trust service rules. The rules cover things like electronic signatures, time stamps, registered delivery services, and certificates for website authentication.
:
: But one of the requirements of eIDAS 2.0 is that browser makers trust government-approved Certificate Authorities (CA) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI).
:
: Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, or QTSPs – would issue TLS certificates – Qualified Website Authentication Certificates, or QWACs – to websites.
:
: But browser makers, if they suspect or detect misuse – for example, traffic interception – would not be allowed to take countermeasures by distrusting those certificates/QWACs or removing the root certificate of the associated CA/QTSP from their list of trusted root certificates.
: Put simply: In order to communicate securely using TLS encryption – the technology that underpins your secure HTTPS connections – a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the website presents a public portion of its CA-issued certificate to the browser, and the browser checks the cert was indeed issued by one of the CAs it trusts, using the CA's root certificate, and is correct for that site.
:
: If the certificate was issued by a known good CA, and all the details are correct, then the site is trusted, and the browser will try to establish a secure, encrypted connection with the website so that your activity with the site isn't visible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn't match the website's address, or some details are wrong, the browser will reject the website out of a concern that it's not connecting to the actual website the user wants, and may be talking to an impersonator.
:
: Here's one problem: if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website – or ask for some other certificate browsers will trust and accept for the site. Thus, using a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time. The browser won't even be able to block the certificate.
: As Firefox maker Mozilla put it:
:
: This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.
:
: How that compares to today's surveillance laws and powers isn't clear right now, but that's basically what browser makers and others are worried about: government-controlled CAs being abused to issue certificates to websites that allow for interception. If an administration tried using a certificate not issued by a trusted CA, browsers would reject the cert and connection, hence Europe's desire to make browser makers accept government-backed CAs.
:
: Certificates and the CAs that issue them are not always trustworthy and browser makers over the years have removed CA root certificates from CAs based in Turkey, France, China, Kazakhstan, and elsewhere when the issuing entity or an associated party was found to be intercepting web traffic. Many such problems have been documented in the past.
:
: An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers.
:
: Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA has a government seal of approval.
:
: "Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government," the Electronic Frontier Foundation (EFF) warned on Tuesday.
:
: "Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government's control could be used to intercept HTTPS communication throughout the EU and beyond."
:
: The foundation added the rules "returns us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic — and get away with it."
:
: Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clarify that Article 45 cannot be used to disallow browser trust decisions.
:
: "If this comes to pass it would enable any EU government or recognized third party country to begin intercepting web traffic and make it impossible to stop without their permission," the letter warns. "There is no independent check or balance on this process described in the proposed text."
:
: In an email to The Register, a Mozilla representative added, "Mozilla is deeply concerned by the proposed legislation and is continuing to engage with key stakeholders in the final stages of the trilogue process. We are committed to security and privacy on the Internet and have been heartened by the outpouring of support from civil society groups, cyber security experts, academics, and the public at large on this issue. We are hopeful that this heightened scrutiny will motivate EU negotiators to change course and deliver regulation with suitable safeguards."
:
: Google has also raised concerns about how Article 45 might be interpreted. "We and many past and present leaders in the international web community have significant concerns about Article 45's impact on security," the Chrome security team argued, and urged EU lawmakers to revise the legal language.
:
: According to security researcher Scott Helme, the latest regulatory language – which has not been made public – is still problematic.
: The EFF says the legislative text "is subject to approval behind closed doors in Brussels on November 8." ®
:
: 5. Full article link (or short URL); repost sites such as YAHOO, LINE or MSN are not allowed:
: https://www.theregister.com/2023/11/08/europe_eidas_browser/
:
: 6. Notes:
: CNNIC and WoSign: "Hello there, neighbour. We hope you end up even worse off than we did."
: If the EU dares to do this, I will definitely DDoS their servers to pieces, and if I can, I'll dig up their secrets too
: This is no longer something to joke about with the "fifth floor" meme; can you imagine the other side of the strait monitoring all communications in the whole world?

There is a discussion of this on reddit.

Conclusion first: breaking the encryption itself is not really feasible at this stage.
But as netizens have said, the EU may go after the CA certificates instead.
That would mean going back to the pre-HTTPS era: anyone who can capture packets can see where the traffic is heading and where a packet originally came from.
Then it turns into "well, can't I just not apply for a certificate?" (at your own risk).

What people are mostly worried about right now is that, with the EU acting as the man in the middle, it can issue certificates at will and use these certificate authorities as an intermediary to redirect traffic,
which is the so-called MITM attack (man-in-the-middle attack).
Since the browser and the operating system are encrypted, once the bill passes the EU can set up lawful CA servers to redirect traffic, and no "this site may be insecure" warning would appear, because after all the EU set them up legally.

But I think this proposal will probably be rejected.

https://reurl.cc/z6kpda
--
※ Posted from PTT (ptt.cc), from: 1.169.160.151 (Taiwan)
※ Article URL: https://www.ptt.cc/bbs/PC_Shopping/M.1699727937.A.AD6.html

yymeow: Actually, as long as a site uses a CDN as a proxy (e.g. cloudflare), the packets have already been decrypted once at the CDN. 223.140.24.66 11/12 13:12

yymeow: For the second leg, between the CDN and the real server, some people choose not to encrypt, and even when it is encrypted it has been decrypted and re-encrypted. 223.140.24.66 11/12 13:12

yymeow: To eavesdrop, the government or a hacker plays the role of this CDN; 223.140.24.66 11/12 13:14

yymeow: as for the certificate, technically a wildcard certificate can be used to "override" the site. 223.140.24.66 11/12 13:14

yymeow: To clarify, it should be called a multi-domain certificate (SAN certificate). 223.140.24.66 11/12 13:29
