EU Article 45 requires that browsers trust certificate authorities appointed by governments::The EU is poised to pass a sweeping new regulation, eIDAS 2.0. Buried deep in the text is Article 45, which returns us to the dark ages of 2011, when certificate authorities (CAs) could collaborate with governments to spy on encrypted traffic—and get away with it. Article 45 forbids browsers from…

  • WDX@feddit.de
    link
    fedilink
    English
    arrow-up
    42
    ·
    1 year ago

    There can be an infinite amount of certificates for a single domain.

    When you setup a connection to a website you basically get a response back that has been signed with a certificate.

    Your Browser / OS has a list of certification authorities that it deems trustworthy.

    So when you get the response the browser checks if the certificate was issued by a trusted CA.

    Now, if the EU forces browsers to trust their CA they can facilitate a man-in-the-middle attack.

    In this instance they will intercept the TLS Handshake and give you back a response that was signed by their certificate. Your Browser deems the certificate valid and sets up a secure tunnel to the EUs Server.

    From then on they can forward packets between you and the real website while being able to read everything in cleartext