Board PC_Shopping
Author skycat2216 (skycat2216)
Title Fw: [News] The EU intends to wiretap everyone's internet connections
Time Sat Nov 11 21:56:27 2023


※ [This post is forwarded from the Gossiping board #1bJtYBwx ]

Board Gossiping
Author skycat2216 (skycat2216)
Title [News] The EU intends to wiretap everyone's internet connections
Time Sat Nov 11 20:50:17 2023


Notes go at the end; news posts that violate this will be deleted

1. Media source:
The Register


2. Reporter byline:
Thomas Claburn

3. Full news headline:
Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections

EFF warns incoming rules may return web 'to the dark ages of 2011'




4. Full news text:

Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.

The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initial version of the digital identity and trust service rules. The rules cover things like electronic signatures, time stamps, registered delivery services, and certificates for website authentication.

But one of the requirements of eIDAS 2.0 is that browser makers trust government-approved Certificate Authorities (CAs) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI).

Under eIDAS 2.0, government-endorsed CAs (Qualified Trust Service Providers, or QTSPs) would issue TLS certificates (Qualified Website Authentication Certificates, or QWACs) to websites.

But browser makers, if they suspect or detect misuse (for example, traffic interception), would not be allowed to take countermeasures by distrusting those certificates (QWACs) or by removing the root certificate of the associated CA (QTSP) from their list of trusted root certificates.

Put simply: in order to communicate securely using TLS encryption (the technology that underpins your secure HTTPS connections), a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the website presents the public portion of its CA-issued certificate to the browser, and the browser checks that the cert was indeed issued by one of the CAs it trusts, using the CA's root certificate, and that it is correct for that site.

If the certificate was issued by a known good CA, and all the details are correct, then the site is trusted, and the browser will try to establish a secure, encrypted connection with the website so that your activity with the site isn't visible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn't match the website's address, or some details are wrong, the browser will reject the website out of concern that it's not connecting to the actual website the user wants and may be talking to an impersonator.

Here's one problem: if a website is issued a certificate from one of those aforementioned Euro-mandated, government-backed CAs, that government can ask its friendly CA to issue a second certificate for that website's name, with a private key the government holds, which browsers will trust and accept for the site just as they accept the real one. The CA does not need the site's cooperation or the site's private key to do this; it only needs its own signing key. Thus, using a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time. The browser won't even be able to block the certificate.

As Firefox maker Mozilla put it:

This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.

How that compares to today's surveillance laws and powers isn't clear right now, but that's basically what browser makers and others are worried about: government-controlled CAs being abused to issue certificates for websites that allow for interception. If an administration tried using a certificate not issued by a trusted CA, browsers would reject the cert and the connection, hence Europe's desire to make browser makers accept government-backed CAs.

Certificates and the CAs that issue them are not always trustworthy, and browser makers over the years have removed root certificates from CAs based in Turkey, France, China, Kazakhstan, and elsewhere when the issuing entity or an associated party was found to be intercepting web traffic. Many such problems have been documented in the past.

An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers.

Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA has a government seal of approval.

"Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government," the Electronic Frontier Foundation (EFF) warned on Tuesday.

"Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government's control could be used to intercept HTTPS communication throughout the EU and beyond."

The foundation added that the rules "return us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic — and get away with it."

Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clarify that Article 45 cannot be used to disallow browser trust decisions.

"If this comes to pass it would enable any EU government or recognized third party country to begin intercepting web traffic and make it impossible to stop without their permission," the letter warns. "There is no independent check or balance on this process described in the proposed text."

In an email to The Register, a Mozilla representative added, "Mozilla is deeply concerned by the proposed legislation and is continuing to engage with key stakeholders in the final stages of the trilogue process. We are committed to security and privacy on the Internet and have been heartened by the outpouring of support from civil society groups, cyber security experts, academics, and the public at large on this issue. We are hopeful that this heightened scrutiny will motivate EU negotiators to change course and deliver regulation with suitable safeguards."

Google has also raised concerns about how Article 45 might be interpreted. "We and many past and present leaders in the international web community have significant concerns about Article 45's impact on security," the Chrome security team argued, and urged EU lawmakers to revise the legal language.

According to security researcher Scott Helme, the latest regulatory language, which has not been made public, is still problematic.

The EFF says the legislative text "is subject to approval behind closed doors in Brussels on November 8."



5. Full news link (or short URL); reposting outlets such as YAHOO, LINE and MSN are not allowed:
https://www.theregister.com/2023/11/08/europe_eidas_browser/
Europe prepares to break browser security with eIDAS 2.0 • The Register


6. Notes:
CNNIC and WoSign: hey there, old friend, we hope you end up even worse off than we did

If the EU dares to do this, I will DDoS their servers into the ground, and if I can, I'll dig out their secrets too
This is no longer something to joke about with the "fifth floor" meme; can you imagine the other side wiretapping all communications worldwide?

--
※ Posted from: PTT (ptt.cc), from: 111.82.109.225 (Taiwan)
※ Article ID (AID): #1bJtYBwx (Gossiping)
※ Article URL: https://www.ptt.cc/bbs/Gossiping/M.1699707019.A.EBB.html
※ Posts on the same topic:
Fw: [News] The EU intends to wiretap everyone's internet connections
11-11 21:56 skycat2216
※ Posted from: PTT (ptt.cc)
※ Forwarded by: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 21:56:27
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 21:57:13
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 22:00:52
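The certificate check the article describes, the "second certificate for the same name from a government-backed CA" scenario, and the root-distrust countermeasure that Article 45 would take away, played out as an added example in Go. This code is not part of the original post or of The Register's article; it uses only Go's standard crypto/x509 package, and the CA names "Public CA" and "Hypothetical QTSP Root" and the host example.com are placeholders, not real CAs or sites.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a key pair and a certificate for it: a self-signed root CA when
// parent is nil, otherwise a server certificate for host name signed by parent.
func makeCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy failure is fatal in this constructed example
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Nothing in X.509 stops a CA from signing a name it has no relationship with.
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, so it parses
	return cert, key
}

// browserVerify is the check the article describes: chain the presented leaf to a root
// in the trust store and confirm it is valid for host. Returns the leaf-to-root chain.
func browserVerify(leaf *x509.Certificate, store []*x509.Certificate, host string) ([]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	for _, r := range store {
		roots.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// spkiPin is the SHA-256 of a certificate's SubjectPublicKeyInfo, the value an operator pins.
func spkiPin(c *x509.Certificate) string {
	return fmt.Sprintf("%x", sha256.Sum256(c.RawSubjectPublicKeyInfo))
}

type Outcome struct {
	SiteCertOK          bool // the site's own certificate, with both roots trusted
	InterceptCertOK     bool // a second certificate for the same host from the other root
	InterceptAfterDrop  bool // that certificate after the browser drops the other root
	InterceptIssuerPins bool // whether the interception chain ends at the pinned root
}

// RunScenario: two trusted roots, one of which issues a certificate for host behind the
// site's back. The CA names are placeholders, not real CAs.
func RunScenario(host string) Outcome {
	publicCA, publicKey := makeCert("Public CA", nil, nil)
	qtsp, qtspKey := makeCert("Hypothetical QTSP Root", nil, nil)
	siteCert, _ := makeCert(host, publicCA, publicKey) // the site's real certificate
	interceptCert, _ := makeCert(host, qtsp, qtspKey)  // issued without the site's involvement
	both := []*x509.Certificate{publicCA, qtsp}        // a browser store that trusts both roots
	var out Outcome
	_, err := browserVerify(siteCert, both, host)
	out.SiteCertOK = err == nil
	chain, err := browserVerify(interceptCert, both, host) // the browser cannot tell them apart
	out.InterceptCertOK = err == nil
	// Countermeasure 1: drop the misbehaving root, the step Article 45 would forbid.
	_, err = browserVerify(interceptCert, []*x509.Certificate{publicCA}, host)
	out.InterceptAfterDrop = err == nil
	// Countermeasure 2: compare the chain's root with the key the site operator pinned.
	if out.InterceptCertOK {
		out.InterceptIssuerPins = spkiPin(chain[len(chain)-1]) == spkiPin(publicCA)
	}
	return out
}

func main() {
	fmt.Printf("%+v\n", RunScenario("example.com"))
}
```

Run it with `go run`. While both roots sit in the store, the interception certificate validates exactly like the site's own one, because chain building only asks "does this lead to a trusted root and does the name match"; it does not ask whether the site ever requested the certificate. Removing the root is the one lever browsers have had against a CA caught doing this, and it is the lever the article says Article 45 would take away for government-appointed issuers. The SPKI comparison at the end is the operator-side signal that remains: a pinned or otherwise expected issuer key, or a Certificate Transparency log watch, tells the site that someone else was issued a certificate for its name, but it does not stop the browser from accepting it.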
skycat2216: Got board moderator Arelies' approval  1F 111.82.109.225 Taiwan 11/11 22:01
greenpeace21: This is extremely serious, how come nobody is reacting?  2F 150.116.141.88 Taiwan 11/11 22:03
maximper79: Big Brother is watching  3F 39.10.34.166 Taiwan 11/11 22:08
Bencrie: If one layer isn't enough, add a second  4F 114.34.235.107 Taiwan 11/11 22:09
skycat2216: Because they think the EU can't touch them  5F 111.82.109.225 Taiwan 11/11 22:13
Ceelo: What, PRISM?  6F 36.226.202.167 Taiwan 11/11 22:16
Medic: How do you stop others from violating privacy? Do it yourself first XD  7F 111.251.220.224 Taiwan 11/11 22:16
kaj1983: Enemy of the State, is it?  8F 36.238.164.86 Taiwan 11/11 22:17
ienet788: Where there's no privacy there's no violation; very much like the other side  9F 111.83.45.194 Taiwan 11/11 22:18
kaj1983: A movie plot is actually about to play out in real life  11F 36.238.164.86 Taiwan 11/11 22:18
MK47: This is ridiculous  12F 36.235.176.124 Taiwan 11/11 22:18
auva: https://imgur.com/aBYod2F
https://imgur.com/lVDA6MB  13F 182.233.3.206 Taiwan 11/11 22:26
SakeruMT: >>progress toward arresting people the moment they have a criminal thought>>>>>  15F 36.233.161.168 Taiwan 11/11 22:32
a27588679: That's absurd, the EU has clearly crossed the line  16F 180.177.33.135 Taiwan 11/11 22:33
ltytw: The EU-gh has always meddled in everything  17F 125.224.89.76 Taiwan 11/11 22:45
dos01: "Everyone" doesn't include us anyway, so... none of our business  18F 182.155.78.98 Taiwan 11/11 22:52
wahaha99: The question is, how could they even do it?
All communications are encrypted; do they have a quantum computer with enough qubits?
And how would they filter such an enormous volume of data?
How much hardware, how much bandwidth, how much storage would it take?
Honestly, a lot of conspiracy theories, or things governments genuinely want to do, turn out very "unrealistic" in practice  19F 36.226.163.196 Taiwan 11/11 22:53
RaiGend0519: LOL, at least the other side only polices inside the wall  27F 36.232.158.55 Taiwan 11/11 22:56
dos01: This bill is most likely just meant to target specific people
It won't actually monitor everyone at the same time; even if you knew everyone's  28F 182.155.78.98 Taiwan 11/11 22:56
RaiGend0519: The EU wants to police both inside and outside the wall  30F 36.232.158.55 Taiwan 11/11 22:56
dos01: connections at the same time, it would be meaningless  31F 182.155.78.98 Taiwan 11/11 22:56
wahaha99: Read the content; they want to do it by having the government act as a CA
Too absurd; if they want to go mad, let them do it by themselves
Is this news really not a case of misprinting Russia as the EU?  32F 36.226.163.196 Taiwan 11/11 22:57
dos01: Took a look; it mentions Turkey, China, Kazakhstan
Probably fraud-related; the odd one out is that France is in there too  35F 182.155.78.98 Taiwan 11/11 23:00
Richun: That part is about CAs that intercepted traffic, which usually only happens when a government wants  37F 182.233.159.82 Taiwan 11/11 23:01
AI007: USA: LOL, too slow  38F 123.193.164.228 Taiwan 11/11 23:02
Richun: to investigate; the countries on that list all have a record of speech censorship, right?  39F 182.233.159.82 Taiwan 11/11 23:03
dos01: So I find it odd that France is lumped in with those  40F 182.155.78.98 Taiwan 11/11 23:04
RaiGend0519: The point it makes is that it gives governments the right to ask a CA for a given website's authorization/certificate, so the government can impersonate/mimic that site and intercept users' HTTPS data via a man-in-the-middle attack
and decrypt it at the same time
and the browser has no way to stop it
If this actually goes through it beats the other side a hundred times over  41F 36.232.158.55 Taiwan 11/11 23:04
MK47: China must be shocked: you're allowed to intrude this much? XD
Like a rapist seeing an Indian expert and having to cheer "now that's how it's done"  48F 36.235.176.124 Taiwan 11/11 23:09
intela03252: It's the EU; the approach will roughly be to require social networks to hand over all users' surveillance audio and video whenever the EU needs it; how to do it is of course the social network's own problem, and if it can't, it can't operate in the EU
As for scope, of course only companies big enough are subject to the restriction, and they all happen to be American companies  50F 114.33.155.28 Taiwan 11/11 23:14
cmcmisgod: Will future speech censorship just flag keywords directly?
Can we still talk nonsense on DC?  57F 36.227.140.34 Taiwan 11/11 23:22
RaiGend0519: In the extreme case... even the credentials you type into online banking could be captured  60F 36.232.158.55 Taiwan 11/11 23:22
ILoveElsa: I think you guys don't understand it at all and are just panicking along with everyone else  62F 1.175.166.8 Taiwan 11/11 23:25
dos01: I honestly don't quite get what they're trying to do; can someone translate?  63F 182.155.78.98 Taiwan 11/11 23:28
FXW11314: Let me see whether I can reply with a post giving a simple explanation  65F 42.73.236.14 Taiwan 11/11 23:31
RaiGend0519: It's all indirect guesswork so far; waiting for an expert post  66F 36.232.158.55 Taiwan 11/11 23:35
