Cybersecurity Experts Urge EU Lawmakers to Fix Website Authentication Proposal That Puts Internet Users’ Security and Privacy at Risk

SAN FRANCISCO—Electronic Frontier Foundation (EFF) technologists, along with 36 of the world’s top cybersecurity experts, today urged European lawmakers to reject proposed changes to European Union (EU) regulations for securing electronic payments and other online transactions that will dramatically weaken web security and expose internet users to increased risk of attacks by cybercriminals.

The ill-conceived proposed amendment to Article 45 in the EU’s Digital Identity Framework (eIDAS) requires popular browsers like Firefox, Google, and Safari to accept flawed website certificates that bypass the rigorous security standards built into today’s browsers to ensure user data isn’t intercepted and stolen by criminals. Website certificates help ensure that, when you use a credit card to buy something online, your payment information is going to the right website and not to cybercriminals who have created fake websites that impersonate real websites.

In a letter today to members of the European Parliament, EFF Director of Engineering Alexis Hancock, EFF Director of Technology Projects Jon Callas, and cybersecurity experts from Belgium, Canada, France, Germany, Taiwan, the UK and the U.S. said that requiring browsers to accept Qualified Website Authentication Certificates (QWACs), a specific EU form of website certificate that never gained traction because of implementation flaws, would put the entire website security ecosystem at risk, because browsers would be forced to trust third parties designated by the government without any security assurances.

The experts urged EU lawmakers to amend the revised Article 45.2 to “ensure that browsers can continue to undertake their crucial security work to protect individuals from cybercrime on the web.” Insecure third parties can have a devastating effect on online privacy and security by opening the door to malware attacks, stolen personal and financial information, and other acts of cybercrime.

“While we understand that the intent of these provisions is to improve authentication on the web, they would in practice have the opposite effect of dramatically weakening web security,” 38 cybersecurity researchers, advocates, and practitioners said in the letter. “At a time when two-thirds of Europeans are concerned about being a victim of online identity theft and over one-third believe they are not able to sufficiently protect themselves against cybercrime, weakening the website security ecosystem is an untenable risk.”

Website authentication is a cornerstone of security online and the basis for e-commerce and e-government. Internet users are put at risk of cybercrime when certificate authorities are not rigorously vetted to ensure their certificates can be trusted. Signatories to the letter are holding a technical workshop today to discuss the implications of the proposed amendment.

For the letter:
https://www.eff.org/document/eidas-letter-2022

For more on the amendment:
https://eff.org/deeplinks/2021/12/eus-digital-identity-framework-endangers-browser-security
https://www.eff.org/deeplinks/2022/02/what-duck-why-eu-proposal-require-qwacs-will-hurt-internet-security