Last Chance to fix eIDAS: Secret EU law threatens Internet security

If you are concerned by this proposals, then you should check out current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in MITM attack.

For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have ability to capture IP traffic (requires cooperation with ISP) 2. have ability to generate rogue certificate via cooperation with CA

Yes, but:

1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.

2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

So it's not really viable to use the existing CA system for MitM attacks.

The eIDAS proposal would:

1. Prevent browsers from distrusting CAs which are used in MitM attacks.

2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.

That creates a system that is very viable for government MitM attacks.

The browser/CA forum’s requirement to log all issuances into the CT log takes care of this; the EU mandate hardly has such requirements while still mandating the inclusion of root certs. The approach of the browser/CA forum vs EIDAS cannot be equated for this reason.

It's not like Beijing CA can issue a rogue certifcate and suddenly a malicious actor would be able to decrypt all your internet traffic. You would have to connect to a service that uses those certificates in the first place.

An interesting experiment would be to log all certificates used by the sites you normally use, say for a month, and then look at the list for anything shady. I have no ideia if an extension exists that would allow such and experiment, but the resulting list would be much more useful.

> For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

For someone living in the West, what are the consequences of deleting or distrusting those CAs?

> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

Thats reassuring but, not knowing much about this, I have a couple of questions:

1. Is this proactively monitored for? And how? And by whom?

2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

I think this is a matter of assumption. For communication through mainland China, one should assume that all internet traffic is actively surveilled with probably way easier methods than CAs. On the other hand, this assumption is definitely not as true in the EU, nor do I think the Chinese government forces Firefox to trust CAs by law (talking about irony)….

You can find more about certificate monitoring and who are involved here

https://certificate.transparency.dev/

No, that's not needed at all. If the malicious actor can man-in-the-middle traffic to victimsite.com (say using a BGP hijack), they can serve HTTPS traffic to the end user from their MITM server, secured with a certificate issued to "victimsite.com" that is issued by their own CA, and the MITM can then in turn communicate to the real victimsite.com using HTTPS secured by the real site's certificate, signed by its own CA.

Now, there are CAA DNS records, which serve the purpose of restricting the CAs that can sign a particular domain, which would of course be ignored by the malicious actor, but _could_ be checked by the end user's browser. But to the best of my knowledge, no browser does that.

In the case of mainland China, it’s easy for the Party 1) issue a malicious certificate and 2) redirect your Internet traffic to MITM box. They do 2) for all the time when blackholing Internet traffic.

With certificate logs there is a chance, I don’t know how high, to catch 1).

probably none

If you run into some websites which use them the browser will tell you that the certificate is invalid; you can always reinstall them if you prefer.

> 1. Is this proactively monitored for? And how? And by whom?

Yes, security researchers like myself are constantly looking in CT logs for suspicious certificates, and I've found many, most notably Symantec issuing certs for example.com (https://groups.google.com/g/mozilla.dev.security.policy/c/fy...) and Certinomis issuing for test.com (https://bugzilla.mozilla.org/show_bug.cgi?id=1496088). Both CAs were eventually distrusted. (But Certinomis will be back once eIDAS is adopted!)

Domain owners can use Certificate Transparency Monitors to learn about suspicious certificates for their own domains. Here are some monitors:

https://crt.sh/ - allows you to search for certificates for a domain

https://github.com/SSLMate/certspotter/ - open source tool which notifies you when a certificate is issued for one of your domains

https://sslmate.com/certspotter/ - commercial service that does the same, operated by my company

> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

In 2017, Chrome and Firefox distrusted Symantec, which was at the time the world's largest certificate authority: https://security.googleblog.com/2017/09/chromes-plan-to-dist...

Symantec hadn't even issued MitM certs - they were just grossly incompetent. Distrusting them was very painful, but necessary to uphold the integrity of the CA system, and demonstrated conclusively that there is no such thing as a too-big-to-fail CA.

This will get noticed in a matter of seconds.

But if your own government tells your own isp to reroute just your traffic over some MITM proxy, it's only you there to notice, and most probably, you won't.

You lose nothing, gain nothing. It's hard for china to reroute your traffic, and even if they did, what can they do to you after that?

It's your own government that can actually do something bad to you.

(unless you're doing some really really nasty stuff, and china wants to eliminate you for those reasons, and is willing to create a large international incident because of that).

Unless it's gotten better, it's super easy for China.. My traffic to EU World of Warcraft servers got hijacked all the time. I don't know if it was malicious or just incompetent Chinese ISPs, but you feel that extra latency when it goes through China.

>and even if they did, what can they do to you after that?

An example of what China can do is they can have their workers put pressure on you. Often this pressure is soft, nothing as direct as 'do X or we hurt you with Y'. And often the request, at least at the start, is for something legal and only a bit unethical if even that. A little information to help win a contract, maybe a way to advertise to you why you should go with their vendor for a product, maybe just asking you if a specific coworker seems to have any interest in some odd topic or passing you a resume of someone who seems a good fit for the job. If they can they'll push for more with increasing levels of silver and lead, and if not, they use what they did get to pressure elsewhere.

But this wasn't a bgp redirect, this was blizzard doing something... if chinese telcos acted as if they were blizzard telcos, there would be bgp filters and a lot of outrage in a matter of minutes. This is not a small deal.

In an ideal world, yes, they would by shut down in seconds. Yet BGP hijacks still occur in the real world; here's one from last month: https://slowmist.medium.com/analysis-of-balancer-bgp-hijacki...

And you're certainly right about government-mandated traffic hijacking.

> 2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?

Pretty much every browser distrusted the root certificate from Spain's FNMT-RCM for a decade, so I think the answer's yes.

Can you help me intuit what a suspicious certificate might look like in practice?

If you're a domain owner monitoring your own domains, a certificate is suspicious if it was not issued by one of the CAs that you use (e.g. you use Let's Encrypt, but you see a certificate for your domain in CT that was issued by Certinomis). If you keep an inventory of all of your certificates, then you can also cross-reference certificates from CT against your inventory, and flag any certificate that isn't in your inventory.

If you're a security researcher monitoring other people's domains, you have to rely on heuristics - e.g. if a domain has a long history of getting certs from a major US CA, and then suddenly a tiny European CA issues them a certificate, that's pretty suspicious. When I found the example.com certificate misissued by Symantec, I though it was suspicious because it was also valid for subdomains like products.example.com and support.example.com, which don't make sense for a domain that's reserved for documentation purposes. ICANN operates example.com, so I emailed their security team to confirm that they did not authorize the certificate.

The system works best if domain owners are monitoring their own domains, because only they know for sure if a certificate is authorized or not.

That's your smoking gun? CAs that issued certificates for example.com and test.com? You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?

> You genuinely believe that the only possibility here is a vast conspiracy to defraud and steal?

Care to point out where I said that?

example.com and test.com are real domains, and their owners did not authorize those certificates to be issued, so issuing them was a serious breach of the trust which CAs are expected to uphold. Furthermore, the discovery of these certificates led to investigations which turned up additional issues which are documented in detail here:

https://wiki.mozilla.org/CA/Symantec_Issues

https://wiki.mozilla.org/CA/Certinomis_Issues

That makes sense, thank you.

Follow-up question: presumably, a state actor with dominion or leverage over a CA can coerce said CA into issuing a certificate, right?

Yes, though eventually the state actor would run out of CAs to coerce as all the CAs in their country get distrusted.

The threat of distrust means CAs have a very strong incentive to contest any government orders, since if they comply their business is destroyed.

That tracks. Thanks for helping me get a bead on this!

You are correct that no browser is looking at CAA records, because it would be wrong to do so. CAA records don't retroactively revoke certificates that have already been issued. Their only purpose is for CAs to check them before issuing a certificate.

In some very prominent countries there are laws with extreme consequences which not only prevent companies from contesting and not complying, but even prevent them ever disclosing such requests.

True, but then they will be found out and distrusted. So basically they'll lose business because of the government of the country they are established in.

It looks like the Symantec distrusting was done with the cooperation of Symantec, which agreed to wind things down and transfer clients to a new provider in an orderly fashion?