Last Chance to fix eIDAS: Secret EU law threatens Internet security

If you are concerned by this proposals, then you should check out current CAs trusted by your browser - all those CAs can issue rogue certificates trusted by your browser, that can be used in MITM attack.

For example, CAs present in Firefox, that might give you pause: Beijing Certificate Authority, China Financial CA, Guang Dong CA

The CA system in browsers is inherently broken and it allows state actors to MITM you and see all your traffic if they: 1. have ability to capture IP traffic (requires cooperation with ISP) 2. have ability to generate rogue certificate via cooperation with CA

Yes, but:

1. Major browsers (Chrome, Safari, Edge) only accept certificates which are published in Certificate Transparency logs.

2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

So it's not really viable to use the existing CA system for MitM attacks.

The eIDAS proposal would:

1. Prevent browsers from distrusting CAs which are used in MitM attacks.

2. Ban mandatory checks (such as Certificate Transparency) on certificates unless the EU agrees to them.

That creates a system that is very viable for government MitM attacks.

> 2. If a CA is discovered to have issued MitM certificates, they are swiftly distrusted by browsers.

Thats reassuring but, not knowing much about this, I have a couple of questions:

1. Is this proactively monitored for? And how? And by whom?

2. If a major state-level CA was discovered to have issued a mitm cert, would browser vendors really take the commercial hit of removing or distrusting their root cert?