Upcoming EU legislation could undermine years of progress in cybersecurity, and weaken our first line of defence against cybercrime and malicious network interference.
Security on the web is a defining issue of our time. Consumers worry about their data being stolen and abused. Companies are under attack from cybercriminals and state actors. In Europe alone, 37% of residents do not believe they can protect themselves from cybercrime, and 41% are concerned about the security of online payments.
The Internet was not originally designed with privacy and security in mind. Rectifying this is an ongoing and essential effort. It is essential because security underpins commerce, public services, and learning today. Indeed, the centrality of the Internet to the most trivial and most profound of human activities was laid bare during the pandemic. And while we’ve made some important progress in securing the web in recent years – the proliferation of HTTPS being a notable example – we have more to do.
Authentication and trust
One of the most important mechanisms for securing the web is website authentication. In basic terms, this is the process of ensuring web traffic goes where it is intended and not to cybercriminals. It helps protect individuals from identity theft, financial crime, surveillance, and malware, and as such, is a key pillar of trust online. At a technical level, website authentication depends on website certificates. These are cryptographic documents that attest to control of a domain name, and which a website uses to assert itself to a web user’s browser. Certificates are issued by distinct entities, known as Certificate Authorities (CAs). CAs verify that websites are under legitimate control, and issue certificates to those websites.
If a CA issues a certificate to the wrong website – whether for malign intent or owing to poor operational practices – web users are at risk. It is therefore essential that CAs are trustworthy. To establish this trust, many browser vendors deploy a process for vetting certificate authorities for security proposes (called a ‘root program’). CAs that meet these security standards are eligible for inclusion in the root certificate store, and the certificates they issue to websites will be trusted in the browser. At Mozilla, we consider this process vital to the security of our products, the welfare of our users, and the health of the Internet in general. Independent browser root store programs have historically been an integral first line of defence for when web certificates are misused.
Unfortunately the website security ecosystem is under threat. Under a draft law under discussion in the EU – the eIDAS 2.0 regulation – browser makers would be forced to accept certificates issued by a CA approved by any of the EU Member States (known as Trust Service Providers or TSPs), regardless of whether they adhere to browser security standards. For example, Hungary, France, Finland and Cyprus could each choose their own CA's. All browsers would be required to accept these CAs and the certificates they issue, even if browsers deem the CAs (or the certificates they issue) to be untrustworthy. This provision amounts to a legalised bypass of vetting processes that are essential for security on the web. And it puts everyone's security at risk.
The consequences of this provision are stark. Browser makers like Mozilla would be inhibited in our ability to anticipate and respond to security breaches, for instance in cases where a TSP issues a certificate for a website that is controlled by a cybercriminal. In addition, it sets a de facto ceiling on website security – security standards governing the conduct of TSPs would be set to a ‘point-in-time’ EU legal standard, with browsers unable to supersede them in response to the ever-evolving threat landscape.
Yet while these consequences are alarming in themselves, there is a more profound unintended consequence that will be a concern for all of us who believe in multistakeholderism and the promise of the open Internet. Root certificates can be a powerful tool for surveillance and censorship, and in recent years we have experienced ever-increasing pressure from repressive regimes in various parts of the world to ‘white-list’ government-controlled CAs whose intent is to violate human rights.
While this is clearly not the intent of the EU legislator, there is a critical precedent-setting aspect that creates untenable risks for security on the web. The website security community has successfully resisted attempts by authoritarian regimes over the years precisely because there has been a strong international norm that forced inclusion of root certificates by governments is impermissible. By mandating browser makers to automatically trust government-approved CAs for well-intentioned ends, the EU rules will simply embolden authoritarian regimes and geopolitical competitors who seek to leverage root certificates for human rights abuses. And crucially, the consequences of this slide cannot be locally-contained. A rogue CA in one country can pose risks to web users everywhere.
Fortunately, there is still time to avoid these outcomes. Lawmakers in the European Parliament and the EU Council are currently considering the draft law, and have an opportunity to introduce essential amendments that would allow browsers to continue to undertake the necessary security work to protect web users and to maintain the integrity of the global website security ecosystem. A broad coalition of browser vendors, civil society organisations, and security experts are making their voices heard, and will continue to do so. The stakes are too high not to.