Fw: [News] The EU intends to eavesdrop on everyone's internet connections
Board: PC_Shopping  Author: skycat2216 (skycat2216)  Time: 2023/11/11 21:56  Score: 37 (38 up, 1 down, 50 neutral)  89 comments, 39 participants  Thread: 1/4
※ [This article was forwarded from the Gossiping board, #1bJtYBwx ]
Author: skycat2216 (skycat2216) Board: Gossiping
Title: [News] The EU intends to eavesdrop on everyone's internet connections
Time: Sat Nov 11 20:50:17 2023
Notes go at the very end; news posts that violate this are deleted
1. Media source:
The Register
2. Reporter byline:
Thomas Claburn
3. Full headline:
Bad eIDAS: Europe ready to intercept, spy on your encrypted HTTPS connections
EFF warns incoming rules may return web 'to the dark ages of 2011'
----------- Brief explanation: ----------
This is something China did long ago
CNNIC issued certificates like this, and later bought up other certificate issuers, which led to the CA no longer being trusted
But this time the EU goes further: it directly requires that they must not be removed
4. Full article text:
Lawmakers in Europe are expected to adopt digital identity rules that civil society groups say will make the internet less secure and open up citizens to online surveillance.
The legislation, referred to as eIDAS (electronic IDentification, Authentication and trust Services) 2.0, has been described as an attempt to modernize an initial version of the digital identity and trust service rules. The rules cover things like electronic signatures, time stamps, registered delivery services, and certificates for website authentication.
But one of the requirements of eIDAS 2.0 is that browser makers trust government-approved Certificate Authorities (CA) and do not implement security controls beyond those specified by the European Telecommunications Standards Institute (ETSI).
Under eIDAS 2.0, government-endorsed CAs – Qualified Trust Service Providers, or QTSPs – would issue TLS certificates – Qualified Website Authentication Certificates, or QWACs – to websites.
But browser makers, if they suspect or detect misuse – for example, traffic interception – would not be allowed to take countermeasures by distrusting those certificates/QWACs or removing the root certificate of the associated CA/QTSP from their list of trusted root certificates.
Put simply: In order to communicate securely using TLS encryption – the technology that underpins your secure HTTPS connections – a website needs to obtain a digital certificate, issued and digitally signed by a CA, that shows the website address matches the certified address. When a browser visits that site, the website presents a public portion of its CA-issued certificate to the browser, and the browser checks the cert was indeed issued by one of the CAs it trusts, using the CA's root certificate, and is correct for that site.
If the certificate was issued by a known good CA, and all the details are correct, then the site is trusted, and the browser will try to establish a secure, encrypted connection with the website so that your activity with the site isn't visible to an eavesdropper on the network. If the cert was issued by a non-trusted CA, or the certificate doesn't match the website's address, or some details are wrong, the browser will reject the website out of a concern that it's not connecting to the actual website the user wants, and may be talking to an impersonator.
Here's one problem: if a website is issued a certificate from one of those aforementioned Euro-mandated government-backed CAs, that government can ask its friendly CA for a copy of that certificate so that the government can impersonate the website – or ask for some other certificate browsers will trust and accept for the site. Thus, using a man-in-the-middle attack, that government can intercept and decrypt the encrypted HTTPS traffic between the website and its users, allowing the regime to monitor exactly what people are doing with that site at any time. The browser won't even be able to block the certificate.
As Firefox maker Mozilla put it:
This enables the government of any EU member state to issue website certificates for interception and surveillance which can be used against every EU citizen, even those not resident in or connected to the issuing member state. There is no independent check or balance on the decisions made by member states with respect to the keys they authorize and the use they put them to.
How that compares to today's surveillance laws and powers isn't clear right now, but that's basically what browser makers and others are worried about: government-controlled CAs being abused to issue certificates to websites that allow for interception. If an administration tried using a certificate not issued by a trusted CA, browsers would reject the cert and connection, hence Europe's desire to make browser makers accept government-backed CAs.
Certificates and the CAs that issue them are not always trustworthy and browser makers over the years have removed CA root certificates from CAs based in Turkey, France, China, Kazakhstan, and elsewhere when the issuing entity or an associated party was found to be intercepting web traffic. Many such problems have been documented in the past.
An authority purge of this sort occurred last December when Mozilla, Microsoft, Apple, and later Google removed Panama-based TrustCor from their respective lists of trusted certificate providers.
Yet eIDAS 2.0 would prevent browser makers from taking such action when the CA has a government seal of approval.
"Article 45 forbids browsers from enforcing modern security requirements on certain CAs without the approval of an EU member government," the Electronic Frontier Foundation (EFF) warned on Tuesday.
"Which CAs? Specifically the CAs that were appointed by the government, which in some cases will be owned or operated by that selfsame government. That means cryptographic keys under one government's control could be used to intercept HTTPS communication throughout the EU and beyond."
The foundation added the rules "returns us to the dark ages of 2011, when certificate authorities could collaborate with governments to spy on encrypted traffic — and get away with it."
Mozilla and a collection of some 400 cyber security experts and non-governmental organizations published an open letter last week urging EU lawmakers to clarify that Article 45 cannot be used to disallow browser trust decisions.
"If this comes to pass it would enable any EU government or recognized third party country to begin intercepting web traffic and make it impossible to stop without their permission," the letter warns. "There is no independent check or balance on this process described in the proposed text."
In an email to The Register, a Mozilla representative added, "Mozilla is deeply concerned by the proposed legislation and is continuing to engage with key stakeholders in the final stages of the trilogue process. We are committed to security and privacy on the Internet and have been heartened by the outpouring of support from civil society groups, cyber security experts, academics, and the public at large on this issue. We are hopeful that this heightened scrutiny will motivate EU negotiators to change course and deliver regulation with suitable safeguards."
Google has also raised concerns about how Article 45 might be interpreted. "We and many past and present leaders in the international web community have significant concerns about Article 45's impact on security," the Chrome security team argued, and urged EU lawmakers to revise the legal language.
According to security researcher Scott Helme, the latest regulatory language – which has not been made public – is still problematic.
The EFF says the legislative text "is subject to approval behind closed doors in Brussels on November 8."
5. Full article link (or short URL); reposting media such as YAHOO, LINE, MSN are not allowed:
https://www.theregister.com/2023/11/08/europe_eidas_browser/
6. Notes:
CNNIC and WoSign: hello there, neighbor, hope you end up even worse off than we did
If the EU dares to do this, I will definitely DDoS their servers into the ground, and if I can, I'll dig out their secrets as well
This is no longer something to play the "5th floor" joke on; can you imagine the other side of the strait eavesdropping on every communication in the world?
--
※ Posted from: PTT (ptt.cc), from: 111.82.109.225 (Taiwan)
※ Article URL: https://www.ptt.cc/bbs/Gossiping/M.1699707019.A.EBB.html
※ Posted from: PTT (ptt.cc)
※ Forwarded by: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 21:56:27
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 21:57:13
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/11/2023 22:00:52
Bro, the problem is there's a thing called MITM
That's why CA certificates exist, to verify who holds the site
Take an example: say I own A.com today and buy a certificate from some legitimate, trusted CA, which signs the link between this domain and my IP,
when you connect but don't know whether I'm really A.com and ask me to prove my legitimacy,
I just pull out this certificate and you know I definitely have this domain
But now the EU only needs to sign an A.com certificate itself to claim it owns this domain, trick you into establishing an encrypted connection with it,
and then turn around and establish another encrypted connection with me
During that decrypted stretch in the middle, the EU can see all the data
As for traffic and storage, GFW-class equipment costs roughly the price of a dozen or so F-16Vs, and there's no need to store everything either
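The certificate checks the article lays out (chain to a trusted root, then a hostname match) and the interception the reply just above describes can be played out end to end with Go's standard crypto/x509. What follows is an added example, not code from The Register, Mozilla, the EFF or the poster. It builds two self-signed roots, a CA the site chose and a hypothetical government-mandated root, has each sign a certificate for the same hostname, and runs the browser-style verification against a curated trust store and against the same store with the mandated root forced in. The CA names, the placeholder hostname example.com and the Outcome field names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome holds the browser-style verdicts for one hostname (expected values in comments).
type Outcome struct {
	GenuineAccepted              bool // the site's own cert vs. the CA the site chose: true
	InterceptorAcceptedStrict    bool // interceptor's cert vs. that same strict store: false
	InterceptorAcceptedMandated  bool // same cert once its root is forced into the store: true
	InterceptorWrongHostAccepted bool // same cert presented for a different hostname: false
}

// mustSign generates a fresh P-256 key for tmpl and has parent sign it; a nil parent
// means self-signed (a root). Failures here are RNG or programming errors, so it panics.
func mustSign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // toy serial; real CAs use random serials
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// rootTemplate shapes a CA root; both the site's CA and the mandated root use it.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// leafTemplate shapes a server cert for host; whoever gets it signed holds the private key.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// browserAccepts is the article's check: chain to a root in the store, valid for the host visited.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// RunScenario plays out the article's concern for one hostname.
func RunScenario(host string) Outcome {
	siteCA, siteKey := mustSign(rootTemplate("CA chosen by the site (hypothetical)"), nil, nil)
	mandatedCA, mandatedKey := mustSign(rootTemplate("Government-mandated root (hypothetical)"), nil, nil)
	genuine, _ := mustSign(leafTemplate(host), siteCA, siteKey)
	interceptor, _ := mustSign(leafTemplate(host), mandatedCA, mandatedKey) // the site is never asked
	// Trust store as a browser vendor curates it: only roots it has vetted.
	strict := x509.NewCertPool()
	strict.AddCert(siteCA)
	// The same store after a root the vendor may not remove has been forced in.
	mandated := x509.NewCertPool()
	mandated.AddCert(siteCA)
	mandated.AddCert(mandatedCA)
	return Outcome{
		GenuineAccepted:             browserAccepts(genuine, strict, host),
		InterceptorAcceptedStrict:   browserAccepts(interceptor, strict, host),
		InterceptorAcceptedMandated: browserAccepts(interceptor, mandated, host),
		// The hostname check is untouched by the store: the cert still fails for another site.
		InterceptorWrongHostAccepted: browserAccepts(interceptor, mandated, "login."+host),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario("example.com"))
}
```

Nothing about the interceptor's certificate changes between the second and third verdicts; only the trust store does. That is why the dispute is over who may remove a root, and why the hostname check, which still rejects the certificate for a different site, is no help to a user who is visiting exactly the site the interceptor's certificate names.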
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/12/2023 02:22:23
※ Edited: skycat2216 (111.82.109.225 Taiwan), 11/12/2023 02:31:20
Thread (posts with the same title)
The following posts replied to this one:
Full thread (this post is 1 of 4):