zifnab25 [he/him, any]

Europeans: “Those perfidious Russians and the nefarious Chinese are the two single biggest threats to our domestic security. Why… they’ll just hack into any old thing and fill it full of evil communist propaganda. They’ll shut down our critical infrastructure, hijack our data services, and spam us so full of phishing attempts that you won’t know what’s safe to click on! And all just to watch us fail, then laugh at us. The fiends!!!”

Also Europeans: “Google’s CEO said we need to dismantle the last ten years of digital safety standards so we can undermine the YouTube adblocker. Make this our top priority.”

i hope this is exclusively anti-google and not some in-between the lines way of saying we’re also being too harsh to two genocidal dictatorships

spez

Just fuckin’ start rectally examining every damn citizen!

yep, just in case they’re hiding a terrorist or pedophile up there.

@Tak@lemmy.ml

But THINK OF THE CHILDREN!!1!

Disregard how 1184 children died in the US to cars and 162,298 were injured in 2021 alone

Fuck cars

damn carsexuals exist??

TETRA? The radio protocol used by the police?

Sigh…

I did not expect them to be so dumb as to break their own specific encryption systems…

Well, I guess I expected the bare minimum from the government, and they let me down…

…again.

Also, the implementation is fucking horrible. The rule is literally “Press, Think, Speak”, because requesting to speak and opening a connection takes a solid 5-10 seconds. Very good if you want to communicate while in a burning house. Literally everybody hates it.

Are you using a different Tetra than anyone else? Because every radio I have used takes at max 1-1,5s to establish communications?

Oh, what the fuck?

One of the key benefits of radio communications, is that it acts as a megaphone, but only to people monitoring the channel.

Press the PTT key, and talk (following established radio protocol), 5-10 sec delay is crap!

That’s why fire over here is either on analog FM or DMR

@Pechente@feddit.de

That sounds horrible. What about this stupid standard takes this fucking long? Is it not improvable by current tech?

They are working on it. The TETRA standard is from the 90s, and by now the last fire departments are switching to it (TETRA)

Maybe 20 years between the federal decision and the last county implementing the new standard.

No it’s the tech behind milk cartons, tetrapak

It’s what caused all those children to go missing

Sacrifices had to be made

So Alfa Laval?

If anyone actually bothers to read the EU website, it’s not the EU you have to worry about

Who is it then?

In one of the randomly selected messages at the top of their homepage they show their opencollective page. They’ve marked themselves as Australian

Fluke McHappenstance

Security through bureaucracy.

Please don’t.

Fluke McHappenstance

Sorry but do you have a Please Don’t Form 1302?

Only the Can You Don’t 3907B

Fluke McHappenstance

That one does not apply today or tomorrow.

But I have a The Eighties Called 60873.a form that allows me to use that previous one

@jet@hackertalks.com

Golf clap

Skull giver

deleted by creator

Arthur Besse
creator

The legislation requires web browsers to trust EU countries’ CAs (which browsers already tend to do, but are presently free to remove when they’re observed being misused) and prohibits doing non-ETSI-approved validity checks (e.g., certificate transparency, which is a way CA-misusing MITM attackers can be caught).

Wouldn’t you say the point of that particular clause is to reduce browser security (so that cops and intelligence agencies are free to exploit it without interference from CT)?
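How a certificate transparency log lets a certificate that was never logged be caught, as an added example that is not part of the thread: the log publishes a Merkle tree head over everything it has accepted (RFC 6962 hashing), and a client accepts a certificate only if an audit path links it to that head. Assumptions: the entries are constructed placeholder byte strings rather than real MerkleTreeLeaf structures, and the signature on the tree head is left out.

```python
import hashlib

def leaf_hash(entry):                      # RFC 6962: leaves are prefixed 0x00
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left, right):                # interior nodes are prefixed 0x01
    return hashlib.sha256(b"\x01" + left + right).digest()

def split(n):                              # largest power of two strictly below n
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries):
    """Merkle tree hash that the log signs and publishes."""
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split(len(entries))
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def audit_path(m, entries):
    """Log side: sibling hashes proving that entry m is in the tree."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if m < k:
        return audit_path(m, entries[:k]) + [tree_head(entries[k:])]
    return audit_path(m - k, entries[k:]) + [tree_head(entries[:k])]

def root_from_path(m, n, leaf, path):
    """Client side: rebuild the root from one leaf hash and its audit path."""
    if n == 1:
        return leaf if not path else None
    if not path:
        return None                        # proof too short for this tree size
    k = split(n)
    if m < k:
        sub = root_from_path(m, k, leaf, path[:-1])
        return None if sub is None else node_hash(sub, path[-1])
    sub = root_from_path(m - k, n - k, leaf, path[:-1])
    return None if sub is None else node_hash(path[-1], sub)

def is_logged(cert, m, n, path, signed_root):
    return root_from_path(m, n, leaf_hash(cert), path) == signed_root

# Constructed sample log entries (placeholders, not real certificates).
LOG = [b"cert:shop.example", b"cert:mail.example", b"cert:gov.example",
       b"cert:bank.example", b"cert:wiki.example"]
ROOT = tree_head(LOG)
PROOF = audit_path(3, LOG)
```

A certificate for the same name that was issued without being submitted to the log hashes to a different leaf, so `is_logged` returns `False` for it even when it is presented with a valid proof for the logged certificate.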

Skull giver

[This comment has been deleted by an automated system]

Fedora

I doubt they care about CT checks per se, they’re just afraid that Digicert fucking up will break their critical government services.

Right… uh. Listen, my government used a local/regional CA. Do you want to know what happened? My government got the privilege to emergency re-issue all of their TLS certificates with a different CA because the local/regional CA forgot to renew its own CA certificate. Everything was down. Government websites, government services, eID SSO authentication, etc. You had one job!

@dark_stang@beehaw.org

If they wanted to make browsers less secure, they would do so in much more obvious ways.

The new proposal demands browsers automatically trust government created root certificates. That means any EU government can do a man-in-the-middle attack on any end user running that web browser, even users in other countries. There is no reason to do that other than to spy on people or to manipulate the content that they’re viewing.

If any government, or company for that matter, wants to make their own root cert and deploy it to all their users/machines they can already do that easily. A lot of companies that work with sensitive data already do this, and some companies (ex: symantec) provide solutions to do it very easily, so the IT team can see everything the users are doing.

Fedora

I’m curious why they want this instead of mTLS certificates? This smells like secret services counseled Europe using a front company. But that wouldn’t surprise me, since similar events happened multiple times in the past.

Skull giver

[This comment has been deleted by an automated system]

Fedora

Why would the secret services need a front company?

Governments here must use public tenders to buy services, and they pick the offer with the lowest price. Secret services can eat operational costs to place an extraordinarily competitive bid, but governments usually have anti-spying regulations. Hence, secret services bid with front companies.

But why bid in the first place, you may ask? eGovernment services are an attractive target due to the sensitive information at stake, and the potential to influence laws related to the eGovernment services. Secret services implement eGovernment services in a way that allows them to gain intelligence.

But how can they implement services in such a way, you may ask? Ask forgiveness, not permission. Of course, bullshit justifications play an important role here. E2EE? Why do that? Do you not want to scan files that go through the system for viruses? Real justification for why De-Mail stores sensitive emails in plaintext.

Governments now have the following options:

  • Discard their paid work and forget about the initiative.
  • Discard their paid work and contract someone more expensive than the original bidder.
  • Pass laws to allow how the insecure service operates.

Remember De-Mail? Yeah, that exists. Exceptions that allow insecure storage of sensitive emails as long as it’s De-Mail. Exceptions that allow De-Mail providers to send legally binding emails on behalf of everyone. No, I’m serious. If anybody compromises De-Mail providers, they can practically send legally binding emails on behalf of everyone, as long as they don’t leave behind any trails of course.

But sometimes, like here I suspect, secret services hit the jackpot. They’ve got such an insecure implementation that the laws required to allow the service to operate nullify the security of a large portion of the internet. Now, if enforced, they can intercept traffic like they used to back when everyone ran on http without the s. SIGINT is dead, long live SIGINT!
