eIDAS Art.45(2) on web authentication poses a threat to internet users, Mozilla Firefox warns
Mozilla Firefox warns that eIDAS Art.45(2) threatens internet users by requiring browsers to accept Qualified Web Authentication Certificates. Marshal Erwin from Mozilla believes this regulation would weaken defenses against cyberattacks and increase the potential for state-sponsored surveillance. European Commission aims to address concerns over the technical implementation of Art.45(2) and ensure the recognition of certificates without compromising security.
EU’s Regulation on eIDAS entered into force in September 2014 and aimed to secure cross-border identification access for online services offered by the EU member states. The revised provision regarding web authentication (Art.45 (2) ) of the Regulation) obliges browsers to accept the EU-designed Qualified Web Authentication Certificates (QWACs) to protect them from fraud, malware, and surveillance.
According to Chief Security Officer at Mozilla, Marshal Erwin, Art.45 (2) of the eIDAs would bypass the critical line of defense against cybercrime and would eventually make it harder to push back surveillance attempts in the future. Erwin also adds that if Art.45 (2) is taken into a global standard, it will give tools to governments to carry out state-sponsored surveillance of internet traffic.
MEP Romana Jerkovic, deleted Art.45(2) in her draft to come up with a strategy that will not jeopardize security.
European Commission’s spokesperson said that the concerns raised by the browser community are based on the technical implementation of Art.45(2). The Commission intends to achieve the recognition of QWACs without any interference, and in collaboration with the relevant standardized bodies the technical implementation of Art.45(2) will be set.