"eIDAS" would allow EU STATES to SPY on all INTERNET TRAFFIC!
Вставка
- Опубліковано 23 лис 2023
- 💸💸 Help me contribute to KDE and do these videos: 💸💸
Paypal: paypal.me/niccolove
Patreon: / niccolove
Liberapay: liberapay.com/niccolove
Ko-Fi: ko-fi.com/niccolove
Stay in the loop: t.me/veggeroblog
My website is nicco.love and if you want to contact me, my telegram handle is [at] veggero.
It's exhausting how frequently legislation like this is proposed nowadays. It's honestly shocking just how flippant people are with privacy nowadays. It became normal for big tech companies to harvest as much data as possible and people started coping by saying they've nothing to hide. And now governments are looking at the populace and thinking that most of people won't care if they spy on them... And they're right. And it feels so clear that the lessons of recent history have been lost. Especially for people to be this relaxed about privacy in Europe of all places.
2052: 1984, the sequel
What's sad is that I'm a CS student and most of my peers don't understand the importance of privacy either and have the exact same take. People seem to prefer convenience at any cost, even if their intellectual freedom is on the line...
Lucky for us there are plenty of movies with ideas how to take things down.
Government certificates should be installed in the browser, to provide security for gov.* services, but ONLY if the standard is extended so those certificates only apply to .gov. services (and no other certificates apply). This would increase security as the increasingly digital government services couldn’t be compromised by one of hundreds of private companies making a certificate
One slight technical nitpick, EU's equivalent of .gov.eu is actually .europa.eu - of course I'm not talking about individual counties, eg. .gov.pl
Anyway! This it honestly the best way out of this mess. I reckon the whole was probably well-intentioned, considering the broader context. This regulation is about digital IDs, so the reasoning must've been "Well... We don't want any private company to have decryption access to our digital ID service - so we need our own authority! (and of course we're gonna mandate it by law because we can - we're the gov't)", but after that noone thought about what consequences this would have. A legislation forcing browsers to accept governmental certificates, but only on government websites would be the best of both worlds - no risk of private companies stealing your most sensitive personal data and probably selling it for profit, and also no risk of the government controlling your private communications.
Hopefully we'll finally get the technical parts needed for this extension, because it's something which should have been in the works for decades.
They've sadly even removed the EV-certificate system.
@@autohmae yeah removing EV was very stupid, it was a really good way for banks to avoid phishing.
The problem with this is that this would effectively generate another parallel domain name system (heck, or 152 parallel domain name systems), and given a URL, which root server should you look for? What if one of the parallel systems has records for a site which should properly be on another, and yields a parallel certificate for it, such that you either get the correct or the wrong certificate depending on which system the browser decides to try first? This seems like a step in the right direction, but has just as much potential to explode spectacularly in our faces just as much as the current plan.
Government certificates should not be installed in the browser at all.
Your political videos are amazing! The part where you used the translate voice was incredible funny
mandating trust... that's some Orwelling shit
This hostile move from governments will demand new type of protocol.
Given how Europen countries lean more and more towards autocratic governments recently, such potentially abusable infrastructure legislations are getting scarier if you imagine governments turning into China-lite in a decade :|
It's already happening, but they take it step by step, so people are slowly boiled like a frog.The processes of decay of our freedoms have already advanced too much...
waiting for china-max & china-max-pro
Countries leaving EU seem less autocratic than the ones who remain creating these type of legislations
It's a global trend tbh - Just look at the US and Trumpy boy for example.
@@nnnik3595 Trump is pro-freedom, not pro-autocratic. Biden is the Manchurian candidate.
EU takes 1 step forward and 2 steps back every time with their legislations.
Brexit geezer💀
The EU is the kid that thought a balanced meal means food that's half good and half bad for you and followed that idea religiously
The idea that any web user should have an identifiable "digital ID" at all times controlled by the government (though, I am aware of fingerprinting existing right now and controlled by companies) is disgusting to me, and not letting browser developers implement security features in areas of the world where this ID thing is mandatory makes it even more frightening.
Did you even watch the video? "Every web user" isn't required to have a digital ID. He literally said that the digital ID part of the legislation was fine. If this was something dystopian, like requiring a dID for internet access, he would've probably talked about it, wouldn't he?
I agree with the second part of your comment, tho - they shouldn't have control over certificates, at least not a whitelist. I could see a blacklist being enforced - so that the gov't could swiftly ban misbehaving CA, for example if they break the other regulation he mentioned (and this shouldn't be useful for banning of individual websites, for there are a lot of websites using a single CA and I doubt they'd be willing to block a large chunk of the Internet just to take down one). But don't force your bs upon me, please! (Alright, I will accept one form of forcing - if certificates from forced CAs are legally required to only apply to government's services unless the browser willingly choses to apply it everywhere. Hell, I'd prefer this over the current system where all governmental websites are ultimately under control of some random private company.)
I think the solution is for browsers to make "trust" not binary (either you trust or not): clearly show current authority when you visit a website and warn user when it has changed since your last visit.
I think this would be confusing to the average user. How would they know whether to trust the new certificate or not? Most people, and to be honest, myself, don't know what they would have to do in such a situation
@@lucaslzt Show the country flag next to it, that will make it clear enough.
What if the browser would perform a certificate check involving a third party. This way, if i access some European gov site, site presents a local gov certificate and the third party says it's the same on the other end - it can be trusted. But if i access, for example, google. com and it presents a local gov cert, it will not match on the other end, thus it should not be trusted.
Politicians are not afraid of us... it's our task to fix that.
I don't trust the EU.
I don't trust you
@@leelasuelane6544 A wise decision.
I came because of your interaction with louis rossmann
I subscribed and stayed because of quality content like this one 🙂
So basically, certificate pinning, that is long discussed but still not widely deployed, is the solution and the way to go for CAs, website owners and the browser developers. With certificate pinning, certifciates for particular websites can be "pinned" to particular CAs, and if certificate for the website seems to be issued by a different CA, browser treats it as invalid.
Also how they plan to enforce this legislation on open-source browsers? Even if Mozilla will conform to this, surely someone will fork Firefox and make a version that does not have these governmental certificates built in. Do they plan to prevent people from downloading and using such forked versions (how?) or make using them illegal (again, how do they plan to enforce this?)
Just when I thought they are doing a good job combating big tech gatekeeping and spying. They become the very thing they swore to destory
Hi Nicco, thanks for the content these days. Really linking the new format. Another channel to look forward to aside from "TheLinuxExperiment" channel.
Just a suggestion, i know you are trying to learn more English specially its pronunciation but I believe adding subs/close caption to your videos will greatly help many viewers because accent is a very hard thing to remove in oneself. I myself am not a native English speaker so hearing another non-native English speaker with their accent sometime gets very hard and confusing. The auto-generated CCs are also shitty at the words you are having difficulty to pronounce which may lead more to confusion. Anyways, good luck.
Hey, you too only watch these two channels?
He usually adds subtitles, maybe it'll be up in a few hours.
His English is pretty good, you'll get used to it just you want to watch more.
Captions is always good to have
the background music is such a fucking banger ive been watching you for a bit and the production quality keeps going higher and im proud of you and your team
Well... given how the open source community works, Chromium, Firefox and so on, I think it is going to be hard to implement those rules. EU or some other entity could not possible hold a browser download site - accountable, it is up to the user (that download) to be sure that the person complies to local laws or rules. especially if some mechanism is created to download the source (or part of it) and compile it automatically on the end user system without to much intervention.
Companies like Microsoft, Google and others might have a harder time as they are directly responsible for their products... even if it is based on open source, it is an "enhancement" of it, so they might end up getting fined.
if I recall, most unofficial minecraft server software have a system where when you do the first run, it will then compile the minecraft server source to get around some restrictions from ms/mojang
@@aceae4210
I do not know the inner works of minecraft, but it is java (mostly) and several mods suggest injections is possible.
Back to the browsers, it might be as easy to comply with, that the end user is presented with an option to enable access to those root certificate servers together with a small text describing the good and the bad with it.
It is delivered with the browser as said, the choice is the end user - perhaps not thought of.
Great topic to talk about !
As someone who knows a bunch about the technical parts, I would have worded some things differently, but that's not as important at the general message.
So everything would become like Discord DMs. Beautiful. /s
If this came from Eastern Europe, it wouldn't be surprising at all, as we had and still have governments that have autocratic tendencies. What really worries me it's that the entire EU has started to have more and more autocratic tendencies lately... 😅
You look so stylish! 😮😊
"To make the internet work, we need those certificate authorities". Nope. They are a flaw in the system. We need better algorithms that keep any human actor (including governments) out. Give any power to anyone and they will use it. Promises and laws are not trustworthy. Only maths is.
Thanks!
@NiccoLovesLinux, did you say Australia, but meant Austria?
I guess if this legislation passes services themselves would consider https traffic as effectively plaintext. A solution could be user space asymmetric encryption by the services themselves - encrypting the data to/from devices themselves. But there's no way to guarantee that a service does this and it would, as stated, take us back 12 years (a time before https as the legislation renders https useless)
Not completely. https did prevent 90% of MITM attacks in public spaces. But yeah, it would make it incredibly straightforward to censure people and take away their freedom of expression after that legislation is put in place.
the E.U is never “between” its either the worst or the best bills.
I like the "workers union spinoff education department" pin you have on you. :) (ABF = Arbetarnas Bildnings Furbund)
So, is this basically mass surveillance?
( I've read people and some MEP's talking about the Digital services act and how it apparently breaks certain ECHR laws. )
Well, it could potentially be used for that BUT as I understand it hasn't happened in practice.
The only technical reason it hasn't happened is: for technical reasons (takes a big investment) but also political (nobody wants to be that government).
@@autohmaetrust me, the fake and imaginary government of the EU is willing to turn Europe into the United Surveilled European States
My friend, mass surveillance has long been going on.
@@RedOneM well, the technologist working on how the Internet works actually greatly reduced the abilities to do so. Maybe I can even say: solved it Look up: encrypted client hello
I dunno, I lean towards a govt controlled CA managed by folks that could be voted out of office (in an ideal world) is not really that much worse than CAs controlled by corporations beholden to shareholders. We, the world, do need a rock solid eID system, so I hope the good guys work it out before the bad guys totally run riot.
EU commissioners are not voted into office thus cannot be voted out of office.
No, this is much worse: organizations and companies like Mozilla, Google, etc. can currently when abuse of the system is detected drop a bad actor.
This law says: they are not allowed to remove the bad actor from their browsers, etc.
So this is very much worse.
In Hungary (or perhaps even France) I'm sure that will work out just fine.
3:45 That's actually not 100% accurate. HTTPS/TLS handshake does not use the public key for encryption, but for validation. The key used for encryption is a symmetric key generated using ECDH or regular DH. The public key is used to verify if the website is who they say they are. Thus, the certificate authority can pretend to be soomeone else, but they cannot listen to other people communicating just through that.
i think it's possible because thats how adgaurd on Android performs https filtering
Can I ask you to cover The Breckn protocol & ONDC made by India
It's similar to their UPI tech
#SWEXIT 🇸🇪❤
I am confused, did it pass then?
I'm confused. It's like I watched a quarter of the video. First, I hear about the secret legislation, but no explanation what is it about. So next, you introduce those trust certificate bodies issue and... give us call to action. About what? Did I miss something?
Non avevo mai sentito parlare di questo eiDAS, maledetti
will it's because they wanted to make sure that non of the other mainstream browsers is going to abuse their marketshare
❤
This is out of the topic but I have to say it. Why KDE 6 is not fixing the rounded corner at the bottom 2 corner of the window? All 4 corner of every window should be equally round not like GNOME 36 which had upper 2 corner rounded and bottom 2 not!!
DAS = Authorized DOS (Denial of Service)
not DOS, but Man-In-The-Middle aka surveillance.
4:25 that's a funny French flag.
E- i-d-a-s es q es, creo
What does it say on your pride pin? My internet isn't good enough to have youtube's resolution high enough to read it
I knew cookies were bad
what is your abf pin?
Arbetarnas bildningsförbund
@@dimguru suuure
@@dimguru there is time, he will eventually find out for himself what a cancer the modern left is :))
@@dimguru Free country. If you don't like it get out. 🤫 Go to Russia or China. They will give you what you so desire.
@dimguru Ahhhhh, the classic intellectually dishonest argument of bothsidesism. Also, you're the one making this out to be "political". Me thinks you don't like Arbetarnas bildningsförbund for some reason and want to pretend neutrality while stifling his option or others of seeing them. Hmmmmmm, strange.
This is entirely a move in the wrong direction. I hate the rightward march of public policies that has happened in the last 30 years.
We need to get rid of these so-called "trusted" third-parties from the process altogether. It would be a trivial matter from a technical point of view, adoption would be a different story though. Basically just cut out the middle-man, use self-signed certs that can be verified by the user/browser (upon request).
that doesn't solve the trust problem at all. a self signed certificate is basically "I am who I say I am". what does the browser verify exactly in this case? if a scam website and a legit banking website both identify as the bank and both are self signed, how do you differentiate. they're called root certificates because you need a baseline trust to something, otherwise you can only trust yourself.
I think you misunderstand how the system works and why it works.
@@parabolicpanorama A scam website can get another certificate for their website, and it will still show as secure. This was solved for banks with EV certs but they removed them for some reason.
In OP's situation, the first time the client visited the website, it would probably store the certificate and display a huge warning if it ever changed. This has downsides, but so does the root CA solution.
@@parabolicpanorama Verification of "who you are" could be conducted by a third party, but this would have nothing to do with a third party actually signing your certificate (because, as Nick explains in this video, the scheme is flawed and open to government abuse). You (the website/domain name owner) could upload/register your public key with a third party, and this could then be used to verify you are who you say you are. But having a third party sign your certification are identity verification will always be exploited by governments.
@@MnemonicCarrier you seem to be misunderstanding the issue. what you described is how root certificates already work, without any of the security parts used.
Anyone can be a Certificate Authority (CA). When you self sign, you technically become a CA of your certificate. The root certificate is the certificate that is used to verify identity of a website before you establish a connection to it. A bunch of different organisations curate websites (aka uploading your certificate (self certified public key). MS, Google, Mozilla then verify that these people say who they are, and sign their certificates with root certificates. This allows your browsers to connect with these services.
As explained in the video, currently anyone can update the root certificates bundled on their devices. Enterprises often do this. They have their own subset of websites they want you to see, so they sign them with personal root certificates and install on employee devices. This way, any communication not intended by the enterprise automatically gets blocked before communication even occurs. The device will refuse to connect to unverified website until explicitly told to do so. This is very much a feature. This also keeps the "generally accepted" authorities in check as well, since if Google is malicious, anyone in the world will be able to instantly see and call them out on it. Their root of trust that they provide is based on them being able to provide secure platforms. Would the US DoD choose to host on Google if they start breaking encryption? People would remove their certificates and use their own. No one would ever trust Google for any kind of secure communication.
So 3rd parties aren't the issue at all actually, since you also suggest using them in the end. The issue is that EU wants to add certificates to your devices that you will not be allowed to remove. So in case a country goes rogue and they do compromise encryption, you will not be able to remove them from your device. You will be forced to use the insecure device BY LAW.
In your suggestion, even if 3rd parties stop verifying people, the issue of governments breaking encryption still stays. Your device will be forced to use whatever government certificates were issued. This is actually more insecure since certificates expire and change, and there can be multiple certificates for the same thing if signed with 2 different keys. This means, in your scenario, a completely different malicious actor could host keys on the 3rd party pretending to be the government, and read into your communications along with the rogue government.
I hope the issue is a bit more clear to you now.
Love the video, sad that there is another unrelated political/controversial display (the pin)
Of course, your content is _very_ worthwhile (to say the very least), so don't get this as a critique but as a wish:
Nicco, please use other quote marks in your titles so that those who download your videos could do so without manually inserting “” on choosing a file name. (These quote marks given in this example would work properly within file names.)
You could think of reasons (or also cons) as to why one would want an own archive (or you don't - which I'm meaning to say neutrally and in order to not impose this suggestion on you).
Is there a way to donate to you really anonymously (or in person, if you would ever be in Berlin, Germany)? (That's a basic question that I currently still perceive as non-trivial. And it's not so that I'd like to support non-benign creators, but given the climate of current affairs and their trend, you never know how things would be interpreted [quite later]... Even, if you surely believed to support someone honestly worthwhile who was _not_ fostering extremes, but quite the opposite. I find this chilling (and certainly not relaxing).)
I like your relatively calm style. Again: _Very_ good content.
I think you mean Austrian and not Australia, because Austria is in the EU and Australia not 😂
We like to keep our Signaturgesetz to ourselves as we ride our kangaroos across the Alps.
@@phelesmephisto7981 🤣
First
Thirst
Legislation is one of those weird words where you cannot use an indefinite article with it. “A legislation” does not sound correct in English. It would be “a piece of legislation,” “a law,” “a bill,” “a resolution,” or “a proposed law.” Which one to use depends on the type of legislative document it is, if it is known.
English is hard, and even as a native speaker, there are things I don’t like about it. Unfortunately, language is something we must adapt to rather than adapt for ourselves. Its rules and quirks will continue to be a thorn in our sides for generations, and significant change will take generations to unfold.
why not? why not say "a legislation" after all people will understand
what is that badge on your shirt...
LOL is it LGTV
Arbetarnas bildningsförbund
@@niccoloveslinuxoh that wokeness :(
@@survivor303You will never understand what you talk about if you never research, listening to far-right people and not fact checking their biased opinions will always be there and that's sad
@@duckriniumwhat? I dont support antihumanism.
@@survivor303 Anti-humanism is a philosophical point of view regarding the rejection of the idea of "human nature". LGBTQ is a diverse community of *people* who want to be respected and accepted for who they are. So it really have nothing to do with LGBTQ, really. But I will say it is often found that anti-LGBTQ individuals use any means to vilify this community, even if it has no direct connection to it.
Please keep the pride flags out of the videos. Trying to convince conservatives to go with privacy and open source is hard enough already (even though privacy in particular should be important to their beliefs). If I tried to share this video with them, many would just stop after seeing the pride flag and think it's something they don't agree with.
I'm not telling people how to believe, I just think the two issues are unrelated and should be kept separate