Browser Makers and EU Face Off Over QWACsEU Set to Approve Revised ID Framework to Digitize Public Service Access by 2030
A European effort to wrest greater control over the infrastructure underpinning internet encryption has some security experts warning about degraded website security.
The European Union is on the cusp of approving a revised identity framework intended to digitize access to key public services for the majority of Europeans by the start of the next decade (see: European Digital Identity Bill Heads to Final Negotiations).
A section of the nearly complete update to the electronic identification and trust services regulations - better known as eIDAS - imposes a different kind of identity requirement onto web browsers. The goal, say proponents, is to increase online trust by requiring web browsers to display the identity of the organization that owns the site. That would be done by having browsers accept web certificates issued by entities designated by European governments as qualified trust service providers.
The certificates themselves are known as qualified website authentication certificates, or more commonly, QWACs, pronounced the way a duck would say it.
Underneath the arguments of proponents and critics lies a clashing set of assumptions about the function of web certificates. Proponents say they should be able to guarantee a website is trustworthy. For critics, the icon only means the connection is encrypted.
Quack! There's a QWAC in the Root Store
Ordinary web users rarely pause to consider web certificates, but they're a cornerstone of online security. They're responsible for encrypting traffic as it lurches across the internet, making it safe for e-commerce sites to collect payment cards and for medical patients to share sensitive data with hospital patient portals.
Users know when a website has a valid web certificate because next to the URL in the browser address bar, there's a lock icon. Web certificates implement the technology behind the "s" in the https protocol, which stands for "secure."
A QWAC would go a step beyond how browsers currently display web certificates by including website ownership data. The proposed eIDAS regulation says browsers would have to display that data in a consistent, user-friendly manner, along with the lock icon.
For the small subset of web users who do regularly think about web certificates, the subject is marked by fiery debates over whether an organization can be trusted as a "root" issuer of certificates for the four major root stores in the world - Microsoft, Google, Apple and Mozilla. That world is haunted by the 2011 example of now-defunct certificate authority DigiNotar, which folded after hackers penetrated its root certificate infrastructure to issue rogue certificates later used to enable a man-in-the-middle attack against Gmail accounts held by hundreds of thousands of Iranians.
Whoever issues certificates can potentially see the encrypted information criss-crossing the internet. For the four major root stores, trust doesn't come easy. Under the revised eIDAS proposal, browsers would have to accept QWACs issued by organizations designated by European Union governments as a qualified trust service provider.
The European Union "is 27 member states, some of them big, some of them small. All of those 27 will basically have the power to say, 'This small firm in Bulgaria should now be trusted by the whole internet,'" said a senior certificate security executive who requested anonymity in exchange for frankness.
Google, Apple and Mozilla have actively lobbied against the proposal, and Mozilla in particular has become the public face of opposition. Mozilla has painted a worst-case scenario of mandatory QWACs, stating they could be used to give false credibility to phishing websites and facilitate man-in-the-middle attacks.
Mozilla's main objection is the mandatory inclusion of QWACs "into browser root stores without any check that they meet our best-in-class cybersecurity standards and open root store inclusion process," Udbhav Tiwari, head of global product policy at Mozilla, told Information Security Media Group.
Not every web certificate expert thinks it's the end of the world for browsers to accept QWACs. Designation as an organization that can issue the certificates requires entities to undergo rigorous audits, said Dean Coclin, a senior executive with DigiCert and current chair of the CA/Browser Forum. "Why should they not trust someone who's undergone the exact same audits that the browser trusted list goes through?"
The anonymous senior certificate security executive has less confidence in the bureaucratic process of QTSP selection. Nationally designated supervisory bodies - organizations that grant entities the ability to issue QWACs - vary in capability and staff. "Small certificate authorities in Europe will hide behind their supervisory body," the executive said. "Security on the internet should be independent from politics."
When the eIDAS update left the European Parliament for a final round of talks between it and the European Council, negotiators put in language they hoped would mollify browser makers. The requirement to accept QWACs wouldn't stop them from revoking the certificates of a bad issuer, compromise language states - so long as measures such as revocation "are duly reasoned." The proposal as it stands now would also require browser makers to notify European authorities, in language that close observers say would be codified into a dispute resolution mechanism.
Critics are unimpressed. "It's still not good. We shouldn't be compromising security," said Jon Callas, director of public interest technology at the Electronic Frontier Foundation.
Return of the EV Certificate?
Opponents' objection go beyond root store inclusion. Some dislike the very concept of having a browser display website ownership information via a web certificate. It's an idea that's better in theory than in practice, said EFF's Callas.
The web certificate world already tried out the concept by issuing "extended validation" certificates. For a decade up until around 2019, major browsers detecting an EV certificate would display some variation of a green-colored indicator to tell users that the website owner had gone through an additional layer of verification. Some browsers turned the entire URL bar green, while others settled for a green-colored lock icon. EV certificates still exist, but determining whether a website owner paid for one requires poking further into certificate data than most users are willing to go.
EV certificates "were expensive and they basically didn't work. They worked in a bunch of simple cases, but they didn't work across the board," said Callas. One problem, he said, is that not every organization name is unique, especially on the global internet. Users might visit a website with an EV certificate and still be on the wrong site.
Researchers have shown how naming collisions could be exploited by bad actors through typosquatted sites displaying an EV certificate.
Proponents counter with other research finding that correctly faking an existing organization to get an EV certificate is difficult and that EV certificates sites have low rates of phishing sites.
The verdict of browser makers was that the EV green glow ultimately wasn't useful. In a 2019 blog post explaining its decision to stop prominently displaying EV certificates, Google said users simply didn't pay attention to it.
Critics also raise technical objections to QWACs, saying the European specification for binding identity to encryption certificates overlooks how websites load pages. Modern, large websites with subdomains don't use just one certificate but many certificates. Obtaining multiple QWACs, and then obtaining new QWACs again should the site configuration change, will be a challenge, they say - particularly given the restrictions of designated trust providers' ability to automatically approve new certificates.
The technical specification is also incompatible with antivirus scanning that intercepts website certificate encryption, critics say.
Browser makers have proposed an alternate technical specification dubbed nt-QWAC but it has yet to get buy-in from European authorities. "Again, this boils down to browsers not wanting to associate certificates with identity, only with a domain," said DigiCert's Coclin.
Given that the European Parliament and the European Council - a body of government ministers from European Union member nations - have each signed off on mandatory QWACs, the final statute is all but guaranteed to include them. For critics and opponents alike, the next round of conflict will come with the implementation regulations setting out the rules for browsers in a QWAC-filled world.