There’s danger ahead
Theme parks are great – but only if you trust they’re secure. The same is true for the internet. A new EU law would make website security weaker by imposing QWACs and expose users to more cyber risks.
But a critical vote in the European Parliament has averted this threat for now.
Please find more info here.
WHY ARE QWACs A PROBLEM?
When using the internet, your browser protects valuable information you send to websites. The first draft of eIDAS forced browsers to accept QWACs – lower-security standard website certificates and providers that issue them. This would lower the bar for protection and open up users to possible malicious attacks and online crime.
Update 29/02/2024: After two years of review by EU legislators, critical changes in the law were approved in a vote in the European Parliament. This means EU citizens can continue to safely browse the web, provided the law is implemented correctly.
Keep the internet safe.
We can change article 45.2.
Why QWACs are not secure
When you see the padlock on the left side of the URL bar in the browser, you know your connection with the website is fully secure.
Supporting QWACs will mean that browsers will have to support providers that issue them without independently vetting their security practices. Those providers and their certificates could then appear safe even when they are not, because they have been compromised by malicious actors. Forcing browsers to support these insecure certificates and the providers that issue them will make the internet less safe for users.
How web security works
Browsers use encryption to protect users’ data from cybercriminals as they navigate online (e.g. when sending credit card details to Amazon). But people also need assurance that they are sending data to the correct domain (e.g. “amazon.com”). If someone sends their credit card details to a cybercriminal instead of an online marketplace, encryption doesn’t protect them from harm.
That’s where ‘website certificates’ come into play. They allow a website to prove that it controls the domain name that the person has navigated to. The organisations that issue websites with these certificates, namely ‘certificate authorities’, are a critical part of the security process. If they mis-issue certificates to bad actors, the consequences for consumers can be catastrophic.
To keep people safe, browsers ensure that only certificate authorities that maintain high standards of security and transparency are trusted in the browser. They also continuously monitor and review the behaviour of certificate authorities and take prompt action to protect individuals in cases where a trusted certificate authority has been compromised.
Why is Mozilla fighting for web security?
Private companies can be either part of the problem or part of the solution. Mozilla has supported and collaborated with the EU’s efforts to instill more responsibility online and protect citizens from illegal activity.
We support EU regulatory efforts because we believe more needs to be done across the online ecosystem, and companies in particular need to step up. All browsers must play a part to protect users and keep the internet safe.
Unfortunately, as currently drafted, article 45.2 stops us from doing that. Our proposed solution to avert future harm is to amend this legislation so that it doesn’t establish a limitation on cybersecurity. In practice, this means ensuring browsers can continue to block certificate authorities that don’t meet security standards. As a result, this will keep potential malign actions at bay while also continuing to protect users’ data and privacy.
QWACs (Qualified website authentication certificates)
Let’s say you want to access a particular website. Your browser must check the site is actually what it claims to be, and not an attacker intercepting the traffic on the network. Without this check, data and privacy are at risk. Details such as passwords, credit cards, names, addresses, and message content can be stolen and shared, creating significant harm, online and off.
Major browsers use independent policies and vetting practices to certify only safe sites and block suspicious activity. Now imagine if some of those protections disappeared and your browser let you surf websites that were leaking your information due to unsafe connections.
That’s what new EU legislation is proposing by insisting QWACs become the new standard.
Electronic Identification, Authentication and Trust services (eIDAS)
But one of its proposed articles – article 45.2 – would force internet browsers to use qualified website authentication certificates (QWACs), which have a lower bar for security than other website certificates. That opens users up to big risks.