A digital certificate, or website certificate, ties the website server’s name (like “europa.eu”) to a cryptographic key. The server can then use that key to prove its identity to the browser. That way, the browser knows it has connected to the server identified in the certificate and can encrypt the connection.

When you see the padlock on the left side of the URL bar in the browser, you know your connection with the website is fully secure.

Supporting QWACs will mean that browsers will have to support providers that issue them without independently vetting their security practices. This would mean they could appear as being safe, even if they’re not due to being compromised by malicious actors. Forcing browsers to support these insecure certificates and the providers that issue them will make the internet less safe for users.

Browsers use encryption to protect user data from cybercriminals when they navigate online (e.g. when sending credit card details to Amazon.) But people also need assurance that they are sending data to the correct domain (e.g. “amazon.com.”) If someone sends their credit card details to a cybercriminal instead of an online marketplace, encryption doesn’t protect them from harm.

That’s where ‘website certificates’ come into play. They allow a website to prove that it controls the domain name that the person has navigated to. The organisations that issue websites with these certificates, namely ‘certificate authorities’, are a critical part of the security process. If they mis-issue certificates to bad actors, the consequences for consumers can be catastrophic.

To keep people safe, browsers ensure that only certificate authorities that maintain high standards of security and transparency are trusted in the browser. They also continuously monitor and review the behaviour of certificate authorities and take prompt action to protect individuals in cases where a trusted certificate authority has been compromised.

It is critical that online users can enjoy trust and security online where their data cannot be accessed by bad actors. At Mozilla, we believe we can help keep the internet safe by raising safety barriers and constantly improving our technology.

Private companies can be either part of the problem or part of the solution. Mozilla has supported and collaborated with the EU’s efforts to instill more responsibility online and protect citizens from illegal activity.

We support EU regulatory efforts because we believe more needs to be done across the online ecosystem, and companies in particular need to step up. All browsers must play a part to protect users and keep the internet safe.

Unfortunately, as currently drafted, article 45.2 stops us from doing that. Our proposed solution to avert future harm is to amend this legislation so that it doesn’t establish a limitation on cybersecurity. In practice, this means ensuring browsers can continue to block certificate authorities that don’t meet security standards. As a result, this will keep potential malign actions at bay while also continuing to protect users’ data and privacy.

Every website must present a digital security certificate. Qualified website authentication certificates, or QWACs, are a type of certificate that can be issued by providers who don’t meet security standards established by browser root store programs (link).

Let’s say you want to access a particular website. Your browser must check the site is actually what it claims to be, and not an attacker intercepting the traffic on the network. Without this check, data and privacy is at risk. Details such as passwords, credit cards, names, addresses, and message content can be stolen and shared, creating significant harm, online and off.

Major browsers use independent policies and vetting practices to certify only safe sites and block suspicious activity. Now imagine if some of those protections disappeared and your browser let you surf websites that were leaking your information due to unsafe connections.

That’s what new EU legislation is proposing by insisting QWACs become the new standard.

eIDAS is an EU regulation that established a framework for electronic transactions. An inspired idea, to improve the user experience and increase security at the same time.

But one of its proposed articles – article 45.2 – would force internet browsers to use qualified website authentication certificates (QWACs), which have a lower bar for security than other website certificates. That opens users up to big risks.