Browser Makers and EU Face Off Over QWACs

A European effort to wrest greater control over the infrastructure underpinning internet encryption has some security experts warning about degraded website security.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

The European Union is on the cusp of approving a revised identity framework intended to digitize access to key public services for the majority of Europeans by the start of the next decade (see: European Digital Identity Bill Heads to Final Negotiations).

A section of the nearly complete update to the electronic identification and trust services regulations – better known as eIDAS – imposes a different kind of identity requirement onto web browsers. The goal, say proponents, is to increase online trust by requiring web browsers to display the identity of the organization that owns the site. That would be done by having browsers accept web certificates issued by entities designated by European governments as qualified trust service providers.

The certificates themselves are known as qualified website authentication certificates, or more commonly, QWACs, pronounced the way a duck would say it.

Underneath the arguments of proponents and critics lies ultimately a clashing set of assumptions about the function of web certificates. Proponents say they should be able to guarantee a website is trustworthy. For critics, the icon only means the connection is encrypted.

Quack! There’s a QWAC in the Root Store

Ordinary web users rarely pause to consider web certificates, but they’re a cornerstone of online security. They’re responsible for encrypting traffic as it lurches across the internet, making it safe for e-commerce sites to…