Description of the issue:
I do not know if I am allowed to post this but I read more and more about it and I’m very concerned.
As of a few days ago the eIDAS2.0 law was accepted in the GB and the entire EU.
It will take a while but after several months, products created or distributed in GB and the EU will be forced to add a root certificate (or several) to comply with EU Regulations. Browsers (and every application with a browsing ability) will be forced to swap certificates without user knowledge (for example: it shows Verified as Let’s Encrypt with thumbprint ZZZZZ; a request is made at random and says Verified as Let’s Encrypt with thumbprint XXXXX). This is all for user security.
As the law currently states “browsers are not allowed to mention suspicion of tampering or inform the user in any way”.
This is very concerning since it is a government sanctioned MITM.
How will this affect GB/EU citizens from Brave’s POV?
Brave is a company that is located in San Francisco, California, United States but to distribute the browser through public channels (be it a website, or a store on a mobile device) they will have to adhere to laws (similar to GDPR).
As a citizen of GB I’m much more concerned with the fact that any country in the EU can MITM ANY HTTPS connection with a faux (often not secure) certificate, instead of worrying about Brave receiving “very minimal, if any, data”.
Could any of the devs please give a statement about this since it is a big deal.
Please do not say it is only “opt-in”. It is opt-in until the technology is shown to be effective; this is always the case.
Steps to Reproduce (add as many as necessary): 1. 2. 3.
Have a look at
https://www.idcentral.io/blog/understanding-the-eus-eidas-2-0-implications-for-identity-verification/ (minimal info, showing how lawmakers think)
https://www.techradar.com/computing/cyber-security/eu-eidas-vpns-wont-protect-europeans-privacy-if-law-passes-experts-warn (a more honest and critical warning about the law in general)
Expected result:
This looks nice at first sight but is a security issue of huge proportions.
That Brave allow a (US) or (EU) version to be available for download.
For platforms that do not have a way in which this is directly possible through the OS/store: have a (US) and (EU) download available through, for example, an APK on both the Brave site and GitHub.
Operating System and Brave Version (see the About Brave page in the main menu):
Every OS.
Additional Information:
See description.
Please advise and give some information. The law is in effect. I receive requests from various concerned users in both GB and the EU.
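The scenario in the description (the UI still reads “Let’s Encrypt”, but the thumbprint differs between two requests) is exactly what a certificate-observation journal is meant to sort out on the client side. The example below is added here as an illustration and is not Brave code or anything from the eIDAS text: it keeps the last observed leaf fingerprint, issuer and trust-anchor per host and classifies each new observation. A leaf fingerprint change on its own is routine (short-lived certificates are renewed regularly), so the signal worth alerting on is the chain terminating in a different or unexpected root. All hostnames, fingerprints and root labels are constructed placeholders, not real certificates.

```python
"""TOFU-style certificate journal: classify a new TLS observation for a
host as first-seen, unchanged, routine rotation, or a chain change.

Added example for this thread; not Brave's code. Every observation,
fingerprint and root label below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding, the usual 'thumbprint' shown in UIs."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass(frozen=True)
class Observation:
    host: str
    leaf_sha256: str   # fingerprint of the leaf certificate
    issuer: str        # issuer name shown to the user ("Let's Encrypt", ...)
    root_sha256: str   # fingerprint of the trust anchor the chain ended in


@dataclass
class Journal:
    # roots the user has consciously decided to trust (constructed labels)
    expected_roots: set
    # host -> most recent observation
    seen: dict = field(default_factory=dict)

    def classify(self, obs: Observation) -> str:
        prev = self.seen.get(obs.host)
        self.seen[obs.host] = obs
        # Strongest signal first: the chain ends in a root the user never approved.
        if obs.root_sha256 not in self.expected_roots:
            return "UNEXPECTED_ROOT"
        if prev is None:
            return "FIRST_SEEN"
        if prev.leaf_sha256 == obs.leaf_sha256:
            return "UNCHANGED"
        # New leaf, but same issuer and same trust anchor: a normal renewal.
        if prev.issuer == obs.issuer and prev.root_sha256 == obs.root_sha256:
            return "ROTATED"
        # New leaf and the chain now ends somewhere else: worth surfacing,
        # even if the displayed issuer name is unchanged.
        return "CHAIN_CHANGED"


def run_sample() -> list:
    """Constructed sequence of observations for one host; returns the verdicts."""
    journal = Journal(expected_roots={"root-A", "root-B"})
    host = "example.test"
    sequence = [
        Observation(host, "leaf-1", "Let's Encrypt", "root-A"),  # first visit
        Observation(host, "leaf-1", "Let's Encrypt", "root-A"),  # same cert
        Observation(host, "leaf-2", "Let's Encrypt", "root-A"),  # renewal
        Observation(host, "leaf-3", "Let's Encrypt", "root-B"),  # same name, other root
        Observation(host, "leaf-4", "Let's Encrypt", "root-C"),  # root never approved
    ]
    return [journal.classify(obs) for obs in sequence]


if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```

The fourth observation is the interesting one: the issuer string a user sees is unchanged, so only the recorded trust anchor reveals that the chain moved. A real monitor would feed `fingerprint()` with the DER bytes from the TLS handshake rather than the placeholder labels used here.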