• DangerousInternet@lemmy.world
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Seems like they want browsers could accept websites own certificates, which leads to a problem, where websites can see all your secure data, which is not that easy with current root certificates system. I could not understand why everyone so concerned, as browsers would notify about it, so you could decide if you need to visit such site or not. Currently such verification is done with extensions and if some bad site (or good) asks to access your tokens/keys you see it. Maybe they want it build-in and no notifications, but that is absurdly dumb and breaks all the security.

      • Ferk@kbin.social
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        1 year ago

        Will you be notified and asked permission before the page is loaded?

        I mean, even for self-signed/invalid certificates, most browsers allow you to optionally access the page anyway… it’ll show some error page first, but it’ll allow you to load it if you explicitly request to continue in the error page itself, right? and you’ll get an eye-catching red icon indicating the website is untrusted… why can’t browsers implement something similar to that? Just use a different icon and a different page/dialog to opt-in on first visit. Something that isn’t as strong as the error page, but that makes it clear to the user which organization/government is responsible for authorizing the access.

        But then again… why not simply have that website registered under .id.eu (for example) and have the EU use that DNS for registering/signing subdomains using eIDAS certificates? then there would be no risk for it to potentially poison other top-level domains if it’s compromised. And imho, it would be great if when a citizen gets their eIDAS certificate it comes with a personal domain that they can freely use.

        I feel I’m not fully understanding here neither what exactly is being asked nor the purpose for asking it.
        Is there some more clear and unbiased information on this? …the way they wanna call it “secret” is also very confusing to me, that smells of FUD… in which way is it “secret”? are there no public details about the request? “secret legislation” feels almost like an oximoron. I feel that what they want to say is that the controversial sections were introduced very late in the process, following some closed-door meetings, but that’s no the same thing as the legislation being “secret”…