What the Duck? Why an EU Proposal to Require "QWACs" Will Hurt Internet Security

Deeplinks 2022-02-09

Summary:

It's become easier over the years for websites to improve their security, thanks to tools that allow more people to automate and easily set up secure measures for web applications and the services they provide. A proposed amendment to Article 45 in the EU’s Digital Identity Framework (eIDAS) would roll back these gains by requiring outdated ideas for the security and authentication of websites. The amendment states that “web-browsers shall ensure that the identity data provided using any of the methods is displayed in a user-friendly manner.” The amendment proposal emphasizes a specific type of document, Qualified Web Authentication Certificates, or QWACs, to accomplish this goal. The problem is that, simply put, the approach the amendment suggests has already been debunked as an effective way to convey security to users.

The Quacks in QWACs

QWACs use guidelines similar to Extended Validation (EV) certificates. Both are digital certificates issued to domain owners with an added process that establishes an identity check on the domain owner. This approach has been proven ineffective over the years.

For a short while, browsers made a point of showing EV certificates to the user, displaying the certificate details in green. They assumed that this clear marker would indicate more security for users. However, nefarious parties ended up obtaining EV Certificates and hosting phishing sites. This highlights that HTTPS—supported by certificates—establishes a secure connection between you and that website, but does not guarantee the website itself is storing or using the information you may submit to it ethically. Nor is it an assurance that a company's business practices are sound. That is what consumer protection laws are for.

Because emphasizing these certificates proved ineffective at improving user security, Chrome and Firefox decided in 2019 to no longer emphasize EV-certified websites in the URL bar. Safari stopped in late 2018. However, EV certificates are significantly more expensive, and some Certificate Authorities (CAs) that sell them still inaccurately suggest in their sales pitches that browsers emphasize EV certificates. Requiring that QWACs be displayed in the same fashion just further pursues the illusion that displaying identity information to the user will be worth the effort.

Potential Fowl Play with User Experience

Requiring browsers to trust certificates issued by EU government-mandated CAs could impact users outside the EU as well. Rather than improving security as intended, this would likely force the adoption of a security-hindering feature into the internet experiences of users within and outside the EU. People could be exposed to slow or inadequate responses to security incidents involving EU-mandated CAs, to breaches of privacy, or to targeted malware.

It’s even been ludicrously suggested by Entrust (a CA) that any website that doesn’t use QWACs or EV certificates be flagged by the browser with a warning to the user when they submit data. Such a warning would make no sense, because standard Domain Validation (DV) certificates provide the same security for data in transit as EV does.

[Image: Entrust slide that displays identity info favorably against DV sites. Source: Trust Services Forum - CA Day 2021]

Transport Layer Security (TLS) is the backbone of securing your connection to a website. When HTTP runs over TLS, the result is called HTTPS. Think of it as HTTP(S)ecure.

[Image: HTTP v. HTTPS]

Browsers have worked for years to show people that their connection is secure without confusing them. This proposal would undo much of that user education by potentially unleashing a flood of warnings for

Link:

https://www.eff.org/deeplinks/2022/02/what-duck-why-eu-proposal-require-qwacs-will-hurt-internet-security


Authors:

Alexis Hancock, Jon Callas

Date tagged:

02/09/2022, 14:34

Date published:

02/08/2022, 17:00