Qualified website authentication certificates: EU plan to boost web security
published on 12.05.2022
The European Commission is planning to require the consumer-friendly display of qualified website authentication certificates (QWACs) in internet browsers. While browser developers are warning that this measure would weaken online security, this is not the case. In fact, QWACs increase consumer protection and strengthen European digital sovereignty.
Fierce debate on QWACs
With the introduction of the Regulation on electronic identification and trust services (eIDAS) in 2014, the European Commission established the legal framework for secure, reliable electronic communication. In June 2021, the European Commission put forward an amendment to the eIDAS Regulation which, among other things, involved strengthening qualified website authentication certificates.
In the past, web browser developers have refused to recognise QWACs and display them in their browsers. This is why, in the new amendment, the European Commission is now seeking to obligate browsers to accept QWACs and make them visible to users, for example with an eIDAS electronic seal.
This obligation has attracted criticism, such as from browser developers and the Electronic Frontier Foundation (EFF). Critics argue that implementing QWACs would erode the privacy of users and enable increased monitoring of encrypted internet traffic.
“If this point of view becomes prevalent, then large browser developers like Google and Mozilla will be able to continue expanding their market power. And what will suffer here? European digital sovereignty and the construction of a digital trust space in Europe”, argues Dr Kim Nguyen, Managing Director of D-Trust, the trust service provider of the Bundesdruckerei Group.
Why the criticism is not convincing
European Signature Dialog, an alliance of European trust service providers, has examined the arguments. “Critics point to apparent technical weaknesses of QWACs and extrapolate consumer-protection concerns from these, but these arguments aren’t convincing and suggest misunderstandings and over-simplifications”, Kim Nguyen explains.
First point of criticism: Identity-verification certificates would not increase internet security. Here, critics point to alleged practical experience with EV certificates, which are technically equivalent to QWACs. Yet the opposite is true: According to a study by RWTH Aachen, over 99% of phishing attacks in 2018 occurred via websites not secured with EV certificates.
QWACs contain identity and communication information which has been checked in advance by an independent third party, a qualified trust service provider. This enables internet users to be sure that the website they are visiting is operated by a real, trustworthy person or organisation.
Second point of criticism: Browsers are supposed to mark the trust service providers and the certificates they issue as trustworthy without separate, individual verification, and bypassing the browser’s own verification system would put the security of the public TLS ecosystem at risk. This is a serious misunderstanding: The intent is for browsers to support the list of qualified trust service providers (the EU Trusted List) and to recognise the QWACs issued under it. In Europe, qualified website authentication certificates are subject to a standardised, multilevel, state-controlled auditing and supervisory system; only after passing it can a trust service provider operate as a qualified trust service provider and be included in the EU Trusted List.
Third point of criticism: Critics fear that the obligatory display of certificates will create a precedent with unforeseeable consequences. This could encourage authoritarian regimes to force their citizens to accept special certificates in order to monitor their internet activity. Such measures contradict the idea of a European digital trust space. Instead, with the eIDAS regulation, the EU has established a certificate supervision system with strict rules and governance guidelines. For example, qualified trust service providers are subject to extensive security requirements and liability rules, both of which are regularly monitored by national supervisory authorities. This means that there is no reason for the distrust shown by the browser developers.
Why QWACs are important for Europe’s digital sovereignty
The criticism directed at QWACs is not convincing. In fact, there are substantial arguments in favour of the obligatory display of qualified website certificates.
QWACs help to expand the European digital trust space
Qualified website authentication certificates are an important EU standard for the infrastructure of the digital European Single Market. Their acceptance, along with the associated EU Trusted Lists, ushers web browsers into the European trust space with uniform standards, certification processes and supervisory authorities. Without these kinds of EU standards, large IT providers outside the EU are able to abuse their dominant position and then unilaterally determine and enforce the rules for internet security. The Federal Cartel Office shares this fear and recommends European regulations within the framework of the eIDAS Regulation.
QWACs help protect consumers and data
The General Data Protection Regulation (GDPR) requires website operators to be clearly identified if personal data are being collected on the website. Websites with verified identities also offer greater protection for consumers. This was made very clear by the cases of fraud in the Coronavirus emergency aid applications in spring 2020. By creating fake websites, fraudsters were able to get hold of the necessary application data, which they used to submit applications on the genuine websites and take the money to which others were entitled.
QWACs boost Europe’s digital sovereignty
As the European standard, QWACs are an important building block of the European trust space. They are very well integrated into the time-tested European auditing structure and regulatory oversight system. There is a functioning market for trust services, and QWACs are already well established, for example in the implementation of the PSD2 payment directive in the financial sector. All of this reduces dependency on tech corporations, thereby strengthening Europe’s digital sovereignty. The digital association Bitkom backed this view in its position paper entitled “Website authorisation certificates for strengthening European sovereignty” (in German).
“QWACs integrate browsers into the European trust space. They increase online security and consumer protection by protecting against data theft”, Kim Nguyen stresses.
In the press release “How certificates secure websites” (in German), you can find more information on the various TLS certificate types and an infographic.