Dubious advertising for useless eIDAS certificates

Some providers are using the hype surrounding eIDAS certificates to advertise unnecessary and expensive certificates.

A laptop with a protective shield on the screen

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Some certificate providers are exploiting the uncertainties surrounding the recently adopted EU regulation on electronic identification, authentication and trust services (eIDAS) to sell customers unnecessarily expensive certificates. In the legislative process, the question of whether web browsers such as Chrome, Edge, Firefox, Opera and Safari should be forced to recognise certain qualified certificates for website authentication was controversial until the very end.

These so-called Qualified Website Authentication Certificates (QWACs) require government root certificates to be anchored in web browsers. This should be viewed critically, especially if browsers do not have the legal freedom to reject such certificates: in 2020, for example, the government of Kazakhstan forced such a certificate on its citizens in order to be able to read their data traffic. Following massive criticism from academics and civil rights activists, the EU legislators included passages in the ratified version stipulating that the industry's established security rules and standards may continue to be followed. Although these clarifications are mostly found only in the recitals and not in the actual legal text, they largely satisfied outspoken critics such as Mozilla. For the most part, everything should therefore remain as it was for browser manufacturers and users.

Certificate providers are hardly happy about this, as they naturally want to sell certificates in order to earn money. Free certificates, especially from Let's Encrypt, have severely restricted this business model, and QWACs could revive it. However, some providers are not entirely honest in their advertising. heise online has received an email from a provider that tries to exploit legal uncertainties for its own ends.

For example, it says: "As you may already know, the EU has introduced a legal framework known as eIDAS". It then continues: "If you have not yet switched to eIDAS, the changeover on your own can be a bit of a headache ... but that's exactly where we can help you! We want to make sure you comply with local regulations."

However, since nothing has changed in this regard, no changes are necessary. Website operators can continue to rely on free certificates; eIDAS certificates offer no discernible advantages. To put it clearly: the eIDAS certificates now being advertised only cause effort and costs, and provide no additional benefit for the majority of server operators.

(dmk)