cloudflare is an entity that you can choose to trust with your data. It's not any different than how your hosting provider/cdn can "MITM" you as well. The issue people are having with this regulation is that the government is forcing you to trust some unrelated party.
You are forced to trust cloudflare too as you can't do business without DDoS protection anymore. I'd prefer such trust to be rooted in my (EU) jurisdiction.
>You are forced to trust cloudflare too as you can't do business without DDoS protection anymore
At best, you're "forced to trust" a DDoS protection vendor, not cloudflare specifically. I'm sure there are DDoS protection vendors that are "rooted in [...] (EU) jurisdiction". Also, switching between such vendors is pretty trivial, much easier than trying to lobby the government into stopping surveillance.
If you can't even name one example without extensive research then it's likely not so trivial. And where do you get the firm conviction that both cloudflare and existing CAs aren't tapped already?
But my argument against this regulation isn't that "all governments are evil, corporations are good", it's that with respect to certificate authorities, corporations are largely doing a pretty good job, in contrast to governments who are pushing encryption backdoors. If google/mozilla/apple are abusing their position and harming users through their CA programs, then I might consider regulation. But for now it looks like a power grab.
Again, how can you be so sure google/mozilla/apple are doing a good job when they are not transparent or accountable to the public? We have no idea, so we happily live in the illusion that they aren't pushing anything nefarious. Whereas the public lawmaking in democracies is messy, fueled by outrage and visible special interests.
>Again, how can you be so sure google/mozilla/apple are doing a good job when they are not transparent or accountable to the public?
I can be sure they're doing a good job, because I can see them doing a good job, and have no reason to believe they're suppressing any bad news. Are you making a theoretical argument here? In other words, are you simply claiming that the current state of affairs is bad because google/mozilla/apple can go rogue and do bad things?
>We have no idea, so we happily live in the illusion that they aren't pushing anything nefarious
This sounds like an argument from ignorance, i.e. "we have no idea whether they're pushing anything nefarious, therefore we should assume they're pushing something nefarious". If you think they're acting nefariously, by all means mention it here. Don't go beating around the bush with vague accusations that they might be doing something bad, and use that to justify the government stepping in.
But vague accusations of government doing something bad are okay?
Yes, I am simply claiming that the current state of affairs is bad because google/mozilla/apple can go rogue and do bad things. I'm not claiming they necessarily are. But history teaches us that great power brings corruption; they aren't so different from Microsoft some decades ago.
> But vague accusations of government doing something bad are okay?
The government's past and current push to ban encryption (or similar efforts) isn't "vague".
>Yes, I am simply claiming that the current state of affairs is bad because google/mozilla/apple can go rogue and do bad things. I'm not claiming they necessarily are. But history teaches us that great power brings corruption; they aren't so different from Microsoft some decades ago.
You have to trust the browser makers regardless. If you want to prevent browser makers from going rogue (e.g. sending your browsing data directly to them), you'd need far more comprehensive regulation than this. The only thing this does is force your browser to trust an additional set of entities. In that respect, this legislation is quite pointless, because we haven't seen browser makers unfairly exclude upstart CAs. I suppose the regulation might be worth keeping around just in case, but I'm not really convinced of the cost/benefit. As I see it, the benefit is that if browser makers decide to go rogue and exclude new CAs, this will allow the EU and/or member states to issue their own certificates. The downside is that the EU and/or member states can issue TLS certificates to MITM connections. Am I missing anything?
As much as I despise Cloudflare, at least in Germany the pandemic has shown that authorities can't be trusted with data even if taken with the best of intentions.