Slashdot Mirror


Estonia Is Enhancing the Security of Its Digital Identities (medium.com)

Estonia is upgrading the security of ID cards and digital IDs used by citizens, residents and e-residents. A new certificates update has been developed based on advanced elliptic-curve cryptography, which is more secure and faster than the SSL certificates previously used. From a report: This certificate update will protect users from a potential security vulnerability that the Estonian government announced last month had been identified by a group of security researchers. It has now been confirmed that the vulnerability is contained in software that had previously been installed on the embedded chip used in ID cards around the world, including those issued by Estonia between 16 October 2014 and 25 October 2017. Although the problem is international, minimising the risk and developing a solution has been a top priority for Estonia since the government was informed. However, there have still been no reported incidents of any Estonian digital ID or ID card being misused in the way described by the researchers. Considerable resources and expertise would be required for this so the risk for most people affected has always been low.

2 of 36 comments

  1. Impressed by EndlessNameless · Score: 4, Interesting

    That is a remarkably fast response to a systematic vulnerability by the government.

    Assuming this is related to the recently disclosed Infineon vulnerability, less than a month has lapsed between public disclosure of the vulnerability and a formal announcement of their affected assets and remediation process.

    I have seen places that would take twice as long just to figure out what is affected in the first place.

    --
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    1. Re:Impressed by Anonymous Coward · Score: 2, Interesting

      That is a remarkably fast response to a systematic vulnerability by the government.

      The response is very fast, but the execution of this update is not very well done. First they announced the vulnerability and that the government is working on a fix, but basically claimed this is not serious enough to affect their digital plans. Then after two months of complete silence they suddenly sent an email (on October 31st) saying that people need to renew their private keys ASAP and all certificates will be revoked "early November", meaning the card most likely will stop working on an unspecified date very soon, just a few days after the notice.

      This would all be fine, except that since October 31st their key renewal server has been continuously down under too heavy load and it has practically been impossible to renew the private keys. This is no wonder, since they put pressure on people to do this update ASAP and even those who would otherwise not be hurried are now trying to update. This means that if they stick with their plan it is quite likely that many people will be denied access to many government services, all just because their systems cannot take the load.

      In addition to all this, the new ECC certificates do not work on Mac OS X except using Firefox, and they say some December 15th update of Firefox will break them on Firefox as well. The official response is to download the current Firefox and keep it outdated during December to be able to access the systems on Mac, which is not a very good idea considering there can be other exploits out there. There are no technical details of what exactly is causing the Firefox regression or why the ECC certificates do not work, therefore even capable people cannot look into this and create their own builds of Firefox that would continue to work.

      In general, it seems the Estonian government is able to move really fast with their electronic services, but it is partly because the solutions they put out seem a bit half-assed. I guess this is all because they have an election coming, and all you need to vote is one of these electronic ID cards and its PIN codes. Russian intelligence is surely very interested to affect the Estonian election (check the map if you are interested in why), and people at the Estonian government must have been crapping their pants these one or two months.