How the EU created Electronic Invoices without considering Security (god2025)

Chaos Computer Club - recent events feed

תוכן מסופק על ידי CCC media team. כל תוכן הפודקאסטים כולל פרקים, גרפיקה ותיאורי פודקאסטים מועלים ומסופקים ישירות על ידי CCC media team או שותף פלטפורמת הפודקאסט שלהם. אם אתה מאמין שמישהו משתמש ביצירה שלך המוגנת בזכויות יוצרים ללא רשותך, אתה יכול לעקוב אחר התהליך המתואר כאן https://he.player.fm/legal.

11d ago 27:51

MP4•בית הפרקים

Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely. The EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks. It appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws. Therefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de

3332 פרקים

#Technologie #Ccc Congress Hacking Security Netzpolitik #CCC media team #Video