Comment by nly

10 hours ago

It is of course inconceivable that the NSA do not have the private keys for dozens of browser-trusted certificate authorities.

That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare.

My understanding is that they tapped communication nodes before. I would be surprised if they can't tap the pipes to Cloudflare.

  • I mean, it is the CIA, but if you encrypt it before it leaves the box, and you're decently good with the key material, how are they going to get at it? Tapping the fiber then gets them encrypted flows, which isn't nothing, but, well, it would be surprising if they had access to the clear text.

    • Room 641A [1] would be an example of just renting a room in the DC, making it look as boring and nondescript as possible, tapping the fiber lines and sending a copy of all data to that room.

      That requires cooperation from a couple of people at the company. People that could do it for "patriotic duty", be paid off, simply be coerced, or be replaced by NSA agents (I wonder how many Cloudflare employees are NSA plants?). If you want to go even more low-profile, tap the fiber lines a block further down outside the Cloudflare PoP and use one of the above techniques to get the key material.

      Even if it takes the NSA a decade to get an NSA agent hired and moved up in the organization until they have a vector to extract private keys, that's still an incredible return on investment.

      1: https://en.wikipedia.org/wiki/Room_641A
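As an added illustration of the point made earlier in the thread (that holding a CA's signing key does not turn a passive fiber tap into plaintext), here is a toy Python model that is not code from any of the commenters. It runs a Diffie-Hellman handshake in which a toy CA certifies the server's long-term key and the server signs its ephemeral share; the private exponents never appear in the wire transcript, so the recorded handshake plus the CA key yield nothing that derives the session key. The group, the Schnorr-style signature, the stream cipher and the names `example.invalid`, `seal`, `open_` and `tap_attempt` are all constructed for this example and are not TLS.

```python
"""Toy model: CA key + passive capture does not give the session key.

Constructed example. P/G form a demo group (not a standardized DH group),
the signatures are Schnorr-style with toy parameters, and the cipher is a
hash keystream with an HMAC tag. Only the structure mirrors a real handshake.
"""
import hashlib
import hmac
import secrets

P = 2**255 - 19  # constructed demo prime, not a standardized group
G = 2
Q = P - 1        # exponent modulus for the toy Schnorr signatures


def i2b(x: int) -> bytes:
    return x.to_bytes(32, "big")


def h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keypair():
    """Private exponent stays on the box; only the public value goes on the wire."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)


def sign(priv: int, msg: bytes):
    """Schnorr-style signature: (e, s) with g^s * y^e == r."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h(i2b(r), msg) % Q
    return e, (k - priv * e) % Q


def verify(pub: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(pub, e, P)) % P
    return h(i2b(r), msg) % Q == e


def ca_issue_cert(ca_priv: int, name: bytes, identity_pub: int) -> dict:
    """The CA binds a server name to the server's long-term public key."""
    return {"name": name, "identity_pub": identity_pub,
            "ca_sig": sign(ca_priv, name + i2b(identity_pub))}


def kdf(shared: int) -> bytes:
    return hashlib.sha256(i2b(shared)).digest()


def handshake(ca_pub: int, cert: dict, server_identity_priv: int):
    """Both sides pick ephemeral shares; returns (client_key, server_key, wire transcript)."""
    c_priv, c_pub = keypair()   # never leaves the client
    s_priv, s_pub = keypair()   # never leaves the server
    share_sig = sign(server_identity_priv, i2b(s_pub) + i2b(c_pub))
    # Client checks the chain: CA vouches for the identity key, identity key vouches for the share.
    if not verify(ca_pub, cert["name"] + i2b(cert["identity_pub"]), cert["ca_sig"]):
        raise ValueError("bad certificate")
    if not verify(cert["identity_pub"], i2b(s_pub) + i2b(c_pub), share_sig):
        raise ValueError("bad server share")
    transcript = {"client_share": c_pub, "cert": cert,
                  "server_share": s_pub, "share_sig": share_sig}
    return kdf(pow(s_pub, c_priv, P)), kdf(pow(c_pub, s_priv, P)), transcript


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # wrong key: the record does not authenticate
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def tap_attempt(transcript: dict, ca_priv: int, blob: bytes):
    """What a passive tap holds: public shares, the cert, the CA key, ciphertext.
    The CA key is not an exponent in this session, so using it as one is the
    only computation available and it fails to authenticate the record."""
    for share in (transcript["client_share"], transcript["server_share"]):
        if open_(kdf(pow(share, ca_priv, P)), blob) is not None:
            return "decrypted"  # unreachable: session key needs a private share
    return None
```

The test of a real deployment is the analogous one: a forward-secret key exchange (ECDHE in TLS) keeps long-term keys out of the session-key derivation, so a recorded flow stays opaque even to someone who later obtains the server's or a CA's private key; only an active man-in-the-middle, which the thread's next comments discuss, changes that picture.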