Comment by hulitu
13 hours ago
> Particularly after Edward Snowden's 2013 revelations about mass surveillance, running an unencrypted protocol started to feel more and more like bad practice.
As far as I understood, NSA has access to the encrypted communication on the internet so all bets are off. They "collaborate" with certificate issuers, they monitor all big internet nodes in the "west" and all relevant software is produced in their jurisdiction.
The certificate issuer doesn't have access to the underlying private keys, so while getting a fake certificate may be useful for MITM [0], undermining the certificate authorities doesn't actually allow spying on traffic that uses the genuine certs, no matter how corrupt the CA is.
There is such a thing as overestimating the power of the NSA; if the spooks actually had undermined the system to that degree they wouldn't need to lobby for all the surveillance bills that keep popping up.
[0] And you can't get a fake certificate either without it being visible in the certificate transparency logs, or being an obvious fake since it is absent in those logs.