
Comment by tonyplee

12 years ago

BTW, a much simpler way to get the SSL keys is to send someone (or teams) to be employed by Google. (Like another big country probably did a while back.)

Once inside, put a few webcams, physical/virtual key loggers, a few lines of code (check in code with an extra ",", "=" instead of "==" in the right place - just like a post about the Linux security kernel hack a while back), and the jobs are done.

> BTW, a much simpler way to get the SSL keys

SSL keys are not the target; the data is the target. SSL keys change over time, and you still need to monitor the actual encrypted data; tapping the data where it's sent in cleartext is actually simpler, if you have the capability to do it, than infiltrating a spy into the dev team, having them compromise the system without being detected, getting the SSL keys, and monitoring all the encrypted comms.