Comment by MichaelGG
11 years ago
The NSA can do this, yes. But, any CA that issues a fake CA for Google will be found out rather quickly, and then will get blacklisted and lose business.
So while the NSA can technically do that, they only get a few shots cause each one has a high chance of burning the CA.
For lesser sites and narrow targets, this may not be true.
This is precisely the problem with centralized security authorities. As we've seen a state actor can easily force a central authority to share it's private key, thereby granting the state actor the ability to untraceably create it's own certificate chains.
It would also have to control the wire for the attack target, but via wire tapping laws that is already a solved problem. Because they control the connection of the attack target, I don't see how the fact that the certificate chain was compromised would ever become public knowledge.
Web of trust was designed to address the central authority weakness, but itself apparently has scalability issues, although I'm unclear on why.
Google is indeed in a (unique) good position to detect and possibly prevent a fake certificate, but we don't know if that's what they want or whether they can be coerced to cooperate. Millions of other websites are not protected in the same way.