I think the best apps are yet to be written. I recently wrote a blog post (http://ledgersmbdev.blogspot.com/2013/06/tangent-design-thougths-about-next-gen.html) outlining ways I thought the SSL PKI could be tweaked to make it quite resistant to this sort of eavesdropping.

It is still on the HN new feed, if folks want to discuss technical details, but the reason I want to mention it here too is that key management is very hard in a case of resisting surveillance. The current PKI ideas place too much trust in third party certificate authorities (meaning the government can easily pull off man in the middle attacks with the help of network providers if they want, even without your keys), and because each negotiation occurs without context of past ones, there is no way to detect such behavior other than "the CA said watch out" or "this certificate isn't even plausible." Of course you can solve these by enforcing that everyone on your network uses the same local CA that you control, but that breaks as soon as you want to talk to someone outside.

Building a PKI that can resist such efforts is not trivial and it involves challenging our assumptions. Until we do so, however, we will run into all kinds of problems. I may be being paranoid, but it seems like this is a good time to be paranoid.

One of the things that SSH gets right is that it takes a diachronic approach to key validation. We should be building this in everywhere and alerting on key changes, while providing a way to ensure that keys can be safely and securely changed without having errors.
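The diachronic, known_hosts-style validation the comment describes, as an added example that is not part of the original post: a pin store that trusts a host's key on first use, alerts on any later change, and accepts a change only when the previously pinned key endorses the new one. The host names, key bytes and the HMAC stand-in for a signature scheme are constructed for the demo; a real deployment would plug a public-key signature into `verify`.

```python
import hashlib
import hmac

def fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()

class PinStore:
    def __init__(self, verify):
        self.verify = verify  # verify(endorsing_pubkey, msg, sig) -> bool, caller-supplied
        self.pins = {}        # host -> fingerprint of the pinned public key
        self.alerts = []      # (host, presented fingerprint) for unexplained changes

    def check(self, host: str, pubkey: bytes, rotation=None) -> str:
        fp = fingerprint(pubkey)
        pinned = self.pins.get(host)
        if pinned is None:           # first contact: pin it (trust on first use)
            self.pins[host] = fp
            return "first-use"
        if hmac.compare_digest(pinned, fp):
            return "match"
        if rotation is not None:     # (old_pubkey, signature by old key over new key)
            old_pub, sig = rotation
            msg = b"rotate:" + host.encode() + b":" + pubkey
            if fingerprint(old_pub) == pinned and self.verify(old_pub, msg, sig):
                self.pins[host] = fp  # continuity proven by the previously pinned key
                return "rotated"
        self.alerts.append((host, fp))  # unexplained change: alert and refuse
        raise ValueError(f"{host}: pinned {pinned[:16]}, presented {fp[:16]}")

# Stand-in signatures so this runs on the stdlib alone: HMAC-SHA256 with a
# per-key secret (constructed for the demo; not a real public-key scheme).
DEMO_SECRETS = {b"host-key-v1": b"secret-1", b"host-key-v2": b"secret-2"}

def demo_sign(pubkey: bytes, msg: bytes) -> bytes:
    return hmac.new(DEMO_SECRETS[pubkey], msg, hashlib.sha256).digest()

def demo_verify(pubkey: bytes, msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(pubkey, msg), sig)

def run_scenario():
    """First use, repeat visit, an unendorsed key swap, then an endorsed rotation."""
    store = PinStore(demo_verify)
    results = [store.check("mail.example", b"host-key-v1"),
               store.check("mail.example", b"host-key-v1")]
    try:
        store.check("mail.example", b"rogue-key")
    except ValueError:
        results.append("alert")
    sig = demo_sign(b"host-key-v1", b"rotate:mail.example:host-key-v2")
    results.append(store.check("mail.example", b"host-key-v2", (b"host-key-v1", sig)))
    return results, len(store.alerts)
```

A rotation endorsed by a key other than the one pinned for that host falls through to the alert path, so a swapped key cannot vouch for itself.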