I'm no expert in this, and I'd like your input: How well is the SSL certificate infrastructure protected? Could the NSA obtain the SSL certificate of, let's say, mail.google.com? Or, even worse, could they get their hands on the certificates of a CA? If so, they could intercept almost any communication over HTTPS by using a man-in-the-middle attack, right?
Yes.

The NSA can go to any provider and say "We want your private cert. Also you're not allowed to tell anybody about this. Because terrorism."

If your site is externally hosted, they can go to your hosting provider and take your private cert without you ever knowing.

This private cert will let them decrypt any TLS/SSL traffic they may have captured in the past.[1]

They can also MITM any TLS/SSL connection if they have their hands in a single root CA.[2]

[1] PFS can prevent this, but only Google and Bloomberg use it right now. See http://en.wikipedia.org/wiki/Perfect_forward_secrecy

[2] Certificate pinning can prevent this, but only Google and MS use it right now. See http://security.stackexchange.com/questions/29988/what-is-certificate-pinning and http://tack.io/
The SSL infrastructure is protected only by the shaky assumption that "all CAs are responsible and would never create a certificate for anyone but the true owner of the domain."

Here is a list of root CAs in Firefox: https://docs.google.com/spreadsheet/pub?key=0Ah-tHXMAwqU3dGx0cGFObG9QM192NFM4UWNBMlBaekE&single=true&gid=1&output=html

Not just the NSA, but *all* of those organisations can create a valid SSL certificate for mail.google.com, and your browser would accept it silently.
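The two answers above make the same structural point from different angles: chain validation only asks "does this certificate chain to some trusted root?", so any trusted CA can mint an accepted certificate for mail.google.com, and pinning works because it asks a different question ("is this the key I expect?"). The script below is an added example written for this thread, not code from any of the posters. It builds two throwaway CAs (a "legit" one and a "rogue" one), has each issue a certificate for mail.google.com, and shows with `openssl verify` that the rogue certificate is accepted the moment its CA is in the trust store, while an SPKI pin (SHA-256 over the DER SubjectPublicKeyInfo, the form used by HPKP and TACK-style pinning) still rejects it. All names, file paths and the throwaway keys are constructed here for illustration; the only dependency is the `openssl` command line tool.

```shell
#!/bin/sh
# Added example (not from the original thread): any trusted CA can issue an
# accepted cert for mail.google.com; an SPKI pin tells the real key apart.
set -e
WORK=$(mktemp -d)                      # throwaway keys and certs live here
trap 'rm -rf "$WORK"' EXIT

# SPKI pin: SHA-256 over the DER SubjectPublicKeyInfo, base64-encoded.
spki_pin() {  # spki_pin <cert.pem>
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl base64
}

# Self-signed CA with basicConstraints CA:TRUE (needed for verify to accept it).
mk_ca() {  # mk_ca <name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1 CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/$1-ca.csr" -signkey "$WORK/$1-ca.key" \
    -days 1 -extfile "$WORK/ca.ext" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# Leaf certificate for mail.google.com signed by the named CA. Nothing in the
# protocol stops the rogue CA from doing exactly what the legitimate one does.
issue() {  # issue <ca-name> <leaf-name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.google.com" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Chain validation, the check a browser performs against its root store.
chain_ok() {  # chain_ok <trust-store.pem> <cert.pem>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mk_ca legit
mk_ca rogue
issue legit real     # the certificate the site really uses
issue rogue mitm     # what an attacker holding any trusted CA can produce

cp "$WORK/legit-ca.crt" "$WORK/legit-only.pem"                      # one root
cat "$WORK/legit-ca.crt" "$WORK/rogue-ca.crt" > "$WORK/trust.pem"  # both roots

# Pinning: the client remembers the real key's pin and compares against it,
# ignoring which CA signed the certificate it was handed.
PIN=$(spki_pin "$WORK/real.crt")
pin_ok() {  # pin_ok <cert.pem>
  [ "$(spki_pin "$1")" = "$PIN" ]
}

report() {  # report <label> <command...>
  label=$1; shift
  if "$@"; then printf '%-45s accepted\n' "$label"
  else          printf '%-45s REJECTED\n' "$label"; fi
}
report "real cert, only legit CA trusted (chain)" chain_ok "$WORK/legit-only.pem" "$WORK/real.crt"
report "mitm cert, only legit CA trusted (chain)" chain_ok "$WORK/legit-only.pem" "$WORK/mitm.crt"
report "mitm cert, rogue CA also trusted (chain)" chain_ok "$WORK/trust.pem" "$WORK/mitm.crt"
report "real cert (SPKI pin)"                     pin_ok "$WORK/real.crt"
report "mitm cert (SPKI pin)"                     pin_ok "$WORK/mitm.crt"
```

The third line of the report is the whole problem: once the rogue CA is in the store (a few hundred roots ship with a browser, and one compromised or coerced CA is enough), the mitm certificate verifies exactly like the real one. The pin check is what actually distinguishes them, which is why pinning has to be deployed by the site or client ahead of time; it also means a key rotation without a matching pin update breaks clients, so real deployments pin a backup key as well.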