I'm not sure that this is particularly interesting news. For starters, when "the government" wants to spy on you, they generally want to do so in such a way as to not reveal that they are doing so - using their own CA is a big tell that something fishy is going on (yes, only if you have the know-how and inclination to do so, but I'm thinking that this is probably the case for most people trying to keep secrets from the government).
No, if they want to hack your SSL comms, they aren't going to do it by using a MITM attack backed by a government-issued root CA, they are going to do it by gaining access to a "neutral" CA (such as Verisign), and obtaining the root certificate's private key. Now you would have a much harder time of figuring out that something has gone wrong, but then, if you're paranoid of the government spying on you, and you are using a CA other than one you own yourself, you've already lost the battle.
Trust is a Hard Problem(tm) to solve. Without using Certificate Authorities that you don't personally know, it is difficult to create a sufficiently trusted network. I think the best attempt at a description of such a system that I have seen is in Cory Doctorow's "Little Brother" (http://craphound.com/littlebrother/download/), but even there it seems to me that there were numerous problems for scaling, or even just avoiding invaders.
All of which is to say that certificate-based technology coupled with CAs that you don't control is not a solution against state-level adversaries. Which in turn makes this entire article fear-mongering rather than a real discovery of a potential threat. In a more cynical mood, I might wonder about the author's motives: was this an attempt to distract away from the fact that the main CAs are not secure against state actors?
I agree, this is not really breaking news. The reality is that any company that wants to operate within the confines of the law can be compelled to work against its purported customers -- no one wants to go to jail because of your website.
One nit to pick: obtaining Verisign's root CA key isn't enough to decrypt traffic over the wire. That would just allow Uncle Sam to issue fake certs that appear to be from Verisign. I think that savvy users might still notice that their cert looks different now (fingerprint, expiration, other details), and put the pieces together. Maybe you use a CA whose root key hasn't been obtained yet. I highly doubt the NSA or whomever would let a fake but validly signed cert into the wild where it can be captured and used to prove their capabilities once and for all.
They might use such a cert in a controlled environment where they are going to seize the target's system in a few minutes, I suppose. Instead, what they really need is either a way to break 2048-bit RSA (not inconceivable) or a way to get your real cert's private key.
To your point about trust and CAs: I don't think it's truly a matter of trust. Verisign, GlobalSign, Digicert, Entrust, et al. are all businesses. They are not inherently untrustworthy (nor trustworthy); they do what they must to be profitable and stay in business. It turns out that end user trust is substantially less important to that equation than remaining in compliance with the government of their host country.
I don't know how you solve that problem. The best thing about the early Internet was that, while heavily US-centric, it was often able to fly under the radar of government oversight and, to an extent, the rule of unpleasant laws. That's no longer possible. The Internet is a source of power and money, and now it has to contend with the oversight and regulation of thousands of governments doing what they do.
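The "savvy users might notice their cert looks different" observation above is the basis of trust-on-first-use pinning: record the leaf certificate's fingerprint the first time you talk to a host, and alarm when a later connection presents a different one, even if the new cert chains to a root your OS trusts. The following is an added example (not code from anyone in this thread) using only the Python standard library; the pin-store path and the `example.test` host name are assumptions for illustration. A mismatch is a signal to investigate, not proof of interception: a legitimately rotated certificate trips it too, which is exactly why the check is a human-review alarm rather than an automatic block.

```python
"""Trust-on-first-use (TOFU) leaf-certificate pinning check.

Added example, not part of the original discussion. Records the SHA-256
fingerprint of a server's DER-encoded leaf certificate and flags any
later change. This catches a substituted cert that still validates
against a trusted root, the case the thread is worried about.
"""
import hashlib
import json
import socket
import ssl
from pathlib import Path

# Hypothetical location for the pin store; any writable path works.
DEFAULT_STORE = Path.home() / ".cert-pins.json"


def fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate (what `openssl x509
    -fingerprint -sha256` prints, minus the colons)."""
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Perform a normal, fully validated TLS handshake and return the
    peer's leaf certificate as DER bytes. Chain validation still runs;
    pinning is a second, independent check layered on top of it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_store(path: Path = DEFAULT_STORE) -> dict:
    """Read the host -> fingerprint map; an absent file is an empty store."""
    if path.exists():
        return json.loads(path.read_text())
    return {}


def save_store(store: dict, path: Path = DEFAULT_STORE) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


def check_pin(host: str, der: bytes, store: dict) -> str:
    """Compare the presented cert against the pin store.

    Returns one of:
      "first-seen" - no pin yet; the fingerprint is recorded (TOFU).
      "match"      - same cert as last time.
      "MISMATCH"   - different cert; the stored pin is NOT overwritten,
                     so the operator decides whether rotation was expected.
    """
    fp = fingerprint(der)
    known = store.get(host)
    if known is None:
        store[host] = fp
        return "first-seen"
    if known == fp:
        return "match"
    return "MISMATCH"


def verify_host(host: str, port: int = 443, path: Path = DEFAULT_STORE) -> str:
    """End-to-end: connect, pin-check, persist any newly learned pin."""
    store = load_store(path)
    verdict = check_pin(host, fetch_leaf_der(host, port), store)
    if verdict == "first-seen":
        save_store(store, path)
    return verdict


if __name__ == "__main__":
    # Constructed stand-ins for DER certificate bytes, so the logic can be
    # exercised offline; a real run would call verify_host("example.test").
    pins: dict = {}
    first_cert = b"constructed-DER-bytes-for-cert-A"
    rotated_cert = b"constructed-DER-bytes-for-cert-B"
    print(check_pin("example.test", first_cert, pins))    # first-seen
    print(check_pin("example.test", first_cert, pins))    # match
    print(check_pin("example.test", rotated_cert, pins))  # MISMATCH
    print("pinned:", pins["example.test"][:16], "...")
```

In practice you would run `verify_host` from a cron job against the handful of hosts you actually care about and page on `MISMATCH`; cross-checking the new fingerprint from a second network vantage point (or against the operator's published fingerprint) distinguishes routine rotation from a path-specific substitution.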
There isn't any way to solve it. People's fears about the PKI boil down to "if I trust anyone else at all, they might betray me". And yet using encryption without trusting other people is impossible. You aren't going to build your own computer from scratch, for example.
I think our industry needs to collectively move beyond "zomg CAs are pwned by governments". It's just unhelpful. Firstly there's no evidence it's true. A bogus cert would be strong evidence, documents from the Snowden archive talking about compromising CAs would be evidence ..... so far we have zilch.
But even if one day it does happen - what next? You end up down the "what if my CPU is backdoored" rabbit hole. Ultimately you have to ignore adversaries that have unlimited power and focus on the ones that do have limits. There's no other way to stay sane.
I agree with you, from a day-to-day standpoint there really is nothing to be done and little point in worrying about it. The only solution is to stop using technology, and that proposition isn't very attractive.
While the ideal solution is technical -- no one can see or interfere with your stuff without your permission -- it isn't practical. Solving the problem with laws and societal pressure is more realistic, although still verging on impossible.