

Ask HN: NSA SSL Private Keys? - iSloth

So we know that the NSA are capturing the majority of internet traffic passing through the USA, currently it&#x27;s a bit more vage on how much access they have to the data&#x2F;servers of Facebook, Google, Twitter etc...<p>And a high percentage of the internet traffic these days it SSL encrypted, especially the more interesting traffic.<p>So what&#x27;s the chance that the NSA have Google&#x27;s, Facebook&#x27;s Private SSL keys? and their actually decrypting the mirrored internet traffic that we know their capturing?
======
lifeguard
The biggest risk is one of the X.509v3 certificates for various Certification
Authorities (CAs) is compromised.

[http://www.cyberciti.biz/faq/firefox-adding-trusted-
ca/](http://www.cyberciti.biz/faq/firefox-adding-trusted-ca/)

Discussion of SSL on cryptome: [http://cryptome.org/0005/ssl-
broken.htm](http://cryptome.org/0005/ssl-broken.htm)

~~~
tptacek
No, it's not; you can only use a compromised CA cert to MITM traffic, and if
you do that, the Chrome users who have Google's actual key identity pinned in
their browser will detect you doing that.

------
JoachimSchipper
Pretty much nil. The NSA isn't stupid; even in the (exceptionally unlikely)
case that they can just MITM any SSL connection without arousing suspicion in
even a well-monitored network, why would they reveal that? _Much_ easier to
just hack your computer/telephone/...

------
viraptor
More likely they have access to a trusted CA, or wildcard certificates that
they can use to apply MitM to specific traffic. Almost the same effect, but no
key stealing is necessary. (although that would require redirecting your
traffic rather than passive capture)

