>> Wonder what has replaced “Xkeyscore” given the wide adoption of TLS.
A nationwide invisible firewall, with man in the middle decryption and permanent storage of all unencrypted data. All run by the major backbones and ISPs.
Start an NSA cutout called Cloudflare. Configure sites to use an SSL/TLS connection to Cloudflare, then a separate SSL/TLS connection from Cloudflare to your actual machine. Then have the marketing team call it "Strict" encryption. Make it free so everyone uses it.
It is also a lot easier since ceetificate pinning has fallen out of favor. Many sites use LetsEncrypt. The Certificate Authority system itself is not reliable.
In a way it is the perfect solution from a Govt perspective. Other countries have systems at this scale and larger. China for example.
What makes the CA system reliable is browsers insisting on Certificate Transparency before trusting a cert. If an attacker creates an evil cert by stealing the ACME verification traffic, there's a permanent record of it. Big corps can monitor the ledger to see what certs have been handed out to their domains.
A nationwide invisible firewall, with man in the middle decryption and permanent storage of all unencrypted data. All run by the major backbones and ISPs.