Comment by treebeard901 a day ago
It is also a lot easier since certificate pinning has fallen out of favor. Many sites use LetsEncrypt. The Certificate Authority system itself is not reliable.
In a way it is the perfect solution from a Govt perspective. Other countries have systems at this scale and larger. China for example.
What makes the CA system reliable is browsers insisting on Certificate Transparency before trusting a cert. If an attacker creates an evil cert by stealing the ACME verification traffic, there's a permanent record of it. Big corps can monitor the ledger to see what certs have been handed out to their domains.
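The monitoring step described in the reply above, as an added example that is not code from either commenter: a domain owner periodically pulls the Certificate Transparency search results for their domain and flags any issuance that does not match what they expect. The record shape mirrors what crt.sh returns for a domain search (an assumption), the entries and the allowlists are constructed, and the entry id is used as the high-water mark so each issuance is reviewed once.

```python
import json

# Constructed sample, shaped like the JSON records crt.sh returns for a domain
# search (an assumption for offline use; these are not real log entries).
SAMPLE_CT_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com",
     "entry_timestamp": "2024-05-01T10:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.com",
     "entry_timestamp": "2024-05-02T11:30:00"},
    {"id": 103, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA Issuing",
     "name_value": "login.example.com\nexample.com",
     "entry_timestamp": "2024-05-03T03:12:00"},
])

# What the domain owner expects to see: the CAs they actually use and the
# hostnames they actually operate (constructed for this example).
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}
KNOWN_HOSTS = {"example.com", "www.example.com", "api.example.com"}


def parse_entries(raw_json, last_seen_id=0):
    """Load log-search records and keep only those newer than the last run,
    so a scheduled monitor reviews each issuance exactly once."""
    entries = json.loads(raw_json)
    return sorted((e for e in entries if e["id"] > last_seen_id), key=lambda e: e["id"])


def find_anomalies(entries, expected_issuers=EXPECTED_ISSUERS, known_hosts=KNOWN_HOSTS):
    """Return (entry id, reason) pairs for certificates that warrant review:
    an issuer the owner never uses, or a name the owner never requested."""
    findings = []
    for e in entries:
        if e["issuer_name"] not in expected_issuers:
            findings.append((e["id"], "unexpected issuer: " + e["issuer_name"]))
        # name_value holds the subject CN and every SAN, newline-separated.
        names = {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()}
        unknown = sorted(names - known_hosts)
        if unknown:
            findings.append((e["id"], "unrequested name(s): " + ", ".join(unknown)))
    return findings


if __name__ == "__main__":
    for entry_id, reason in find_anomalies(parse_entries(SAMPLE_CT_JSON)):
        print(f"review log entry {entry_id}: {reason}")
```

In a real deployment the JSON would come from the log search endpoint and the last seen id would be persisted between runs; a hit on either check is a signal to look at the issuance, not proof of compromise on its own.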