by CydeWeys 3799 days ago
Not without throwing cert errors on every site I visit.

The only way they can MITM me is if they compromise my PC as well and install their root CA.


To connect to the internet you must install Comcast internet-enhancing-certificate. It's the only way to make all websites secure by default™

No reason to compromise when you can force the user.

Ah. True, my mistake.

... or rather get an intermediate certificate from one of the umpteen root CAs your operating system embeds by default.

Is VeriSign going to refuse a certificate to AT&T?

Verisign will happily issue a certificate to AT&T for a domain that AT&T controls.

Verisign will not issue a certificate to AT&T for google.com--no matter how nicely AT&T asks.

Yes, and furthermore there's a very good reason to believe that this claim is true: as soon as they do, every copy of Chrome behind AT&T's network will go and snitch to Google, who will promptly investigate and get Verisign in deep trouble.

Here's what happened when Symantec issued fake Google certificates last year:

https://googleonlinesecurity.blogspot.com/2015/09/improved-d...

https://googleonlinesecurity.blogspot.com/2015/10/sustaining...

"Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in [annoying certificate warnings, just like self-signed certs]."

And that was just the work of a couple of employees who were inappropriately testing their issuance system and weren't even intending to attack anything. They got fired, which I expect is also a big part of why Google's response was so light.

http://www.symantec.com/connect/blogs/tough-day-leaders

>Is VeriSign going to refuse a certificate to AT&T?

I certainly hope so.