Hacker News
by indigochill 3255 days ago
This has me curious (as a complete crypto noob): how would one defend against such a MITM attack in general?

Only send messages to vendors with known "trusted" keys and don't trust new keys? So in general, use a trusted channel for key exchange separate from the communication channel so that a MITM needs to control both channels?

3 comments

Correct. This is what the PGP "web of trust" is supposed to assist with: a trusted key is either one which you have verified, in person, as belonging to your correspondent, or one which has been signed by a number of other correspondents whom you trust to verify keys (and whose keys you have verified in person).
> So in general, use a trusted channel for key exchange separate from the communication channel so that a MITM needs to control both channels?

Yes, this is how PGP verification is supposed to take place.

Someone sends you their public key, and then you meet them in person to verify it.

Of course, nothing stops the government from sending an agent to meet you, but it does raise the effort required to MITM substantially.

Using a standard channel for public key exchange is half the battle. The other half is using a trusted channel to verify the public key does indeed match the public key you were originally sent. "Trusted channel" can be broadly interpreted (and is also often subject to tampering as well).
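The two defences discussed in this thread, an out-of-band fingerprint check and a web-of-trust threshold of in-person-verified introducers, as an added worked example that is not from the thread or from any PGP implementation. It assumes ed25519 keys, a fingerprint defined as the hex SHA-256 of the raw public key (a simplified stand-in for PGP's own fingerprint format), a certification format of "cert:<name>:<key>", and a threshold of two verified introducers; the names vendor, A, B and the MITM key are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint is the short value you would read to your correspondent in
// person. Assumption: hex SHA-256 of the raw key (not PGP's real format).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyOutOfBand compares a key received over the untrusted channel against
// a fingerprint obtained over a separate, trusted channel.
func VerifyOutOfBand(received ed25519.PublicKey, trustedFingerprint string) bool {
	return Fingerprint(received) == trustedFingerprint
}

// Certification is an introducer's signature over a (name, key) binding.
type Certification struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// certMessage binds the name and the exact key bytes, so a certification
// cannot be re-attached to a different key by an attacker.
func certMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+name+":"), pub...)
}

// Certify lets an introducer vouch that pub belongs to name.
func Certify(signer ed25519.PrivateKey, name string, pub ed25519.PublicKey) Certification {
	return Certification{
		Signer: signer.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(signer, certMessage(name, pub)),
	}
}

// TrustedByWeb accepts pub for name if at least threshold distinct introducers
// whose keys you verified in person have signed a valid certification for it.
func TrustedByWeb(name string, pub ed25519.PublicKey, certs []Certification,
	verified []ed25519.PublicKey, threshold int) bool {
	counted := map[string]bool{}
	for _, c := range certs {
		trusted := false
		for _, v := range verified {
			if bytes.Equal(v, c.Signer) {
				trusted = true
				break
			}
		}
		if !trusted || counted[string(c.Signer)] {
			continue // unknown introducer, or already counted once
		}
		if ed25519.Verify(c.Signer, certMessage(name, pub), c.Sig) {
			counted[string(c.Signer)] = true
		}
	}
	return len(counted) >= threshold
}

// Demo runs the constructed scenario: an MITM swaps the vendor's key on the
// wire and tries to pass off certifications for the substituted key.
func Demo() (mitmCaughtByFingerprint, vendorTrustedByWeb, mitmTrustedByWeb bool) {
	vendorPub, _, _ := ed25519.GenerateKey(rand.Reader)
	mitmPub, _, _ := ed25519.GenerateKey(rand.Reader)

	// Fingerprint you obtained from the vendor in person (trusted channel).
	trustedFP := Fingerprint(vendorPub)
	mitmCaughtByFingerprint = VerifyOutOfBand(vendorPub, trustedFP) &&
		!VerifyOutOfBand(mitmPub, trustedFP)

	// Introducers A and B: you verified their keys in person.
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	verified := []ed25519.PublicKey{aPub, bPub}
	certs := []Certification{Certify(aPriv, "vendor", vendorPub), Certify(bPriv, "vendor", vendorPub)}
	vendorTrustedByWeb = TrustedByWeb("vendor", vendorPub, certs, verified, 2)

	// The MITM replays A's and B's real certifications (they bind the real key,
	// so they fail to verify) and adds ones from a key you never verified.
	_, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	mitmCerts := append(certs, Certify(cPriv, "vendor", mitmPub), Certify(cPriv, "vendor", mitmPub))
	mitmTrustedByWeb = TrustedByWeb("vendor", mitmPub, mitmCerts, verified, 2)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("MITM key caught by fingerprint check:", a)
	fmt.Println("vendor key accepted by web of trust:", b)
	fmt.Println("MITM key accepted by web of trust:", c)
}
```

The threshold and the distinct-signer check are what make the "number of other correspondents" rule meaningful: an attacker who controls one unverified key cannot manufacture two introducers, and a replayed certification fails because the signed message includes the key bytes.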