by g-erson 2610 days ago
> They now do a man in the middle attack to decrypt ssl, and store all of it, if you use openvpn as a proxy without accounting for this they own you.

Is there any evidence of this?


Yes, in 2012 GCHQ installed black boxes in every UK ISP that all internet must be routed through [1]. While no one knows what these boxes do, it was thought that they decrypt HTTPS requests and log the request header, which seems to be confirmed by Snowden [2]. In 2016 the Investigatory Powers Act is what gives them the legal authority to do it [3].

They have never claimed they send fake SSL packets to drop the stream, but they have done it to me, and the UK government's stance is kind of against modern TLS greater than 1.2, which fixes the drop stream packet bug [4].

There is plenty more detail about what they are doing out there; search "Snoopers' Charter" and "GCHQ Snowden" to see what they have been doing and are now trying to make legal.

[1] https://www.zdnet.com/article/u-k-spy-agencies-plan-to-insta...

[2] https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encry...

[3] https://www.libertyhumanrights.org.uk/human-rights/privacy/s...

[4] https://www.ncsc.gov.uk/blog-post/tls-13-better-individuals-...

I thought the point of SSL was that a MITM couldn’t decrypt it? Unless they have the private key(s). (Or the ability to substitute their own keys, but that seems to get noticed fairly quickly and the relevant certificate authority gets rapidly shunned).

Yeah, but as you point out, SSL is only as safe as the public key infrastructure it runs on. Backwards compatibility is also an issue; afaik default setups below TLS 1.2 can be degraded to the point where it's only ~70-bit encryption, which can be broken by state actors.

I was told they have intermediate keys for certificate authorities (probably done legally with the CA's permission), and generate a new key signed with the real intermediate. This would be detectable as the cert fingerprint would be different from the legit one; while SSH checks for this by default, SSL does not.

I have tried to detect the above and as far as I can tell they are not doing it, but I believe the people I heard more than I believe my ability to detect it.
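
The fingerprint check the last comment describes, sketched as an added example (not code from the thread): a certificate re-issued under a trusted intermediate still passes chain validation, so the only signal is that its fingerprint differs from the one recorded earlier. The function names, the `example.test` host and the byte strings standing in for DER certificates are assumptions made for the illustration.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Compare a presented certificate with the fingerprint stored for host.

    Returns "first-seen" (pin recorded), "match", or "changed". On "changed"
    the old pin is kept, so the caller has to decide whether this is a
    legitimate renewal or a substituted certificate.
    """
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-seen"
    return "match" if hmac.compare_digest(pinned, seen) else "changed"


def demo() -> list:
    # Constructed stand-ins for DER certificates; real input comes from fetch_der().
    legit = b"constructed-der-bytes: example.test leaf, issued by CA X"
    other = b"constructed-der-bytes: example.test leaf, different key, same CA X"
    store = {}
    return [
        check_pin(store, "example.test", legit),  # first contact, pin recorded
        check_pin(store, "example.test", legit),  # same certificate again
        check_pin(store, "example.test", other),  # same issuer, different cert
    ]


if __name__ == "__main__":
    print(demo())
```

A legitimate renewal also changes the leaf fingerprint, so a "changed" result is a prompt to investigate rather than proof of interception.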