by samwillis 1131 days ago
If they had compromised root keys, then they still need to MITM the connection in order to provide a fake certificate. This would be detectable, and there has been no evidence of it happening, so I'm sceptical it's happened in any significant way. If it was widespread, and not just very targeted, we would know about it.

A government agency using a root key, and getting spotted, would be disastrous for everyone, themselves included. So, if they do have them, and I think you are probably right to assume they do, they would only use them as a last resort in incredibly extreme cases. It would not surprise me if they have them but have never used them.

2 comments

> ... they still need to MITM the connection ... and there has been no evidence of it happening

Because the parent you're replying to seems to be talking about any/all governments rather than just the UK, and I'm guessing your statement here was 'scoped' to the UK only - I think it's important to point out that this absolutely HAS happened on multiple occasions outside of the UK.

https://en.greatfire.org/blog/2013/jan/china-github-and-man-...

https://www.eff.org/deeplinks/2011/05/syrian-man-middle-agai...

https://www.eff.org/deeplinks/2011/08/iranian-man-middle-att...

Only one of those links, the Iranian one, dated 12 years ago, is about a case where there was MITM with a bogus but valid certificate. The Chinese and Syrian cases are just straight MITM, a somewhat knowledgeable teenager could do that, and to the extent it'd work you should focus on things that'd solve for the "knowledgeable teenager" case not the "What if state actors with unlimited resources target me?" case.

Twelve years ago is a different era, no Blessed Methods, no Certificate Transparency, pinning was new, which is why they got caught.

Yes, and they don't need to decrypt everything because of how good metadata is. Remember: we kill people based on metadata.