[XorNot]

Which would be trivial if they had agreements with the various mostly US providers to quickly get man-in-the-middle signed keys from their CA's.

Although this seems like it would be quick to spot since if you were watching certificate fingerprints change then you'd see the switchover and switchback.

[Amadou]

I use the Cert Patrol plugin ( http://patrol.psyced.org/ ) and I've noticed periods of a few days to a week where SSL certs on major sites like google have changed rapidly. Usually they were all from the same authority so I didn't think much of it. But now I am even more paranoid. Thanks man.

[toyg]

Me too, I stopped using that plugin because Facebook and Google would constantly change their certificates, so I'd end up just clicking OKOKOKOK, never looking at the certificate, defeating the whole point.

At the time, I assumed it was just a snag with the umpteen layers of caching and content-distribution networks that they must be using. Now it looks quite a bit more sinister.

[sitkack]

Could you make a showhn or maybe just reply with a pastebin of security/privacy tools you would recommend?

[ryanmolden]

Yeah, I know nothing about this area (so this is just speculation, ignore it as such if you wish), but it seems getting a firehose feed of all traffic would be easier and less exposure prone, than getting every ISP to allow a MITM and having absolutely no one in the computer security industry notice. Don't get me wrong, I would prefer a MITM, at least then you know they haven't broken crypto that is widely believed secure, the alternative is a bit scarier :)