[mike_hearn]

Bear in mind they don't actually need to hack or coerce a CA to get them to issue a fake cert. CAs check ownership of a website by either sending an email or doing a regular HTTP request to the website i.e. doing the sort of request that QUANTUM is very good at intercepting and redirecting.

In other words the NSA could MITM the CA<->website connection and get themselves a cert issued in the regular manner.

However I do not believe they are doing this at any meaningful scale, and possibly not at all. It's clear from the Snowden archives that they focus almost exclusively on malware. That has a lot of advantages for them over creating fake SSL certs.

Also bear in mind that certificate transparency is a multi-year plan to prevent secret issuance of certificates. So there is effort being done to reveal such attacks even before they are happening. Not too shabby!