> Some of the top-level indicators are surprisingly healthy. HTTPS adoption has taken off like a rocket, driven in part by Google’s willingness to use it as a signal for search rankings — and the rise of free Certificate Authorities like LetsEncrypt. It’s possible that these things would have happened eventually without Snowden, but it’s less likely.
> End-to-end encrypted messaging has also taken off like a rocket, largely due to adoption by WhatsApp and a host of relatively new apps. It’s reached the point where law enforcement agencies have begun to freak out, as the slide below illustrates.
The engineering and technology culture around security and product development has certainly changed. The IETF even adopted "Pervasive Monitoring Is an Attack"[1] as a best current practice.
Let's Encrypt brought TLS to the masses, browsers are bringing focus to sites still not using transport encryption, https is a signal for Google ranking.
That had nothing to do with Snowden and everything to do with Firesheep. I remember people panicking when Firesheep came out, and that led to the whole "we should all be using TLS" thing.
That's non-targeted attacks. Nothing stops the targeted attacks.
Sure, they might not be able to listen in on those https connections, but if they wanted to attack/listen to this Joe Smith over here, they are more than capable, and still do it.
More SSL traffic gets terminated at CF, AWS & Co. Build a data center next door, mail them the NSL and off you go. Much easier than running covert operations hooking into lots of CIX and providers worldwide.
I always assumed Let's Encrypt was an NSA front so that they can decrypt most of the https traffic.
Remember just after the Snowden revelations all the 3 letter agencies were very worried about https adoption rising, then their concerns suddenly disappeared.
However I have no idea how encryption works so maybe my hunch is stupid (I remember that the NSA impersonated a certificate authority for that purpose).
> However I have no idea how encryption works so maybe my hunch is stupid
Your words, not mine.
The person who created Let's Encrypt started it as his thesis in college. From there he received assistance from the EFF, some of its staff, and a few other volunteers. None of them are anonymous, all working in the space before Let's Encrypt. It's fully open source and there are no backdoors in TLS encryption.
I think you don't understand how certificates are created. You never have Let's Encrypt create a private key for you. You do it yourself, and LE just gives you a signed proof it acknowledged the new cert.
You'd need to issue a fake certificate to do a MITM attack; they wouldn't be able to decrypt existing traffic without issuing one, which would be noticed by someone watching. Key pinning would have helped with that but it was mostly used to accidentally lose your keys and lock people out of your server.
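
The pinning trade-off from the last comment, as an added example that is not part of the thread: a minimal model of an RFC 7469 (HPKP) client-side pin check. The SPKI byte strings, the `PinStore` class and the `demo` helper are constructed stand-ins, not real keys or any browser's code.

```python
import base64, hashlib, re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Parse a Public-Key-Pins header value into (set of pins, max-age seconds)."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    m = re.search(r'max-age=(\d+)', header)
    return pins, (int(m.group(1)) if m else 0)

class PinStore:
    """Pin cache for a single host (constructed model for illustration)."""
    def __init__(self):
        self.pins, self.expires = set(), 0

    def note(self, header, chain_spkis, now):
        pins, max_age = parse_pkp(header)
        chain = {spki_pin(s) for s in chain_spkis}
        # RFC 7469: accept only with one pin in the chain AND one backup pin outside it.
        if pins & chain and pins - chain and max_age > 0:
            self.pins, self.expires = pins, now + max_age
            return True
        return False

    def check(self, chain_spkis, now):
        if now >= self.expires:
            return "no-pin"                      # nothing cached, or the pin has expired
        chain = {spki_pin(s) for s in chain_spkis}
        return "ok" if self.pins & chain else "blocked"

# Constructed stand-ins for DER-encoded SPKI blobs (not real keys).
SITE, BACKUP, CA, ROGUE, NEW = (b"constructed-spki:" + n for n in
                                (b"site", b"backup", b"ca", b"misissued", b"replacement"))

def demo():
    store = PinStore()
    header = (f'pin-sha256="{spki_pin(SITE)}"; pin-sha256="{spki_pin(BACKUP)}"; '
              'max-age=5184000')
    noted = store.note(header, [SITE, CA], now=0)
    # Leaf key presented on later connections; the CA key itself is not pinned.
    chains = {"normal": SITE, "misissued": ROGUE, "key_lost": NEW, "backup": BACKUP}
    result = {k: store.check([leaf, CA], now=100) for k, leaf in chains.items()}
    result.update(noted=noted, after_expiry=store.check([NEW, CA], now=5184000))
    return result

if __name__ == "__main__":
    print(demo())
```

A certificate mis-issued for a different key is blocked, but so is the legitimate operator's replacement key after the pinned key is lost, until `max-age` runs out or the backup key is deployed.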