There are 270+ CAs out there. All the NSA has to do is compromise the CA cert keys of one of them and they can then generate their own valid certs, completely disconnected from CT. All CT tells you is somebody goofed, was tricked into issuing a cert, or an account was compromised and an attacker generated a cert. In other words, not-super-advanced attacks.
The NSA have plenty of tricks. They intercept devices being shipped around the country/world, they tap cables, they dig into airgapped networks, they compromise satellites, they compromise the internal networks of the world's biggest corporations. They've been doing this for decades. If we don't believe they can compromise one organization out of 270...
> and they can then generate their own valid certs, completely disconnected from CT
Aren't browsers now requiring that certificates from many CAs (if not all of them) are submitted to CT before they are accepted as valid by the browser? That is, a certificate without an attached CT proof, even if it has a valid signature from the CA, will be treated as invalid.
(However, given what's being talked about (MITM of software update servers), this might be enough if the libraries being used by the software updater are not as strict as the browsers, and don't require an attached CT proof.)
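An added example, not from the thread, of the check the comment above says a non-browser TLS client may skip: parsing the SCT list embedded in a certificate's RFC 6962 extension and applying a minimal distinct-log policy. The sample SCTs (fake log IDs, zero signatures) and the two-log threshold are constructed assumptions, and signature verification against log keys is not included.

```python
import struct
from collections import namedtuple

# RFC 6962 section 3.3: the X.509 SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) holds an
# OCTET STRING whose contents are a TLS-encoded SignedCertificateTimestampList.
SCT = namedtuple("SCT", "log_id timestamp_ms hash_alg sig_alg signature")

def _read_vec(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read a 2-byte-length-prefixed vector at pos; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from("!H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_sct(data: bytes) -> SCT:
    """Parse one serialized v1 SignedCertificateTimestamp (RFC 6962 section 3.2)."""
    if len(data) < 41 or data[0] != 0:  # version byte 0 = v1, the only defined version
        raise ValueError("bad SCT header")
    (ts,) = struct.unpack_from("!Q", data, 33)  # log_id is data[1:33], timestamp follows
    _exts, pos = _read_vec(data, 41)  # CtExtensions vector (empty in practice)
    sig, end = _read_vec(data, pos + 2)  # DigitallySigned: hash alg, sig alg, signature
    if end != len(data):
        raise ValueError("trailing bytes in SCT")
    return SCT(data[1:33], ts, data[pos], data[pos + 1], sig)

def parse_sct_list(tls_list: bytes) -> list[SCT]:
    """Parse the SignedCertificateTimestampList (ASN.1 OCTET STRING already unwrapped)."""
    items, end = _read_vec(tls_list, 0)
    if end != len(tls_list):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(items):
        raw, pos = _read_vec(items, pos)
        scts.append(parse_sct(raw))
    return scts

def meets_ct_policy(scts: list[SCT], min_distinct_logs: int = 2) -> bool:
    """Simplified embedding policy (an assumption, not any browser's exact rules): SCTs from
    at least N distinct logs. Checking each signature against known log keys is a separate step."""
    return len({s.log_id for s in scts}) >= min_distinct_logs

def build_sct_list(entries: list[tuple[bytes, int]]) -> bytes:
    """Serialize constructed v1 SCTs (fake log IDs, placeholder zero signatures) into a list."""
    scts = [b"\x00" + lid + struct.pack("!QH", ts, 0) + b"\x04\x03\x00\x40" + b"\x00" * 64
            for lid, ts in entries]
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body

# Constructed input: two SCTs from two distinct (fake) logs.
SAMPLE_TWO_LOGS = build_sct_list([(b"\x01" * 32, 1579000000000), (b"\x02" * 32, 1579000001000)])
```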
The NSA released a who-knows-how-many-day in crypt32.dll to Microsoft recently that allows one to bypass app/driver EC certificate verification. It’s called CVE-2020-0601.
My assumption is that they had it for years and released it for patching the moment they detected anyone else using it.
It’s not TLS, but it’s close. I still think they’d be bad at their job if they didn’t have some method of getting valid certs, and I don’t think they are bad at their job. With bulk collection they may be able to spoof replies to LE DNS verification. There are lots of avenues.
Is there any evidence of this? With certificate transparency being mandatory a few years ago, you'd think that the NSA would be caught at least once.