
I was in this session and the biggest takeaway I had was that the ACLU and Snowden believe a technical solution is possible to end mass surveillance, but they aren't concerned with individual targeted surveillance. I think this was a good way of framing the discussion with actionable steps like PFS, end-to-end encryption (Snowden name-checked Whisper Systems), FDE, SSL everywhere, not storing data forever, etc. The ACLU seemed to think that pressure can be brought on big companies to at the bare minimum require SSL, which immediately makes mass surveillance more difficult.



SSL only makes mass surveillance difficult for the people who can't lean on a CA. I somehow suspect that if the NSA decided it wanted to, it could get itself an intermediate cert that it could use to MITM SSL sessions.


I don't think they need to get one; take a look at the CAs that are in your browser. Do you implicitly trust all of those organizations and governments? It doesn't matter if you do as your browser already does.


This hasn't been the case since Chrome implemented certificate pinning in 2011.


Chrome pinning doesn't break corporate MITM proxies.

https://www.imperialviolet.org/2011/05/04/pinning.html


Obviously, if they can install additional Root CAs, they have enough access to do absolutely anything as your user on your machine, including installing trojaned versions of all your apps. That isn't the issue gp was discussing.


Is it possible to "double up" on certificates somehow so that a service can offer certificates from 2 or more Certificate Authorities simultaneously? The goal here would be to get a certificate from CA A that might be compromised by global persistent threat X, but not global persistent threat Y, and another certificate from CA B that might be compromised by global persistent threat Y, but not global persistent threat X. e.g. using a certificate from an American CA and a Russian CA simultaneously would likely only expose you if both the Americans and Russians cooperate to eavesdrop on you.


I kinda see what you're getting at, but that wouldn't fix anything. If I interpret what you want correctly, you basically want a cert that is dual-signed by multiple CAs which would be under different political jurisdictions. It's a clever idea, but it's not really usable. Clients validate that they trust a member in the signing chain, not all members in the signing chain, so as soon as the browser encounters a signing authority that it trusts, it will trust the cert.

Furthermore, this wouldn't really stop a bad actor from getting a cert signed by a third CA which your browser trusts and MITMing it to you, unless you're cert pinning, which practically nobody is because it comes with a tremendous list of user experience issues.
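
The acceptance logic argued over in this thread, as an added example that is not part of any comment: a simplified Python model of "any trusted root is enough" validation with an optional pin check. The certificate fields, CA names, host name and key bytes are constructed, signature verification is omitted, and skipping pins for user-installed roots models the behaviour described in the linked imperialviolet.org post.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # constructed stand-in for the DER-encoded public key

def pin(cert):
    # A pin is a hash of the public key, so it survives certificate renewal.
    return hashlib.sha256(cert.spki).hexdigest()

def validate(chain, builtin_roots, local_roots=frozenset(), pins=None):
    """chain is leaf-first; signature checks are omitted in this model."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return "reject: broken chain"
    anchor = chain[-1].subject
    if anchor not in builtin_roots and anchor not in local_roots:
        return "reject: untrusted root"
    # Pins are skipped for user-installed roots, so corporate proxies keep working.
    if pins and anchor not in local_roots:
        if not any(pin(c) in pins for c in chain):
            return "reject: pin violation"
    return "accept"

def leaf(host, ca, key):
    return Cert(host, ca.subject, key)

def run_scenarios():
    ca_a = Cert("CA A", "CA A", b"key-ca-a")
    ca_b = Cert("CA B", "CA B", b"key-ca-b")
    ca_c = Cert("CA C", "CA C", b"key-ca-c")
    corp = Cert("Corp Proxy Root", "Corp Proxy Root", b"key-corp")
    builtin = {"CA A", "CA B", "CA C"}
    site_pins = {pin(ca_a), pin(ca_b)}  # site uses A, keeps B as a backup pin
    genuine = [leaf("example.test", ca_a, b"key-site"), ca_a]
    misissued = [leaf("example.test", ca_c, b"key-other"), ca_c]
    proxied = [leaf("example.test", corp, b"key-proxy"), corp]
    return {
        "genuine_pinned": validate(genuine, builtin, pins=site_pins),
        "misissued_unpinned": validate(misissued, builtin),
        "misissued_pinned": validate(misissued, builtin, pins=site_pins),
        "proxy_pinned": validate(proxied, builtin, {"Corp Proxy Root"}, site_pins),
        "unknown_root": validate(proxied, builtin, pins=site_pins),
    }
```

Without pins, the chain from the third CA is accepted because the client only needs one trusted root; with pins it is rejected, while the chain ending at a user-installed root is still accepted.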


Probably not on a massive scale, given scans, pinning, and pin violation reports.

Real-world MITM attacks involving certificate misissuance have already been caught by these means (mostly by Google, which is putting the most effort into it).



