
Why can't the NSA just force a web PKI cert provider to create a fake certificate for them?

We know from the Lavabit case that once you start keeping private keys away from the feds they start making problems for you. Prove to me that every single root your browser trusts is not compromised.



Who says they don't? TAO - tailored access operations - is known to intercept physical delivery and re-solder chips onto hardware to get access. It is all a question of "how much do you spend on a specific target".

However, every such change could tip the target off: if you replace the certificate and the target knows the key of the cert they expect, that will tip them off. Now a lot of these tools are about mass surveillance and big data: collecting metadata about everyone, not about some well-defined target, then running big data analysis on it to discover targets. Like you have one person who is flagged and they talk a lot to this "HackerNews-Server", and so all others who talk to that server get an increase in score, and now multiple of those people have a score above a threshold and get flagged. Can't do that if you don't spy on everyone.

But they can't run active intrusion against every civilian ever without exploding costs and high chance of being detected.


To catch that we have Certificate Transparency. It's not 100%, but makes it a risky proposition and not viable for large scale.


These kinds of attacks are usually run by a major threat actor (i.e. nation state), targeted, and not run at large scale. Certificate transparency is unlikely to help in this case. Key pinning was the more secure option. For some issues see:

https://www.agwa.name/blog/post/how_will_certificate_transpa...

https://tools.ietf.org/html/draft-ietf-trans-threat-analysis...


They maybe don't even need to force them. There are plenty of certificate authorities. Just look at your browser's list of trusted CAs, or even worse the big number included in Android. You can assume that some of those are at least in bed with TLAs or can't withstand an attack for stealing the keys. There are hundreds of those. If only one is compromised, an attacker could issue valid certificates for whatever website you visit. They are maybe not going to risk a root CA, but there are plenty of intermediate ones. Some are directly controlled by states, so no reason to compromise anyone.

https://ccadb-public.secure.force.com/mozilla/IncludedCACert...

https://ccadb-public.secure.force.com/mozilla/PublicAllInter...

https://security.stackexchange.com/questions/2268/how-feasib...
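Added example (not from this thread or any commenter) illustrating the point made in the key-pinning comment and the compromised-CA comment above: a certificate issued by any one of the hundreds of trusted CAs passes ordinary path validation, but a client that pins the site's own SubjectPublicKeyInfo rejects it, while a planned key rotation to a pinned backup key still succeeds. The pin format follows RFC 7469 (base64 of SHA-256 over the SPKI DER). Everything else is an assumption of this example: the keys are constructed 32-byte stand-ins wrapped in an Ed25519 SPKI encoding, and path validation is reduced to "the chain ends at a trusted root" because signature checking is not the point here.

```python
import base64
import hashlib
from typing import Iterable, List, Set

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
#   SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 }, BIT STRING(33) { 0x00 || key[32] } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_key


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64(SHA-256(SPKI DER)). This is what a client stores,
    and it is independent of which CA signed the certificate."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def chain_matches_pins(chain_spkis: Iterable[bytes], pinned: Set[str]) -> bool:
    """A chain satisfies the pin set if any SPKI in it hashes to a pinned value."""
    return any(spki_pin(spki) in pinned for spki in chain_spkis)


def chains_to_trusted_root(chain_spkis: List[bytes], trusted_roots: Set[bytes]) -> bool:
    """Stand-in for X.509 path validation (assumption of this example): a real
    client also verifies every signature; here we only model the outcome that
    matters for the thread, namely that the chain ends at a trusted root."""
    return chain_spkis[-1] in trusted_roots


def evaluate(chain_spkis: List[bytes], pinned: Set[str], trusted_roots: Set[bytes]) -> dict:
    """Report both checks separately so the gap between them is visible."""
    return {
        "chains_to_trusted_root": chains_to_trusted_root(chain_spkis, trusted_roots),
        "matches_pin": chain_matches_pins(chain_spkis, pinned),
    }


def demo_key(label: str) -> bytes:
    """Constructed stand-in for a public key: 32 deterministic bytes from a label."""
    return hashlib.sha256(b"constructed-demo-key:" + label.encode()).digest()


# Constructed actors. One root is trusted; two intermediates chain to it, one of
# which is under an attacker's control (the "only one compromised CA" scenario).
ROOT = ed25519_spki(demo_key("trusted root CA"))
LEGIT_INTERMEDIATE = ed25519_spki(demo_key("legitimate intermediate"))
COMPROMISED_INTERMEDIATE = ed25519_spki(demo_key("compromised intermediate"))
SITE_KEY = ed25519_spki(demo_key("site leaf key"))
SITE_BACKUP_KEY = ed25519_spki(demo_key("site backup leaf key"))
ROGUE_LEAF = ed25519_spki(demo_key("rogue leaf key"))

# The site publishes two pins: its current key and a backup, so a rotation does
# not lock out clients that cached the old pin set.
SITE_PINS = frozenset({spki_pin(SITE_KEY), spki_pin(SITE_BACKUP_KEY)})
TRUSTED_ROOTS = frozenset({ROOT})

LEGIT_CHAIN = [SITE_KEY, LEGIT_INTERMEDIATE, ROOT]
ROTATED_CHAIN = [SITE_BACKUP_KEY, LEGIT_INTERMEDIATE, ROOT]
ROGUE_CHAIN = [ROGUE_LEAF, COMPROMISED_INTERMEDIATE, ROOT]


if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("rotated", ROTATED_CHAIN), ("rogue", ROGUE_CHAIN)):
        print(name, evaluate(chain, SITE_PINS, TRUSTED_ROOTS))
```

Running it shows the rogue chain passing the trust-store check and failing the pin check, which is the detection a pinned client gets and an unpinned one does not. The flip side the key-pinning comment alludes to is operational: lose both pinned keys and your own site is unreachable until the pins expire, which is why browsers dropped HPKP and why CT, with its weaker but non-brittle guarantee, won out for the web at large.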



