Re: The UK government?
correction of response B)
The Ohio news reports today that the new NSA Bluffdale Utah data-centre will not be used for spying on (US) email. ...so that's OK then.....I guess they'll just be using their PCIe gen3 GPU Appliance crates to mint Bitcoins?
http://www.dispatch.com/content/stories/national_world/2013/04/16/nsa-utah-facility-not-for-spying-on-email.html
meanwhile I forgot to mention SSL, and FF; personally - and I speak for myself here - I tend to use Chrome more as FF doesn't handle SSL certificates in the most trustworthy way - Mozilla might have suffered 'Market Capture' and a very tight/protected/extensionified Chrome is safer to use?
http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ describes the use of a poisoned pdf file to download from a cloud a ten megabyte banking-attack trojan, all software was digitally signed using a valid digital certificate. The fake Brazilian company that recently bought the signing certificate from DigiCert previously used another fake company in November 2012 for similar attacks. Presumably they will attack again now that their second certificate has been revoked. Online crime is lucrative and low-risk for the attackers.
Trust and Security of the entire internet is based on Netscape's invention of SSL. Proving that our current X.509 Browser/Certificate Authority SSL trust-relationship is broken is data gathered by the SSL Observatory and others, particularly http://www.ccssforum.org/malware-certificates.php where 124 fake no, Real CA signing certificates have been used by malware authors.
As any certificate can be used to sign any domain, (e.g. TurkTrust signing *.google.com recently) the PKI infrastructure is just as secure as its weakest link, and the weakest links are not secure (in absolute context they are mostly but not completely secure) The 124 real certificates were purchased over 2.5 years.
So that's a background level of around 60 certificates a year purchased fraudulently - out of millions used mostly correctly. To this can be added the numbers of stolen SSL certificates (hundreds to unknown, maybe thousands) and the 'Nation State' 'misuse' of SSL proxy certificates to which only South Korea has officially admitted but is widespread (millions), and increasing with the greater use of national DPI/Proxy systems. So the odds to be hit hard by targeted malware that bypasses current OS & Browser & AV detection are slightly better than winning a lottery - but with worse results!
Crypto academics currently claim privately that the Certificate Authorities and Browser manufacturers live in a state of capture, neither wishing to change a lucrative revenue model, the faults are known, but are ignored by most Browser organisations. Trust in the current Certificate Authorities and Browser implementation is misplaced. Their industry body "CABForum" seems to have been designed to resist change, and simply enforce their 1990 model of security.We are 20 years beyond Netscape in terms of threats and challenges!
CA/Browser Forum "a voluntary online security standards organisation" (public is not allowed to participate) Members are here <https://www.cabforum.org/forum.html> Apple, Google, Microsoft, Opera, Mozilla + certificate authorities
Slow change maybe coming to the CABForum? http://www.darkreading.com/security/news/240005230/ca-browser-forum-s-mandated-royalty-free-intellectual-property-policy-change-spurs-entrust-to-withdraw-from-organization.html This article explains why Entrust has recently withdrawn from CABForum, apparently over IPR issues but mostly quote "many smaller, unproven CAs are empowered with issuing digital certificates that could very well jeopardize the trust and security of the entire Internet. Entrust can't support this position."
When the No.2 Certificate Authority is saying that things might be bad - I'd tend to agree with them!