NSA might have also corrupted US Certificate Authorities

[infested999]

We know about the wiretapping but I never thought of it like this.

FISA requires all SSL Certificate Authorities (RapidSSL/VeriSign) to cooperate with what they want. This means that the NSA could have created/modified SSL certificates however they like.

If they can do this, that means they could do an SSL man-in-the-middle attack without the (this connection is insecure) warning in your browser, correct?

[mmeijeri]

Correct.

[01BTC10]

https://www.grc.com/fingerprints.htm

[infested999]

https://www.grc.com/fingerprints.htm

It says:

But IF this SSL page was intercepted, its certificate fingerprint will HAVE TO BE DIFFERENT since authentic SSL certificates are impossible to perfectly duplicate.

But they can perfectly duplicate VeriSign/RapidSSL/etc. certificates because they have access to their systems.

[Littleshop]

https://www.grc.com/fingerprints.htm

It says:

But IF this SSL page was intercepted, its certificate fingerprint will HAVE TO BE DIFFERENT since authentic SSL certificates are impossible to perfectly duplicate.

But they can perfectly duplicate VeriSign/RapidSSL/etc. certificates because they have access to their systems.

Not exactly.  GRC is right if there is no cooperation between the intercepted site and the interceptor.  Examples:

Bitcointalk has brand X SSL. 
interceptor has control over brand X SSL authority
Bitcoin talk has still used its own private key that is unknown to EITHER brand X SSL or the interceptor.  The fingerprint would be different.

Google has brand X SSL
interceptor has control over brand x SSL authority
Google GIVES interceptor private key*
The interceptor now has identical fingerprint.

* with this level of cooperation, interceptor could get all the data needed from Google alone without control over SSL authority.