CA Compromise MITM Attacks

It's worse. A compromise of any certificate authority will do this.

The attacker needs to generate a new cert that the client trusts. This is easy on a corporate network where you can force users to trust a private CA. Unlikely to happen with a US ISP, but possible if someone hacks the CA (eg DigiNotar) or the CA hands out unconstrained certificates to someone who acts badly (eg CNNIC).

Sure, but if they've MITM:ed your trusted certs, aren't you already boned in so many ways?

The thing with certificate is that you have to trust that the certificate authorities won't sell (or give) fake certificate to ISP or government. If they do so, the ISP can MITM you.

You're thinking too small scale.Certificate Authorities are almost certainly compromised. Why bother with one at a time when you can just force the vendor to hand the keys to the castle over? Sign your own certs, MITM anyone you want.

Yes, and with those scenarios if your root certificate has been maliciously modified https isn't going to save you either

Yes: assume one of the thousands of CAs you trust has been compromised by NSA.

If I know Let's Encrypt's secrets, and I control your network, I can set up a valid certificate on my server and MitM you.

Yes and no.At a basic level, yes, any CA can issue a certificate which can be used to launch a MITM attack. We trust that the CAs don't do this. If they're caught, the browser industry tends to revoke their CA status -- which is pretty bad for the CA's business model.That said, the CAs have been under increased scrutiny lately, and browsers are starting to build additional protections against this kind of thing:- Certificate pinning (HPKP) allows sites to restrict which c

Only if you have a cert that the browser trusts for that domain. If a CA was found to be illicitly minting certs, browsers and operating systems would untrust them. All their certs would stop working. Their business would be ruined.