
Only if the victim trusts the attacker's certs, right?

That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).



Mozilla would kick Comcast out of the root CA list pretty fast.

Finally, there are certificate transparency logs; you can set CT headers on your site to require the certificate to be in CT logs. Then you can monitor if anyone creates certificates for your domain. And updated clients can validate that certificates are in the CT logs.

HTTPS is pretty robust these days. There are still a few corner cases around SNI, but that only leaks what host you're visiting, and wouldn't allow injection -- and specs are slowly closing those holes too.


Is there a published list of Root CA fingerprints a specific version of OS or browser is supposed to have that I can compare to? In other words, how can one tell if their browser/OS is not compromised with undesirable Root CAs?


Mozilla maintains a list of root CAs that are distributed with Firefox, and used by most other vendors too.

But really, if you don't trust what's installed on your machine, it's game over.
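The comparison asked about above, as an added example that is not part of the thread: it hashes every certificate in a PEM trust bundle (SHA-256 over the DER bytes) and diffs the result against a reference list of fingerprints. The function names, the sample "certificates" (placeholder bytes) and the assumption that the reference is a list of SHA-256 fingerprints exported from a vendor's published root list are all constructed for illustration.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return upper-case hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def pem_fingerprints(bundle_text):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    fps = []
    for match in PEM_RE.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest().upper())
    return fps

def diff_trust_store(local_bundle, reference_fps):
    """Roots present locally but not in the reference, and the reverse."""
    local = set(pem_fingerprints(local_bundle))
    reference = {normalize(fp) for fp in reference_fps}
    return {"unexpected": sorted(local - reference),
            "missing": sorted(reference - local)}

# --- constructed sample data: placeholder bytes, not real certificates ---
def to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fp(der, sep=""):
    digest = hashlib.sha256(der).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, 64, 2))

ROOT_A, ROOT_B, ROOT_C, ROOT_X = (
    b"constructed root " + n * 40 for n in (b"A", b"B", b"C", b"X"))
LOCAL_BUNDLE = to_pem(ROOT_A) + to_pem(ROOT_B) + to_pem(ROOT_X)
# Reference list mixes colon-separated and plain-hex fingerprint styles.
REFERENCE = [fp(ROOT_A, ":"), fp(ROOT_B), fp(ROOT_C, ":")]

if __name__ == "__main__":
    report = diff_trust_store(LOCAL_BUNDLE, REFERENCE)
    print("unexpected locally:", report["unexpected"])
    print("missing locally:   ", report["missing"])
```

An "unexpected" entry is a root the local store trusts that the reference does not list; a "missing" one may only mean the local store is older or newer than the reference.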


> That said, Comcast is big enough that it might be in cahoots with at least one less-than-scrupulous CA (or might even be a CA; I don't follow these sorts of things closely enough).

The moment that was discovered, the CA would stop being a trusted CA.


Only if it was a barely used CA. If killing it would break lots of sites, it would take years to kill if ever.


There's a lot more appetite these days for enforcing requirements on CAs, ever since CT started going down the road towards mandatory, and ever since misbehaving CAs started getting forced to implement it immediately. Intentionally MITMing TLS on the broader Internet the way this thread is talking about would be a fairly quick death sentence.

Also, given the existence of Let's Encrypt, there's much less reason to be using a paid CA, and planned migration to a new CA provider isn't too much to ask. There'd likely be some work within browsers to provide clear error messages, and sites would need some amount of time to migrate, but I think we're talking days-to-weeks before there's a warning banner on the sites and months at most before the CA is dead.



