> all major browsers are developed by entities based in the US, that are therefore subject to National Security Letters
Those browsers are Open Source. (Well, Firefox is, and Chrome's core is even though Chrome isn't). If they tried to ship a MITM-enabling mechanism it'd be obvious.
> I mean sure, you have to accept the government of Greece's certificate because they're the legitimate authority
They're not the authority for arbitrary domains on the Internet, no. Only domains that have requested a certificate through that CA. This is what Certificate Transparency is for. If a Certificate Transparency log shows a CA (governmental or otherwise) issuing a certificate for somecompany.example, and the entity controlling somecompany.example didn't request that certificate, that CA has some explaining to do, and if the answer isn't "here's exactly what happened and how we'll make sure it can never happen again", the likely outcome is that browsers will stop trusting that CA.
The point of CT is that you can't silently issue MITM certificates without permanently burning an entire CA to do it.
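The monitoring step this argument relies on, as an added example that is not part of the comment or the thread: the owner of somecompany.example compares CT log entries covering their domain against the CAs they actually use and flags anything else. The records are constructed sample data shaped like crt.sh's JSON output (issuer_name, name_value, not_before); the issuer names, including the "Hypothetical Government CA", are placeholders.

```python
"""Flag CT log entries for a domain whose issuer is not one the owner uses.
The entries below are constructed sample data shaped like crt.sh's JSON output
(issuer_name, name_value, not_before); nothing here touches the network."""

# Constructed sample CT entries for somecompany.example (not real log data).
SAMPLE_LOG = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "somecompany.example\nwww.somecompany.example",
     "not_before": "2024-03-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.somecompany.example",
     "not_before": "2024-04-01T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Hypothetical Government CA, CN=Gov Root",
     "name_value": "mail.somecompany.example",
     "not_before": "2024-05-01T00:00:00"},
    {"id": 4, "issuer_name": "C=XX, O=Other CA, CN=Other",
     "name_value": "somecompany.example.attacker.example",
     "not_before": "2024-05-02T00:00:00"},
]


def covers(name: str, domain: str) -> bool:
    """True if a SAN entry (plain or wildcard) lies inside domain's namespace.
    A lookalike such as somecompany.example.attacker.example does not."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # *.somecompany.example is still ours
    return name == domain or name.endswith("." + domain)


def unexpected_issuances(entries, domain, authorized_issuers):
    """Return entries that cover `domain` but were issued by a CA the owner
    never requested a certificate from: the mis-issuances CT is meant to surface."""
    flagged = []
    for e in entries:
        sans = [s.strip() for s in e["name_value"].split("\n") if s.strip()]
        if not any(covers(s, domain) for s in sans):
            continue  # not our domain, e.g. a lookalike registered elsewhere
        if e["issuer_name"] not in authorized_issuers:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    ours = {"C=US, O=Let's Encrypt, CN=R3"}
    for e in unexpected_issuances(SAMPLE_LOG, "somecompany.example", ours):
        print(f"entry {e['id']}: {e['name_value']!r} issued by {e['issuer_name']}")
```

A real monitor would feed this the entries returned for the domain by a CT log or an aggregator such as crt.sh instead of SAMPLE_LOG.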