Mostly. No matter how much you trim your certificate chain, there's nothing preventing Google/your bank/Amazon/etc from sharing their private key with, say, Uncle Sam. However, the backdoor admin access that the gov't gets to sites like TwitterFace and Gmail probably makes that a pointless effort.
Confidentiality/Authenticity are pretty much impossible to guarantee unless you control everything on both ends.
I mean yes, if you're paranoid enough you probably should build an underground bunker in the mountains and grow your food, but objectively there is a huge security difference between whatever shenanigans a trusted partner may be up to and a large body of auto-trusted, potentially leakable-to-who-knows-where subcerts.
Makes you wonder what actually happened with TrustWave (there's obviously more to it than "Oh, this was an ethical dilemma so we stopped."). Probably their customer found a way into the intermediate CA private key and was being naughty with it.
What I think sparked Mozilla is TrustWave's claim that this kind of thing is widespread and commonplace among CAs. That shouldn't surprise anyone, though.
Chrome already has a mechanism to detect a MITM for Google's servers by embedding those servers' public keys into Chrome itself.
Of course, that doesn't stop a company from placing locally-trusted rogue certificates on computers they control, overriding Chrome's public-key pinning check. But it means that they can't MITM a connection from your personal laptop when you're on their network.
They can do public-key pinning like Chrome does (for example, they embed the "mail.google.com" public key into Chrome itself, and verify that it's the certificate you're TLS'ing to).
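Added example (not from the thread or from Chrome's code) showing the pinning check the comments above describe: a pin is the SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo, the chain passes if any certificate in it matches an embedded pin, and, as the earlier comment notes, enforcement is skipped when the chain ends in a locally-installed root. The key material is constructed for the demo; only the SPKI encoding shape is real.

```python
import base64
import hashlib


def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (bodies up to 65535 bytes)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def fake_rsa_spki(modulus: bytes) -> bytes:
    """SubjectPublicKeyInfo around a constructed (not real) RSA modulus."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg_id = der_tlv(0x30, rsa_oid + der_tlv(0x05, b""))  # AlgorithmIdentifier + NULL
    # RSAPublicKey: leading 0x00 keeps the INTEGER positive; e = 65537
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits


def spki_pin(spki_der: bytes) -> str:
    """A pin is base64(SHA-256(DER SPKI)), so it survives certificate renewal
    as long as the site keeps the same key pair."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def chain_matches_pins(chain_spkis: list, pins: set, user_added_root: bool = False) -> bool:
    """Pass if any certificate in the validated chain carries a pinned key.
    Chains anchored at a locally-installed root are exempt, which is exactly
    the corporate-MITM override discussed above."""
    if user_added_root:
        return True
    return any(spki_pin(spki) in pins for spki in chain_spkis)


# Constructed sample keys: the site's current key, its backup key, a public
# root, a rogue leaf minted by an intermediate CA, and a corporate root.
LEAF_SPKI = fake_rsa_spki(bytes([0xA1] * 256))
BACKUP_SPKI = fake_rsa_spki(bytes([0xB2] * 256))
PUBLIC_ROOT_SPKI = fake_rsa_spki(bytes([0xC3] * 256))
ROGUE_LEAF_SPKI = fake_rsa_spki(bytes([0xE5] * 256))
CORP_ROOT_SPKI = fake_rsa_spki(bytes([0xF6] * 256))
EMBEDDED_PINS = {spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)}

if __name__ == "__main__":
    print("genuine chain:", chain_matches_pins([LEAF_SPKI, PUBLIC_ROOT_SPKI], EMBEDDED_PINS))
    print("rogue via public CA:", chain_matches_pins([ROGUE_LEAF_SPKI, PUBLIC_ROOT_SPKI], EMBEDDED_PINS))
    print("rogue via local root:", chain_matches_pins([ROGUE_LEAF_SPKI, CORP_ROOT_SPKI], EMBEDDED_PINS, True))
```

The rogue certificate fails even though it chains to a trusted public root, which is what makes a leaked or misused intermediate detectable; only a root the user installed themselves bypasses the check.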