If I had to design a system to break TLS (and I had the authority of a secretive government agency), selected MITM attacks would be exactly what I would use.
Large-scale MITM attacks, i.e. ones against a huge section of the population, really have a lot of disadvantages. First, there are always cautious people who check certs religiously, sometimes with browser addons to help (in fact I see that peterwwillis linked to some below). So, if you execute a large-scale MITM effort, you run the risk of being discovered. Note that if the NSA can compel Google to turn over its secret key(s), this isn't an issue, but I am operating under the assumption that we don't want to give away our MITMing easily.
Second, broad MITMs require a lot of resources to be effective. To MITM all of Google's traffic requires network capacity equivalent to Google's, no small thing (though I suspect very much within the power of the NSA if it were deemed necessary). There's a lot of data on the internet at any one time.
Third, the fact that you must have physical servers on physical networks sitting between Google and the target means that the MITM server's IP address will be the one that targeted clients appear under. That is, if you have a single server MITMing thousands of requests, all of them will appear from the same IP address. That's another risk of being discovered if the MITM is too broad and the servers are too beefy. Although, this assumes that people on the other end are doing some sort of analytics --- maybe not true. But intel agencies are pretty paranoid, so whatever.
Fourth, it still pretty much gets the job done anyway, with less cost: passively sniff traffic for, say, DNS requests to resolve suspicious domains, or plaintext connections that have suspicious contents. Passive sniffing requires less computational power than actual MITMs, and it can be done without raising any red flags. Plus, even if you miss someone suspicious, just get an NSL for Google to hand over all the data anyway in the worst case.
Fifth, if an investigation ever were launched about my breaking of TLS, targeted attacks look great. See, we don't target the American people --- only specific connections that are "suspicious" are targeted. Broad-scale MITMs seem very illegal-wiretap-y, but the targeted connections look very legitimate, at least in comparison.
So, these reasons are why I've always held the belief that the government is not executing large-scale MITM/dragnet collection of encrypted communications ... and hence TLS is effective, so long as you're not the one being targeted.
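The third point above (a MITM box that re-originates connections makes thousands of clients appear to come from one source address) is the kind of thing a server operator can actually look for. What follows is an added example, not code from the commenter or from any real service: a small detector run over a constructed access log. The log format and the field names are assumptions, as is the idea that the TLS terminator logs a short fingerprint of each ClientHello (cipher suites and extensions); that extra field is what separates an interceptor from an ordinary large NAT gateway, which also funnels many accounts through one address but passes each browser's own ClientHello through untouched. A single interceptor speaks TLS with one stack for everyone, so its "many browsers" all share one fingerprint. The caveat another reply in this thread raises applies here: an attacker who sits transparently on every path and keeps the client's source address produces none of this signal.

```python
"""
Server-side detection of a re-originating TLS interception proxy.

Added example, not part of the original thread. The log below is
constructed; the format "<ts> <src_ip> <account> <client_hello_fp> <ua>"
and the ClientHello fingerprint field are assumptions about what the
TLS terminator records, not a real server's log format.
"""
from collections import defaultdict

SAMPLE_LOG = """\
2013-09-06T10:00:01Z 203.0.113.5 alice ff23 Mozilla/5.0 (Windows NT 6.1) Firefox/23.0
2013-09-06T10:00:02Z 203.0.113.5 alice ff23 Mozilla/5.0 (Windows NT 6.1) Firefox/23.0
2013-09-06T10:00:03Z 198.51.100.7 bob sf06 Mozilla/5.0 (Macintosh) Safari/6.0
2013-09-06T10:00:04Z 198.51.100.8 bob ff23 Mozilla/5.0 (Windows NT 6.1) Firefox/23.0
# A large NAT gateway: many accounts, but each browser keeps its own ClientHello.
2013-09-06T10:00:05Z 198.51.100.20 carol ff23 Mozilla/5.0 (Windows NT 6.1) Firefox/23.0
2013-09-06T10:00:06Z 198.51.100.20 dave cr29 Mozilla/5.0 (Windows NT 5.1) Chrome/29.0
2013-09-06T10:00:07Z 198.51.100.20 erin sf06 Mozilla/5.0 (iPhone) Safari/6.0
2013-09-06T10:00:08Z 198.51.100.20 frank cr18 Mozilla/5.0 (Android 4.1) Chrome/18.0
2013-09-06T10:00:09Z 198.51.100.20 grace ie10 Mozilla/5.0 (Windows NT 6.2) IE/10.0
# A re-originating interceptor: many accounts and browsers, one TLS stack.
2013-09-06T10:00:10Z 192.0.2.10 heidi ossl1 Mozilla/5.0 (X11; Linux) Firefox/23.0
2013-09-06T10:00:11Z 192.0.2.10 ivan ossl1 Mozilla/5.0 (Macintosh) Chrome/29.0
2013-09-06T10:00:12Z 192.0.2.10 judy ossl1 Mozilla/5.0 (Windows NT 6.1) Firefox/22.0
2013-09-06T10:00:13Z 192.0.2.10 mallory ossl1 Mozilla/5.0 (iPhone) Safari/6.0
2013-09-06T10:00:14Z 192.0.2.10 niaj ossl1 Mozilla/5.0 (Android 4.1) Chrome/18.0
"""


def parse_log(text):
    """Yield (src_ip, account, hello_fp, user_agent) for each connection line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, ip, account, fp, ua = line.split(None, 4)
        yield ip, account, fp, ua


def per_source_stats(text):
    """Aggregate connections, accounts, User-Agents and ClientHello fingerprints per source IP."""
    stats = defaultdict(lambda: {"conns": 0, "accounts": set(), "uas": set(), "fps": set()})
    for ip, account, fp, ua in parse_log(text):
        s = stats[ip]
        s["conns"] += 1
        s["accounts"].add(account)
        s["uas"].add(ua)
        s["fps"].add(fp)
    return stats


def flag_sources(text, min_accounts=4):
    """
    Classify busy source addresses (at least min_accounts distinct accounts).

    'shared_nat'  : many accounts, and the ClientHello fingerprints are as
                    varied as the claimed browsers, so clients are passed through.
    'interceptor' : many accounts and several claimed browsers, but a single
                    ClientHello fingerprint, i.e. one TLS stack speaking for all
                    of them, which is what a re-originating MITM looks like.
    """
    verdicts = {}
    for ip, s in per_source_stats(text).items():
        if len(s["accounts"]) < min_accounts:
            continue
        if len(s["fps"]) == 1 and len(s["uas"]) > 1:
            verdicts[ip] = "interceptor"
        else:
            verdicts[ip] = "shared_nat"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(flag_sources(SAMPLE_LOG).items()):
        s = per_source_stats(SAMPLE_LOG)[ip]
        print(f"{ip:14} {verdict:12} accounts={len(s['accounts'])} "
              f"uas={len(s['uas'])} hello_fps={len(s['fps'])}")
```

Treat a hit as a lead rather than proof: a corporate egress proxy that legitimately terminates TLS for its users produces the same "one fingerprint, many browsers" pattern, so the next step is to check whether that address belongs to an organisation that is known to run such a proxy.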
If a MITM attacker is confident they control all paths between a server and a victim, they need not alter IP addresses on packets in transit. To pull this off, the attacker must be near the victim (e.g. compromise a broadband router), thereby reducing the number of targets, or near the server (e.g. compromise every link into a multihomed datacenter), thereby reducing the number of sites intercepted.