
I wish CNET didn't write this article like they thought they were CNN or USA Today. What are we supposed to make of the phrase "master keys"? It doesn't seem like they are talking about root CAs. Is it really practical to try to collect and use all of the multitude of last-link-in-the-chain endpoint certificate keys? Those seem to change quite often and can be quite numerous. Demanding sub-CA or company-wide middle-chain keys would seem to be more manageable, but that would suggest both that they're really worried about people watching for signing chain anomalies, since presumably they have at least a few root CA privates, and that they are willing to sit in the middle rewriting traffic.

Perhaps this is a response to growing use of certificate pinning? Facebook apparently has joined Google in using pins, and I was recently told that Microsoft is enabling pinning as an option in EMET4. But if that was the issue, that would tend to suggest they had been previously accustomed to rewriting some of these providers' traffic with unlikely root CAs, something which people have been keeping an eye out for and to my knowledge has never been caught in the wild.


