Forged Certificates are not the Problem
There have been a number of occurrences where forged web certificates have been employed, usually by foreign governments, to impersonate well-known and popular web services. In a few instances, hackers have also obtained fraudulent certificates in an effort to distribute signed malware. All of these bad certificates have been discovered fairly quickly with minimal consequences.
However, with the capabilities of NSA, and maybe certain other nation states' intelligence agencies, the problem has shifted. NSA can steal a duplicate of the real certificate and deploy it on one of their proxy servers, making for a very effective man-in-the-middle, with no means of detection and full capability to decrypt all encrypted 2-way traffic between any client and the impersonated server. How is this possible? They steal the private key for the server and then copy the server certificate and install it on their proxy. It is highly likely that the private key can be extracted even when a Trusted Processing Module (TPM) is in use.
Protection of Web Server Keys
A Certificate Authority server uses a special external hardware security module that provides additional protections beyond those available to a TPM, especially when coupled with correct operating procedures. These specialized modules are rarely used on web servers, though some servers that are used exclusively for payment processing may use a specialized version of this hardware. However, a web server could easily make use of a smartcard and an external card reader, where all encryption using the server key is done on the smartcard. The load for this on a web server using Perfect Forward Security should not be too heavy.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.