The Atlantic Wire spoke by phone with the Electronic Frontier Foundation's Micah Lee, who previously helped us put together our guide to hiding from the NSA. In that guide, Lee warned about man-in-the-middle attacks, but pointed out (as he did on Friday) that it was hard to do such things at a wide scale. Unlike other forms of surveillance, MITM attacks are generally (but not necessarily) detectable.

To understand why, we need to get a little more into the details. When a user requests information from Google, Google uses Secure Sockets Layer (SSL) to protect the data. SSL requires bits of data called "keys" in order to encrypt the conversation; those keys are certified as valid — as being from Google — by a certificate authority. In order to carry out the attack, Lee explains, "the attacker would make their own SSL key and their own certificate and get an authority to sign the certificate." In other words, they need someone to provide the technical validation that the SSL key the NSA is using is from Google, even though it isn't. (There are exceptions, which we'll get to below.) There are hundreds of certificate authorities, and it only takes one to sign off on a false certificate to undermine the system.

This is why it's hard to bring the attack to scale, though. The NSA can't easily do this with everyone if it's using a forged certificate, because the certificate used for the SSL is public information. If you've been communicating securely with Google for months and then suddenly the certificate changes, you may be subject to a man-in-the-middle attack. There are enough technically savvy people in America to detect that change, as Lee notes.

So what can you do to protect yourself? Lee offered a few suggestions. As part of our original guide to foiling surveillance, he offered the EFF's SSL Observatory. It tracks the SSL certificates being used to encrypt traffic on the web and — while it doesn't do this yet — can in the future warn you of such certificate changes. Lee also suggested Convergence, a plug-in for Firefox that replaces the closed certificate system. As we noted in our coverage of how the NSA compromised encryption, using open source tools (like Convergence) instead of closed ones (like the certificate authorities) allows review by multiple parties of what's happening. It's Jane Jacobs applied to tech: more eyes make safer neighborhoods.

Another option: Glenn Fleishman, a journalist who writes about technology, wrote a prescient article in the wake of the NSA encryption revelations. In it, he discussed certificate authorities, and recommended the Perspectives Project, which similarly offers a plug-in allowing you to accept only certificate authorities you trust, or authorities trusted by those you trust.

If you don't use Firefox, another option: Google Chrome. Lee and Fleishman both note that Chrome includes "certificate pinning." Lee explains: "It hard-codes certificates for google.com and other domain names [in the browser]. … So if you're using Chrome and you get a man-in-the-middle attack by the NSA, Chrome knows what certificate to trust."
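As an added illustration (not code from Chrome, the EFF or any tool named here), the Python below applies both checks described above: a certificate hard-coded into the client, and a remembered certificate that suddenly changes. The class name, status strings and sample certificate bytes are constructed for the example, and it fingerprints the whole certificate as a simplifying assumption.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificate data).
CERT_USUAL = b"constructed-der-bytes: usual certificate for google.com"
CERT_OTHER = b"constructed-der-bytes: different certificate for google.com"
CERT_SITE = b"constructed-der-bytes: certificate for example.org"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


class CertWatcher:
    """Classifies each presented certificate against pins and prior sightings."""

    def __init__(self, pins=None):
        # pins: host -> set of fingerprints shipped with the client (hard-coded).
        self.pins = {h: set(v) for h, v in (pins or {}).items()}
        # seen: host -> fingerprint remembered from the first connection.
        self.seen = {}

    def check(self, host: str, der: bytes) -> str:
        host = host.lower().rstrip(".")
        fp = fingerprint(der)
        if host in self.pins:
            # Pinned host: a CA-signed but unexpected certificate is still rejected.
            return "pin-ok" if fp in self.pins[host] else "pin-mismatch"
        previous = self.seen.get(host)
        if previous is None:
            self.seen[host] = fp  # nothing to compare against yet
            return "first-seen"
        # Keep the original fingerprint on a change so the alert repeats
        # until a person decides whether the new certificate is legitimate.
        return "unchanged" if fp == previous else "changed"


def demo():
    watcher = CertWatcher(pins={"google.com": [fingerprint(CERT_USUAL)]})
    return [
        watcher.check("google.com", CERT_USUAL),
        watcher.check("google.com", CERT_OTHER),
        watcher.check("example.org", CERT_SITE),
        watcher.check("example.org", CERT_SITE),
        watcher.check("example.org", CERT_OTHER),
    ]


if __name__ == "__main__":
    print(demo())
```

To check a live server instead of the constructed bytes, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` as `der`.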