
But a MitM exploit is an active attack that requires control of a network over which the traffic passes, and it is detectable (for the specific case of Chrome and Google sites, trivially so).

Access to the master keys for an SSL/TLS session isn't like that at all. They could retroactively capture, archive, and decrypt any traffic to the site at all with nothing but the undetectable network taps we already believe they have.

That said: the linked article is talking about "legally" compelling Google et al. I don't think that's the only tool in the box. Surely someone at each of these companies has access to the private keys and can be coerced via an appropriate bribe (which at the scales we're talking about could be staggeringly large!) or blackmail attempt to provide it "illegally".



> Access to the master keys for an SSL/TLS session isn't like that at all. They could retroactively capture, archive, and decrypt any traffic to the site at all with nothing but the undetectable network taps we already believe they have.

They can't in every case, especially for Google, who use a newer SSL that supports perfect forward secrecy. You are completely correct in the differing magnitudes of attack detectability though.


That's only true of Google traffic as of late 2011.

So historical SSL data captured anywhere between, say 2002 - 2011, could still be decrypted with these keys, right?


Right.

I believe that Google has changed them several times even in the last few years though, so it could be that even they don't have access to the old static keys anymore.


Are there good links you can recommend for implementing SSL with perfect forward secrecy?



Yes, but if caught Mr. Rogue Employee Who Wants To Get Rich would now be facing federal felony charges (or state felony charges, if FedGov declines to prosecute). I suppose anything is possible, but Google employees in positions of high trust tend to be very well-compensated, and presumably the company has thought of this threat post-China intrusions and adopted the appropriate countermeasures.

Also, as another comment points out, Google uses PFS, so Apple, Yahoo, Microsoft, etc. are better targets for this type of insider attack.
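
The forward-secrecy distinction discussed in this thread, as an added example that is not part of any comment: a Python `ssl` server context restricted to ephemeral ECDHE key exchange, plus a check that flags suites whose recorded traffic could be decrypted after a later key disclosure. The function names and the sample cipher list are constructed for illustration; certificate loading is assumed to happen elsewhere.

```python
import ssl

FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe")  # ephemeral Diffie-Hellman variants


def lacks_forward_secrecy(ciphers):
    """Return names of suites whose past sessions fall to a later leak of the long-term key.

    `ciphers` has the shape returned by ssl.SSLContext.get_ciphers().
    """
    weak = []
    for c in ciphers:
        if c["protocol"] == "TLSv1.3":
            # TLS 1.3 removed static RSA key exchange; full handshakes use (EC)DHE.
            continue
        if c["kea"] not in FORWARD_SECRET_KX:
            weak.append(c["name"])
    return weak


def hardened_server_context():
    """Server context whose TLS 1.2 suites all use ephemeral ECDHE key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    # Assumption: a real deployment also calls ctx.load_cert_chain(...) here.
    return ctx


# Constructed sample of what a legacy server configuration might offer.
LEGACY_SAMPLE = [
    {"name": "AES128-SHA", "protocol": "SSLv3", "kea": "kx-rsa"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "TLS_AES_128_GCM_SHA256", "protocol": "TLSv1.3", "kea": "kx-any"},
]

if __name__ == "__main__":
    print("legacy, no forward secrecy:", lacks_forward_secrecy(LEGACY_SAMPLE))
    hardened = hardened_server_context().get_ciphers()
    print("hardened, no forward secrecy:", lacks_forward_secrecy(hardened))
```
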



