Pardon me for being cynical about this, but from what we've heard about NSA hacking and industry collaboration I would say it's highly likely that a large number of the Certificate Authorities themselves are compromised by the NSA or GCHQ and so it renders the question moot. 4 Certificate Authorities control > 90% of the market, 3 of them based in the US and 1 in the UK. With access to the CAs' keys they can sign any number of certificates they want.
Yes, but using a counterfeit certificate requires a much more active, targeted, and potentially-discoverable attack.
With a counterfeit cert, you could pretend to be a target's email host, for example. But you'd need to be an active man-in-the-middle, and you'd only see information during the sessions you actively hijack. The target, or anyone else you mistakenly man-in-the-middle, might notice the changed certificate/authority, thus sounding alarms or clamming up.
If exploiting Heartbleed, in contrast, you'd be taking arbitrarily-many random samples of the email host's private memory, in a manner that even the email host's typical logging would not notice. Over time, you'd likely get many login credentials, app and SSL session keys, and possibly even the site's authentic certificate private key – that's something that even a faithless Certificate Authority can't cough up. (They can certify a fake private key... but they don't have their customers' true private keys.) At that point, unless PFS is enabled, all past and future SSL sessions could be decoded via passive eavesdropping.
So if you had a choice between several collaborating CAs or most of the internet running buggy OpenSSL, you'd pick the buggy OpenSSL. And if you had both, you might very well use the Heartbleed bug more often, because it's both less detectable and more likely to offer bulk data for analysis.
My CA can create a "twin-me" cert that can be used in the future to impersonate me in an active, targeted attack.
Heartbleed can obtain my keys, which can be used to passively decode traffic that they recorded a long time ago; and they can do that as random untargeted fishing at scale.
Pardon me for being realistic, but I would say exactly the opposite. If the CAs were compromised, that would be the biggest story by far in Snowden's documents, and it would have appeared in the newspapers by now.
I would say they are compromised just by watching Moxie Marlinspike's presentation about the shitty state of CAs and how he was able to find signing certs just lying around in unprotected directories: https://www.youtube.com/watch?v=Z7Wl2FW2TcA
The Snowden documents (that have been released) were actually very light on technical information. The real details of how BULLRUN works are probably compartmentalized to a very small group of people and not accessible to a random sysadmin.
So it is entirely possible that CAs have been compromised and Glenn Greenwald and the rest of those with the Snowden cache have no idea.
As I commented yesterday on HN, if this ever came to light, it would be the Internet's version of a "Lehman Brothers" style collapse.
Thinking about it more, it would actually be awesome. The cabal of CAs would fall and hopefully a bulletproof distributed system model would eventually replace this snakeoil industry.