This paper introduces the compelled certificate creation attack,
in which government agencies may compel a certificate authority
to issue false SSL certificates that can be used by intelligence
agencies to covertly intercept and hijack individuals' secure
Web-based communications. Although we do not have direct evidence
that this form of active surveillance is taking place in the wild,
we show how products already on the market are geared and marketed
towards this kind of use, suggesting such attacks may occur in the
future, if they are not already occurring. Finally, we introduce a
lightweight browser add-on that detects and thwarts such attacks.