
> One big question is why they didn’t just get a CA to make them their own.

Isn't this because if they did, they could be detected by any user? And the CA could lose their CA status in browsers for improperly issuing a certificate?



There's that, but there's also the laziness angle. Why go with a complicated, detectable technical solution when you can send out an NSL and have someone else do the heavy lifting for you? I strongly suspect Lavabit's reaction wasn't in any way expected.


It would only be detected if the Lavabit certificate was pinned by the browser. Otherwise the browser trusts the CA.


You're right, but if even one person uses certificate pinning, they could make a post somewhere saying "hey, Lavabit's SSL certificate just changed, any thoughts?" and others may suspect that something fishy is going on. Especially if it were to occur after the NSA leaks.


If you're referring to an MITM attack, then the attacker could intercept the connection (establishing SSL under its own certificate) only when attacking the specific target. The target himself would need to notice that the certificate fingerprint changed.
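An added example, not part of any comment in this thread: a trust-on-first-use fingerprint pin kept by each client, showing why a substituted but CA-trusted certificate is noticed only by the client whose connection was intercepted. The `PinStore` helper, the host name `mail.example` and the certificate byte strings are constructed for illustration.

```python
import hashlib


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Per-client trust-on-first-use pin store (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint recorded on first contact

    def check(self, host: str, der_cert: bytes) -> str:
        seen = fingerprint(der_cert)
        pinned = self._pins.get(host)
        if pinned is None:
            self._pins[host] = seen  # nothing to compare against yet
            return "first-seen"
        # CA validation alone would accept either certificate; only the
        # comparison with the remembered fingerprint reveals the swap.
        return "match" if pinned == seen else "changed"


# Constructed placeholder bytes standing in for DER certificates. A real
# client would obtain them with ssl.SSLSocket.getpeercert(binary_form=True).
ORIGINAL_CERT = b"constructed-der-bytes: original server certificate"
SUBSTITUTE_CERT = b"constructed-der-bytes: different certificate, also CA-signed"


def simulate() -> dict:
    """Two clients pin the same host; only one is later shown a new cert."""
    targeted, bystander = PinStore(), PinStore()
    host = "mail.example"  # assumed host name
    return {
        "targeted_first": targeted.check(host, ORIGINAL_CERT),
        "bystander_first": bystander.check(host, ORIGINAL_CERT),
        # Only the targeted client's connection presents the substitute.
        "targeted_later": targeted.check(host, SUBSTITUTE_CERT),
        "bystander_later": bystander.check(host, ORIGINAL_CERT),
    }


if __name__ == "__main__":
    for step, status in simulate().items():
        print(f"{step}: {status}")
```

A "changed" result is a signal to investigate rather than proof of interception, since servers also rotate certificates legitimately.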



