This should probably be a series. How many times have you read an article written by a "specialist" in some domain that you happen to know a bit about, only to realise that it's crap? Crap that many people will read and believe.
Today I was sent this post titled "How the NSA, and your boss, can intercept and break SSL" by Steven J. Vaughan-Nichols. The short answer is: No.
This is what he writes:

"There are many ways to attack SSL, but you don't need fake SSL certificates, a rogue Certification Authority (CA), or variations on security expert Moxie Marlinspike's man-in-the-middle SSL attacks. Why go to all that trouble when you can just buy a SSL interception proxy, such as Blue Coat Systems' ProxySG or their recently acquired Netronome SSL appliance to do the job for you?"

The less short answer is: Because you'd have to install your appliance's CA on every system you'd like to snoop on. And that's not even the most complicated part: you'd also have to make sure that the only traffic you intercept through your proxy originates from browsers that trust your CA, because all the others will get a scary warning, and among their users someone might actually have a clue.
In simpler terms, root CAs don't magically get installed to everyone's browser just because you throw money at BlueCoat.
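The trust decision described above, reproduced with the openssl CLI as an added example (not from the original post or the article it criticises). The CA names, the host www.example.test and the helper function names are constructed for the demo, and the check covers chain validation only, not hostname matching.

```shell
#!/bin/sh
# Constructed demo: CA names and www.example.test are made up for illustration.

# make_ca <basename> <common-name>: create a self-signed root CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# issue_leaf <ca-basename> <host> <out-basename>: server cert signed by that CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$3.pem" 2>/dev/null
}

# client_verdict <trust-store.pem> <leaf.pem>: chain validation only
# (no hostname check), printing what a client with that store would do.
client_verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

run_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  make_ca public_root "Constructed Public Root"   # stands in for a browser-trusted CA
  make_ca proxy_ca "Constructed Proxy CA"         # stands in for the appliance's CA
  issue_leaf public_root www.example.test genuine   # what the real site serves
  issue_leaf proxy_ca www.example.test resigned     # what the proxy serves instead
  # A managed machine has had the proxy CA added to its store; others have not.
  cat public_root.pem proxy_ca.pem > managed_store.pem
  echo "unmanaged client, genuine cert: $(client_verdict public_root.pem genuine.pem)"
  echo "unmanaged client, proxy cert: $(client_verdict public_root.pem resigned.pem)"
  echo "managed client, proxy cert: $(client_verdict managed_store.pem resigned.pem)"
  cd / && rm -rf "$d"
)

run_demo
```

Only the client whose store was explicitly given the proxy CA accepts the re-signed certificate; every other client rejects it, which is the warning the post refers to.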
A well-worded comment on his article explains this to him. Yet the author did not correct his post, and meanwhile some comments reply with even more crap. (If you managed to get certificates signed by a trusted CA, then you don't need BlueCoat.)
What you'd actually need: fake SSL certificates, a rogue Certification Authority (CA), or variations on security expert Moxie Marlinspike's man-in-the-middle SSL attacks.
Steven J. Vaughan-Nichols, your article is crap. Good Day... .. . I said Good Day !!!