In the case of Netronome's SSL Inspector, if the device replaces bankofamerica.com's server certificate in the SSL handshake, the new certificate does _not_ have CN=bankofamerica.com. It is also not signed by a root CA. Hence, Alice should be fully aware of the man-in-the-middle and could choose whether or not to send confidential data on that SSL connection.
In contrast, the article about Packet Forensic's device implies that the man-in-the-middle can possess a private key and certificate with CN=bankofamerica.com. Matt Blaze seems to imply that this is already happening. I have not seen a confirmation of such a case.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto