See Law Enforcement Appliance Subverts SSL
"The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there."
“If company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,”
I have limited exposure if somebody gets my credit card. But I also use Firefox for online banking and filing tax returns. Are there any practical (i.e. not for people wearing tin foil hats) precautions I can take to reduce my risk? The article mentions that one of the trusted root authorities in Firefox was caught last summer secretly uploading spyware onto 100,000 customers’ Blackberrys.
New Research Suggests That Governments May Fake SSL Certificates (from EFF) states: "These attacks are not technically difficult; surveillance companies like Packet Forensics sell tools to automate the process, while security researchers like Moxie Marlinspike have publicly released tools that do the same. All that's needed to make the attack seamless is a false certificate."
"Soghoian and Stamm also observe that browsers trust huge numbers of CAs — and all of those organizations are trusted completely, so that the validity of any entity they approve is accepted without question. Every organization on a browser's trusted list has the power to certify sites all around the world. Existing browsers do not consider whether a certificate was signed by a different CA than before; a laptop that has seen Gmail's site certified by a subsidiary of U.S.-based VeriSign thousands of times would raise no alarm if Gmail suddenly appeared to present a different key apparently certified by an authority in Poland, the United Arab Emirates, Turkey, or Brazil. Yet such a change would be an indication that the user's encrypted HTTP traffic was being intercepted.