This is a clever attack in several ways. If you can create and get a program/device to accept a false signing certificate, you bypass having to break a company’s encryption altogether. The program trusts your fake certificate and creates a secure connection to your backend, using your encryption, thinking it’s transmitting information back to the targeted company. Also, analytics data doesn’t have to be sent and received in real time, so a significant delay in gather and receive times may not tip off the targeted company to the attack.

None of this is a walk in the park, but it’s something like ten orders of magnitude easier than breaking the targeted company’s encryption stream on a live session to seamlessly hack it in real time, which is the sort of God-level hacking limited to those with NSA-level computing power, or fictional characters. ...

That Zuckerberg himself is (allegedly) directly implicated in deliberately breaking federal law is pretty breathtaking. He could be looking at serious jail time. Or would be, if he weren’t such a big Democratic Party Donor.