Q: You're a smart black-hat. How do you quickly and easily break into a HTTPS secure connection?
A: You don't. You attack the underlying HTTP instead. It's a softer target.
"People only encounter HTTPS via HTTP, so maybe we can think about starting by attacking HTTP," he said. "Normally, if we're doing man-in-the-middle attacks against SSL, we go straight for SSL, straight after that connection. But if SSL depends on this other protocol, why don't we look at that first?"