Comment Re:Network-based IPS and IDS are obsolete (Score 1)
Sure it can. You just push a new root certificate to your devices and intercept away.
Issuance of a bogus certificate to fool one of the parties to an SSL conversation is called a Man-in-The-Middle attack, which is fraudulent conduct: pushing a fraudulently issued certificate document claiming to be the other party, and claiming that this false thing was the other party's key.
This is nothing to base a security model on, as the attack actually compromises encrypted data --- the parties to a legitimate conversation have no way of knowing who the "security appliance" will be leaking the sensitive information contained in their encrypted conversation to.
Whoever put the code into production should be going to jail. There is no mitigating circumstance against falsely issuing a certificate and presenting it claiming to be someone else's domain name.
It doesn't matter whether you are a global CA, an Enterprise CA, or someone's given you a locally trusted root... anyone doing such is going to be going to jail, and again, nothing to base an IPS or IDS on.
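The mechanism the two posters are arguing about, as an added example that is not part of the thread or of any product it discusses: once a proxy's root is pushed to a device, the proxy's certificate for example.com verifies exactly like the genuine one, and only a check tied to the real server's key (a pin) tells them apart. The function names, the two CAs and all keys here are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for name signed by parent/parentKey; a nil parent means a self-signed root. Keys are generated here (constructed demo material, no real CA).
func issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed root: it signs itself with its own key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	} else { // server leaf for the given host name
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainValid is the ordinary client check: any chain for host that ends at a trusted root passes.
func chainValid(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// pinMatches compares SubjectPublicKeyInfo hashes, so a substituted key fails no matter which roots the device trusts.
func pinMatches(presented, genuine *x509.Certificate) bool {
	return sha256.Sum256(presented.RawSubjectPublicKeyInfo) == sha256.Sum256(genuine.RawSubjectPublicKeyInfo)
}
// scenario: a public CA, an enterprise proxy root pushed to devices, the genuine example.com cert and the proxy's forged one.
func scenario() (forgedOKWithProxyRoot, forgedOKWithPublicRoot, forgedPassesPin bool) {
	publicCA, publicKey := issue("Public CA", nil, nil)
	proxyCA, proxyKey := issue("Enterprise Proxy CA", nil, nil)
	genuine, _ := issue("example.com", publicCA, publicKey)
	forged, _ := issue("example.com", proxyCA, proxyKey)
	return chainValid(forged, proxyCA, "example.com"), chainValid(forged, publicCA, "example.com"), pinMatches(forged, genuine)
}
func main() { fmt.Println(scenario()) } // prints: true false false
```

The first result is the situation the thread describes: with the pushed root installed, the client cannot tell the forged chain from a real one; the third shows that a pinned key, not the trust store, is what exposes the substitution.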