of course carnivore has no problem decrypting SSL.
Source, please.
I do not think that carnivore is doing that, but SSL is not resistant to the man-in-the-middle attack. The problem here is in the lack of any useful certificate validation support. How many users actually check that site certificate indeed belongs to whoever is identified as the site owner on the Web pages? (Plus, it depends on the security of certification autority's private keys, their public parts being non-revokable, because they are bundled with browser software. I have a little doubt that it is all too easy for law enforcement to obtain these keys if they need to. Interests of my privacy definitely do not match interests of RSA Cert. Auth., Inc, a commercial entity. Of course, i have no proof that this happened, but I have no reason to trust that it didn't happen, too.) --vadim