Short story: SSL can only protect you from other peers on your network. An attacker simply intercepts your handshake, and pretends to be the site you intended to connect to. You will never have any idea if this happened. This attack isn't limited to just government actors, and can be performed by the 'generally curious' that have a lot of spare change on hand (which allows plausible deniability and outsourcing risk for (((state sponsored))) snooping programs). No VPN that uses SSL for tunneling actually provides any measure of security.
Background: Like most anti-government technologies (of which web traffic encryption was originally, a la (((Aaron Swartz))) ), they are eventually coopted, by marketing the backdoor (and the technology itself) via 'fear of thine neighbor' (or, in this case, fear of scammers). The whole system is predicated on trust (which is an inherently flawed concept), and uses a so-called 'chain of trust', based on entities called Certificate Authorities (CAs).
In essence, these CAs tell you that they certify a website is who they claim to be, and you trust them. The irony is that the very system designed to prevent MITM attacks (by non-state poor people) allows MITM attacks (by state actors/non-poor people).
The how: For state actors (or otherwise-(((sponsored))) actors), CA's will directly issue you certificates (i.e. Symantec. They've been caught multiple times, but nobody cares) - it usually also requires assistance from DNS servers, but these dragnets are entirely transparent and, for all practical purposes, impossible to detect.
For non-state actors, you need to control an intermediate certificate. Since there are a metric assload of these, it is hard, but not impossible, for an end user to know which ones are used maliciously and to manually distrust them. However, just like with state-sponsored snooping, you will never know you are being attacked when the attack is in progress.
Why do these backdoors exist in the first place: On paper, because of something called CALEA, a law which literally compels all telecommunications providers to put backdoors (termed 'CALEA compliance solutions') in their systems for the government. These backdoors aren't exclusively for government use, of course, and they likely existed before the legislation that compelled them, but it is their excuse for now.
Why have I never found/seen/read about this before: Because they are smart. They named it 'SSL Inspection' (as opposed to 'SSL snooping', 'HTTPS spoofing', etc), which means you will never find it with a search engine unless you know exactly the right search terms to look for. It is a form of reverse-search engine optimization (rSEO).
Why does this matter?:
- Because no site you browse to on the clear web is safe from even your company IT department
- Because your VPNs are all based on HTTPS encryption, which is easily MITMed. Because even when you use HTTPS over HTTPS, state actors can still easily (i.e. with minimal computational power required) read everything sent over the tunnel.
- Because people still think that VPNs actually provide some measure of security from their governments (as I found out in the comments of this post when people kept asking for 'safe' VPNs)
Companies offering pre-packaged solutions for silently decrypting HTTPS tunnels:
- Fortigate (this page is literally an ad explaining why you should use SSL inspection)
- Zscaler
- There are a ton of others, but you get the point.
Edit: OpenVPN, which drives most VPNs, uses SSL authentication, which is vulnerable. VPNs using IPsec are similarly vulnerable, but differ in the details.
Edit: Guys, only inspection solutions that aren't their own CA need certs to be manually added. Any 'inspection' service provider who is also a CA (e.g. Verisign, Comodo, Globalsign et al.) is its own CA and doesn't need you to modify trust repos to work.
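Added example, not part of the original post: a defender-side check for the inspection products described above, which re-sign every site's certificate with their own CA. It compares the certificate seen on the network under test with the one seen over an independent path and reports any issuer that replaces the leaf on several unrelated hosts. The host names, issuer names, fingerprints and the `local`/`reference` labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (host, vantage, issuer CN, leaf SHA-256 prefix).
# "local" = network under test, "reference" = independent out-of-band path.
OBSERVATIONS = [
    ("mail.example", "reference", "Public CA A", "a1f3"),
    ("mail.example", "local", "Corp Inspection CA", "9c02"),
    ("bank.example", "reference", "Public CA B", "77de"),
    ("bank.example", "local", "Corp Inspection CA", "41ab"),
    ("news.example", "reference", "Public CA C", "5d10"),
    ("news.example", "local", "Corp Inspection CA", "e7f4"),
    # Same issuer, different leaf: ordinary rotation or a CDN edge certificate.
    ("cdn.example", "reference", "Public CA A", "c9e0"),
    ("cdn.example", "local", "Public CA A", "0b6d"),
    # Issuer differs on one host only: the site may simply use two CAs.
    ("shop.example", "reference", "Public CA B", "3e58"),
    ("shop.example", "local", "Public CA C", "f21a"),
    # Only one vantage point recorded: nothing to compare against.
    ("wiki.example", "local", "Public CA A", "8d44"),
]


def find_interception(observations, min_hosts=2):
    """Return {issuer: sorted hosts} for issuers that replace the reference
    leaf certificate on at least `min_hosts` distinct hosts."""
    views = defaultdict(dict)
    for host, vantage, issuer, fingerprint in observations:
        views[host][vantage] = (issuer, fingerprint)

    replaced = defaultdict(set)
    for host, seen in views.items():
        if "local" not in seen or "reference" not in seen:
            continue  # cannot compare with a single vantage point
        (l_issuer, l_fp), (r_issuer, r_fp) = seen["local"], seen["reference"]
        # Require both a different leaf and a different issuer; a new leaf
        # under the same issuer is normal rotation and is not counted.
        if l_fp != r_fp and l_issuer != r_issuer:
            replaced[l_issuer].add(host)

    # One issuer standing in for many unrelated sites is the signature of a
    # re-signing proxy; a single mismatch stays below the threshold.
    return {i: sorted(h) for i, h in replaced.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for issuer, hosts in find_interception(OBSERVATIONS).items():
        print(f"{issuer} re-signs: {', '.join(hosts)}")
```

In practice the observations would come from recording the presented chain on each path; the comparison only works if the reference path is not subject to the same interception.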