Comment by dragonwriter

> BTW, a much simpler way to get the SSL keys

SSL keys are not the target, the data is the target. SSL keys change over time, and you still need to monitor the actual encrypted data; tapping the data where its sent in cleartext is actually simpler, if you have the capability to do it, than infiltrating a spy into the dev team, having them compromise the system without being detected, getting the SSL keys, and monitoring all the encrypted comms.