by nitrogen 4002 days ago
Mass surveillance can probably be turned into mass MITM. As tptacek said, intercept mail, alter link to point to attacker-owned server or account, proxy messages via the original link. An intermediate Rails developer could put it together with a couple of gems.

However, that requires a compromised client, a compromised cert, or a compromised CA. While all of those are possible, they do substantially raise the bar in terms of who may have the capabilities.

It's a classic tradeoff in terms of who you care about being secure against and how badly you want it.

If the client is compromised then the MITM can be performed on the client itself. And barring that, wouldn't the cert or the CA have to be compromised in order to intercept the message at all?
If the original message is delivered via SMTP, it's supposedly fairly easy to force unencrypted SMTP if you have a MITM. Then you can just rewrite the URL in the message to a domain for which you have a valid cert, or rewrite it to use http instead of https and intercept/proxy the http requests.