by vidarh 4002 days ago
However, that requires a compromised client, a compromised cert, or a compromised CA. While all of those are possible, they do substantially raise the bar in terms of who may have the capabilities.

It's a classic tradeoff in terms of who you care about being secure against and how badly you want it.

1 comments

If the client is compromised then the MITM can be performed on the client itself. And barring that, wouldn't the cert or the CA have to be compromised in order to intercept the message at all?
If the original message is delivered via SMTP, it's supposedly fairly easy to force unencrypted SMTP if you have a MITM. Then you can just rewrite the URL in the message to a domain for which you have a valid cert, or rewrite it to use http instead of https and intercept/proxy the http requests.