Re: ISP's are the keyholders
Funny how it's doable in practice. It's detectable*, if you know what you're looking for - and thankfully browsers have stepped this up a little - but proxying TLS connections in this fashion is absolutely possible. The key is to control the entire negotiation process instead of trying to intervene in one that's already started.
You can not simply insert yourself mid stream to an extant session. You can, however, cause the client to negotiate the TLS connection with your MITM proxy while your proxy negotiates a TLS session with the target site.
All the client traffic goes from the client to you whereupon you decrypt, sniff the traffic and forward on down the next TLS session to the target site.
Yes, it requires that you have a certificate that the client trusts. And ideally you would be able to spoof the site in question with this cert so that if your client thinks they are contacting bob.com they don't end up with a trusted cert from proxysrus.com.
But this is really just a discussion about root certification trusts at this point, and we all know that the entire cert authority system is pretty broken.
So I'm back to: if you can insert yourself between the two endpoints you can MITM TLS connections. It takes some effort, some creativity and some illegality, but it's absolutely doable. Innumerable corporate security products rely on exactly this, as do various state-level spying initiatives.
The difference between them is merely how they go about obtaining trusted root cert status.
*A great tool for this is the add-on Cert Patrol for Firefox. It will let you see when certs for a site have changed, even if they're "valid" re: root certs. Of course, a lot of companies with large infrastructures change certs regularly, or even deploy multiple valid certs from multiple valid providers! This practice makes MITM attacks all the more viable, especially for large/popular sites, and it also makes it harder to detect in practice because you become immune to Cert Patrol warnings after a few days.