What you say is very true; however, when you say that SSL prevents MITM attacks, you are assuming that “their browser” always lives entirely within the device.
If their browser has code operating on the device and in the cloud, then their browser won't generate certificate warnings, because there isn’t a man-in-the-middle between their browser and the site; there’s a man-in-the-middle between the device in your hands and the site.
It would be insecure against Amazon snooping or modifying the communication, but still generate the appropriate warnings about bad certificates.
I think the answer is, run “off-cloud” when you want privacy from Amazon.
Yes, I hadn't considered that possibility. The picture in my mind was some sort of hybrid operation where some of the work was offloaded, in which case you would still have to properly support device-to-site SSL links.
So I guess the issue of privacy still remains up in the air. I was hoping to be an early adopter of this, but I think I'll wait to see how the SSL via Silk situation pans out before putting down cash.