Also, hardware HSM is vulnerable to the "SSL added and removed here! :-)" attack, is it not?
"Dear Mr. Levison, remember that law about pen registers that you clearly hadn't heard off last time around? Well, now that you understand them, please install a pen register on the other side of your fancy FIPS 140-2 hardware security device, and have it send us everything in .pcap format. You don't need to reconfigure your HSM for this, and in fact any attempt to do so is now tampering with evidence in a federal investigation. Cheers, the FBI."
"Dear Mr. Levison, remember that law about pen registers that you clearly hadn't heard off last time around? Well, now that you understand them, please install a pen register on the other side of your fancy FIPS 140-2 hardware security device, and have it send us everything in .pcap format. You don't need to reconfigure your HSM for this, and in fact any attempt to do so is now tampering with evidence in a federal investigation. Cheers, the FBI."