It is secure as a man-in-the-middle attack. He doesn't have to act as a proxy, but if he can capture and reconstruct the end results of the transmitted data.. it's not all that secure. It's because the key creation, unless certs are used on the client end, is negotiated, and the negotiation can be replayed. If a client and a server both have certs, then they'll use PKI... similar to GPG/PGP in effect.