[rocqua]

It could be shown client-side whether an SSL connection uses a locally installed root CA or a globally trusted CA.

This way, an employee could see whether their employer is MitM-ing their connection to FB / reddit.com / pornhub / their bank. Based on this, they could complain to their employer for unreasonable MitMing, and serve as a weak detection point for compromise of the company root CA.

[jrockway]

You can't trust your client. The IT department will just push a browser that says "you're using the root CA for this connection" while actually using the MITM CA.

Maybe you'll download your own Chrome, but that silently gives you their hacked version. The SHA256sum on their website has also been tampered with. Fine, you say, you'll download the source code and compile it yourself. But the compiler has been tampered with to detect when it's compiling Chromium, and adds the IT department's hacks.

You cannot trust a client you do not fully control.

[Dylan16807]

That's a separate issue, because a completely custom browser can intercept even without a MitM on the connection.

Sometimes you either have your own device or you trust your employer to not directly lie to you.