by tialaramex 2134 days ago
One of the fun things that happens with HTTPS proxies is people desire a policy that only spies on some things people do, and the people making these middleboxes (who are concerned first and foremost with selling a product, not with whether that product works or even if such a product could in principle work) are eager to offer that.

This can't work, but having sold it/bought it, there's a lot of pressure to make it work.

The best case scenario with such products is that some fraction of traffic is unmolested but the product owner's policies do not actually control what that traffic is (which might surprise them and make their overall security policies ineffective but otherwise is no big deal).

The worst case is that in the attempt to do this "selective proxying" some or all traffic security is compromised. Non-participants aren't affected (except it might introduce denial of service) but active participants give up potentially all security. E.g. the company laptop that's configured to trust the MITM proxy might not only be uploading your bank password to some screen accessible by an entry-level IT guy, it might also just inadvertently remove the security of the bank connection altogether so that now random bad guys on the Internet can see everything, whoops.