[peripitea]

I'm confused as to how what you're saying or what parent is saying would work. The trusted CAs live on your computer, and should not be susceptible to tampering by your ISP. And how can your ISP or corporate network set up an HTTPS proxy like you're suggesting without triggering a warning to the user that they are not connecting to the SSL certificate's specified domain?

Is there something about SSL/TLS that I'm fundamentally misunderstanding?

[enginous]

Nope, you're right. The ISP would have to install the CA certificate on every device on the network, which is a nontrivial task.

Furthermore, if the ISP has done that, they don't need you to go through a proxy. Your connection is already going directly through them.

Edit: However (as you can see by some of the responses in this thread), there's certainly the possibility that your ISP itself is an actual certificate authority recognized by browsers. That scenario is indeed quite worrying.

[marbletiles]

It's also a pretty trivial task if you control the user's routers and can give them installation disks to make "the internet work". As corporate and university wifi shows, people will willingly accept new certificates required to join hotspots; they'll also do it on their desktops without blinking.

[enginous]

Indeed, although I don't agree "internet-enabling software" is trivial in terms of engineering and support costs, considering the range of devices today. But mostly I just wanted to clarify on the point that interception is not fully transparent: that the ISP does need to compromise every device that connects to the network.

But I do agree with your original point that to the extent possible, there should be legislation (if there isn't already) against intercepting TLS-encrypted connections of ISP customers, in cases where the ISP is also a browser-approved CA or is actually willing to distribute its own CA cert.