[bryanlarsen]

Jails can still use MITM monitoring proxies without disabling SSL: they just have to install certs on the machine.

[vbezhenar]

Does it work with sites like Google from Google Chrome where browser knows about their public keys? I think that this will be wide practice in modern browsers.

HSTS/HPKP headers could be stripped by proxy but preloaded public key list probably will require custom browser build.

[falcolas]

Yes, it does. Google intentionally adds exceptions from error reporting in the case a root CA was added to the OS.