My favorite are the ones that re-sign connections without ever verifying that the original connection was signed by a legitimate authority.

I encountered an interesting one at $bigcorp which required everyone in the corp to install shady certificates, and which would then inject <script> tags in all HTTP responses, including in XML and JSON REST responses. That was fun to debug.

It's pretty common for these devices to require you to install their generated CA cert on every machine in the corporation. Administrators deploy it to the domain with a group policy object IIRC.

Firefox users end up having to install it by hand, or else every website comes up as "you are being attacked by a MITM!!!!", which is technically true.

Sadly this also puts laptop users in the situation that they always need to vpn to the office otherwise sites that use HSTS will break either when on or outside the corporate networks, depending on when you visited the site first.

HSTS allows self signed certs as long as the cert is manually installed to the OS trust store for exactly that reason.

Okay. Does that also hold when only the CA is installed? On my machine both Safari and Chrome prevent loading google and stackoverflow because when accessing them through the corporate proxy I get a certificate which is signed by the corporate inspection gateway ca.

It works for me. Install the resign CA cert as a trusted CA and the page will load just fine.

Click on the padlock in Firefox and hit the right arrow next to the domain and it will even say "Verified by: [your corp]"

Training is expensive and people will still click on ransomware payloads. Security appliances outsource blame.