> pretty standard fare for a corporate firewall/proxy

It is? So corporations install something that infects your laptop and updates the root certificate every time Chrome or Firefox updates? Sounds extreme to me. Something the NSA might be able to do, but hopefully not my company.
It is and they do. You'll find many historical threads here discussing cases where interested parties were actively campaigning to thwart anti-MITM measures being added to TLS, because they broke their MITM attacks that their businesses depend on.
Nope, you can install additional certificate authorities in the system keychain on Mac, which Safari and Chrome both use. Commonly done on managed installs.
Other applications on Mac/Linux that use their own keystore, like OpenSSL or Java, will throw cert errors if you don't also install the CA in their keystores, but that could be scripted as well if it causes too much friction for users.
If you're in such an environment, the options are either install the CA or don't use anything that requires HTTPS ¯\_(ツ)_/¯