I still wish most companies knew/had a better "best practice" than just MITM interception certificates, because that is potentially brittle and is an threat to corporate security. If you already have all of your machines MITMed, then an attacker could gain access to the existing MITM certificate and who would ever know.
I know I'm a relative minority in the corporate IT world, but as a software developer downloading/uploading dependent libraries or the outputs of my development issues, corporate MITM interception certificates absolutely scare me for my personal threat model and the threat model of the projects that I work on.
It is. I do work in a Fortune 500 occasionally, and have to use their MITM gateway (websense SSL intercept).
They haven't yet fixed the internal cert to not use SHA-1.
If you're using something other than a corporate windows desktop + browser, you have to install the root certificates manually.
They have to make manual exceptions for sites that do certificate pinning. When they miss a site, it creates issues. Github is broken for me...I have to use crazy workarounds.
If there were a movement to enable certificate pinning everywhere, it would be very disruptive for the Corporate MITM vendors.
Edit: They also have irritating "content filters". So, if I'm tasked to research options for a project, like say a VPN, I can't search from their network. It blocks pages talking about VPNS because there's a policy to block "websense proxy avoidance".
Similar anecdote: an internal intercept certificate that Firefox outright refused to install to a trusted store because the cert seemed suspicious/insecure. (Not caught by corporate IT because of a Chrome monoculture, which is a different problem.)
I know I'm a relative minority in the corporate IT world, but as a software developer downloading/uploading dependent libraries or the outputs of my development issues, corporate MITM interception certificates absolutely scare me for my personal threat model and the threat model of the projects that I work on.