Sure - but from the (to be taken with appropriate credibility rating) WikiPedia page for BlueCoat:
"Blue Coat products are primarily used by enterprises, schools, hospitals, governments, and public agencies to block malware and malicious threats, control access to applications and content in the workplace, surveillance, censorship, and improve the performance of network applications."
I'm resigned to acknowledging that if the NSA (GHCQ/ASD/insert-local-equivalent at least for five-eyes nations) wants to investigate _me_ specifically, I'm fucked and my only option is to not use the internet (or telephones or mail or or or).
I'm not (yet) prepared to give up and hand that level of access to my digital life to enterprises, schools, (most bits of the) government, or public agencies.
Ok, so if your adversary is your employer or your school, you are presumably using a network not controlled by you, in which case your endpoint ought to already be a VPN.
A good number of employer or school-provider devices will have their own certificates preinstalled anyway.
I'm good with my work or school owned/issued device trusting a root cert installed by that device's owner.
I'm _not good with a school or employer's network being able to generate arbitrary certs for my email, bank, social networks, etc - WITHOUT ME KNOWING ABOUT IT ON MY PERSONAL DEVICES... Sure, MitM me if it's your network - but I 100% should be able to rely on my browser on my device reliably being able to tell me "You're attempting to visit https://mybank.com, but the certificate identifies it as mybank.suspiciouscorp.net Continue anyway (not recommended): [OK] [Hell no!]"
What if the site they're connecting to has a problem with that? If I for example serve E-Healthcare records, and have an agreement that a given person that I have vetted has access to them, I might have a problem with your unvetted IT staff having access but how would I know?
I agree that people running the network have the right to run it as they want.
But if an attack can work on you using my network, it is also an attack that works on me surreptitiously rerouting your traffic onto my network. Basically undoing HTTPS.
Also, what I'm talking about (MITM proxy on a private network), it's not sneaky -- you will get unsigned cert warnings. If you are using an employers device, you won't see warnings, but can examine the SSL certificate. You should also assume that you are being monitored.
No you wont. Bluecoat now has a CA Cert root key signed by Symantec. If they issue a .google.com or .gmail.com ssl cert you will _not_ get an unsigned cert warning.
And explain to me how to connect to, say, my internet banking without using "a private network"? Every single hop between my house(or my phone) and my bank is a piece of network owned by some company or other. "Use your own network" is meaningless in the context of connecting to any hardware you don't own yourself.
As a private network owner, I see risk in uncontrolled SSL.
If you provide a publicly accessible "Guest" network isolated from my corporate or private resources, that I agree that it's unreasonable to intercept TLS sessions.
If you are on my network, which exists to serve my constituents with a personal device, I have every right to or even have a duty to ensure that you aren't threatening the overall integrity of the private network. Whether that be exfiltrating data, bringing in malware, etc.
In 2016, the answer to this issue is really simple -- bring your own cellular service.
The objection is not to controlling TLS on a private network. The objection is to using a method that can silently intercept connections to devices you don't administrate.
If someone doesn't want to install the root cert, then "use your own network" is a perfectly fine response.
If someone is upset that the TLS security model is broken in half, then "use your own network" is not a valid response.
And what do I do when you get a job at my cellular provider, and decide that my internet banking or healthcare website connections might be me "exfiltrating data" and you choose to take it upon yourself to inspect the contents of those connections just in case I'm somehow "threatening the overall integrity of the cellular provider's network"?
All sysadmins have nation-states as their threat model (or at least they should have it). If spy agencies can in any way leverage your network, then you're an automatic target.
With a nation-state adversary, you really need to be manually verifying certificate hashes that have been securely communicated to you out of band.