I take your point. I was thinking in terms of both legs being HTTPS or HTTPS+VPN, as we do for our customers when we set up reverse proxies to their application servers. I wouldn’t go as far as calling it an attack though… negligent homicide? I also disagree with your unqualified usage of "CDN"; CDNs in general have no need to MITM traffic; they have their own domain names and certificates (though I have seen more often sites giving their CDNs subdomains, presumably for same-origin reasons). DDoS protection like Cloudflare is a special beast.
CA cert and HTTP proxy settings installed in my browser using FoxyProxy, so what gets sent to the proxy depends on a whitelist. The proxy takes HTTP CONNECT requests and checks the domain and port against its own whitelist; if the domain isn’t on the whitelist it gets tunneled. If it is on the list the socket is wrapped in an SSL layer (adding the domain and re-signing the certificate if necessary) and fed back into the HTTP proxy. I make no effort to keep the SSL library up-to-date.
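As an added illustration of the CONNECT dispatch step described in the comment above (this is not the commenter's proxy; the whitelist shape, function names and the "tunnel"/"intercept" labels are my assumptions), the decision logic on its own:

```python
# Added example: the "CONNECT -> whitelist -> tunnel or intercept" decision
# from the comment above, isolated from any socket handling.
# Whitelist entries are (hostname, port) pairs; everything else is tunneled
# opaquely, so only explicitly listed domains are ever re-signed.
import re
from typing import Set, Tuple

# Matches the CONNECT request line, e.g. "CONNECT example.com:443 HTTP/1.1".
# The host may be a bracketed IPv6 literal; CONNECT always carries a port.
_CONNECT_RE = re.compile(
    r"^CONNECT\s+(?:\[([^\]]+)\]|([^\s:\[\]]+)):(\d{1,5})\s+HTTP/1\.[01]\s*$"
)


def parse_connect(request_line: str) -> Tuple[str, int]:
    """Return (host, port) from a CONNECT request line, or raise ValueError."""
    m = _CONNECT_RE.match(request_line)
    if not m:
        raise ValueError(f"not a CONNECT request line: {request_line!r}")
    # Normalise so "Example.COM." and "example.com" hit the same entry.
    host = (m.group(1) or m.group(2)).lower().rstrip(".")
    port = int(m.group(3))
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_connect(request_line: str) -> bool:
    """True if the line is a well-formed CONNECT request."""
    try:
        parse_connect(request_line)
        return True
    except ValueError:
        return False


def decide(request_line: str, whitelist: Set[Tuple[str, int]]) -> str:
    """'intercept' if host and port are whitelisted (wrap in TLS, re-sign cert),
    otherwise 'tunnel' (pass bytes through untouched)."""
    host, port = parse_connect(request_line)
    return "intercept" if (host, port) in whitelist else "tunnel"


if __name__ == "__main__":
    # Constructed sample whitelist and request lines.
    wl = {("example.com", 443), ("2001:db8::1", 443)}
    for line in ("CONNECT example.com:443 HTTP/1.1",
                 "CONNECT other.org:443 HTTP/1.1",
                 "CONNECT example.com:8443 HTTP/1.1"):
        print(line, "->", decide(line, wl))
```

Note that a port mismatch is treated as "not on the list": the comment checks domain and port together, so the same host on a different port is tunneled rather than intercepted.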