Er... yes. That's how nearly all web security products work. The only way for them to monitor (and filter) HTTPS content is the MITM + fake cert. This is done everywhere: from that Websense or Blue Coat proxy appliance at the office, to the boxes by someone like a Sandvine doing DPI on telco core networks.<p>Of course, this is unacceptable - but there are very few alternatives. For the record, we - rawstream - don't do this as it's crazy to compromise security like this. So we had to find other means.
Found this from this[0] post, which contains the second part[1]<p>[0]<a href="https://news.ycombinator.com/item?id=9643857" rel="nofollow">https://news.ycombinator.com/item?id=9643857</a><p>[1]<a href="https://itnerd.wordpress.com/2015/05/21/avast-responds-to-my-post-about-their-anti-virus-product/" rel="nofollow">https://itnerd.wordpress.com/2015/05/21/avast-responds-to-my...</a>