> 1. (users having confidential information the org does not want to leak)
> computers with access to such information should not be internet-
> connected; keep on reading...
You're living in lala-land
> 2. yes, caching proxies are pretty much dead.
ROTFL. The biggest thing that happened Internet-side these past years is smartphones, and if you think ISPs let them connect to the Internet without proxification, you're naïve.
> 3. blocking ports does not work; one can always put one tunnel inside
> another (some years ago, a coworker had a simple http-80-GET/POST tunnel
> installed connecting his machine to his home machine, and from there, he
> was free). And THAT is why I said in #1 above that computers with
> confidential information should not be internet-connected.
It worked well enough for years. Perfect security does not exist. This is no reason to give up on security (and if not: live by your ideals and post your CC number and passcode everywhere, since CC processor security is not perfect).
> 4. I didn't understand what you meant with this; what can phishers and
> spammers do with https that they can't do with http?
Once a crypto tunnel is established, there is no reason to rely on URLs to transmit information. Most spam/phishing detection software relies heavily on URL patterns to catch it.
> you introduce a SPOF because if one pwns the proxy, you have the entire
> organization open to phishing and spoofing addresses (*).
Why do you assume proxy operators cannot operate compute farms like everyone else?
Besides: mail already works hop-to-hop. I don't see the defenders of https purity complaining that smtps and imaps are insecure.
> You open yourself and your organization to millions of dollars in
> liability by MITMing https because you can be inadvertently opening a
> backdoor to secure, money-transacting websites.
Straw-man argument. Find us a single case where that happened. Leaks by naïve users, or infection via network accesses, OTOH, are too common to even be reported anymore.