How can end-users detect malicious attempts at SSL spoofing when the network already has an authorized SSL proxy?

How can someone be expected to browse securely in this environment?

You can't really. If there's an official MITM proxy and it's not your network, just don't do anything you don't want the network admins to be able to see. Use your own personal connection to connect to sites with personal accounts.

With all certificates being signed by the proxy, how can I validate that the website isn't additionally being spoofed by some other third-party?

I think it's fair to assume that the proxy itself, when it makes the connection to the actual website, does check the validity of the certificate against a list of CAs it was configured with (probably that of the OS it's running on).

I'm worried that there might come a time where Firefox is also configured to ignore these spoofed certificates. How can I prevent my browsers (Firefox, et al.) from accepting these certificates?

The trend has always been to increase the awareness about invalid certificates in Firefox.

In Firefox, you can disable certain CAs by going into Options -> Advanced -> Encryption -> View Certificates -> Authorities. Then, use "Edit trust" (or delete a CA cert). You're likely to find the CA cert installed within this institution. You can also review the exceptions in the "Servers" tab, if any.

Why do browsers allow this function? It would seem almost more sensible to completely disable HTTPS than to allow such a false sense of security as this. Is this not a major security issue - that the browser accepts seemingly-legitimate certificates even though they are not the ones provided by the websites?

You're misunderstanding whose responsibility it is to ensure trust. Browsers are just there to use a list of trusted anchors. Whilst they often come with a default list, it's up to the machine's administrator (and/or the user) to check for the list of CAs they want to trust. (There's a slight exception to this with EV certificates, although it's not without its own set of problems.)

If you have a doubt regarding which CA is being used, click on the lock icon or blue/green bar (depending on the browser); you should be able to see the security details. Compare it with what you see using a machine you trust on a network you trust.

If you don't trust which CA certs are installed on the machine, don't use it. More generally, this boils down to this: don't use a machine you don't trust.


You might be interested in Certificate Patrol:

https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/

It tracks which certificates you have seen before and warns you if they have changed prematurely. Of course, you could also just not install the company's root certificate in the first place.
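
The comparison suggested in the answers above (record what a trusted machine on a trusted network sees, then check what this network presents, and warn when a certificate changes long before its expiry, as Certificate Patrol is described as doing) can be sketched in Python. This is an added example, not code from either answer or from the add-on; the function names, the 30-day renewal window, the host name and every certificate value in `demo()` are constructed assumptions.

```python
import hashlib, socket, ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)  # assumption: a change this close to expiry is a renewal

def observe(host, port=443):
    """Return (sha256 fingerprint, issuer, not_after) as presented to this machine."""
    ctx = ssl.create_default_context()  # machine's trust store, any installed proxy CA included
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der, info = tls.getpeercert(binary_form=True), tls.getpeercert()
    issuer = ", ".join(value for rdn in info["issuer"] for _, value in rdn)
    expiry = ssl.cert_time_to_seconds(info["notAfter"])
    return hashlib.sha256(der).hexdigest(), issuer, datetime.fromtimestamp(expiry, timezone.utc)

def check(store, host, fingerprint, issuer, not_after, now):
    """Compare an observation with the remembered one; keep the baseline on warnings."""
    seen = store.get(host)
    if seen is None:
        verdict = "first-seen"
    elif seen["fingerprint"] == fingerprint:
        verdict = "unchanged"
    elif seen["issuer"] != issuer:
        verdict = "issuer-changed"
    elif seen["not_after"] - now > RENEWAL_WINDOW:
        verdict = "changed-prematurely"
    else:
        verdict = "renewed"
    if verdict in ("first-seen", "renewed"):
        store[host] = {"fingerprint": fingerprint, "issuer": issuer, "not_after": not_after}
    return verdict

def demo():
    """Constructed observations: trusted home network first, then the proxied network."""
    utc = timezone.utc
    store, host = {}, "mail.example.org"
    home = ("aa" * 32, "Example Public CA", datetime(2025, 12, 1, tzinfo=utc))
    proxied = ("bb" * 32, "Example Institution Proxy CA", datetime(2025, 9, 1, tzinfo=utc))
    reissued = ("cc" * 32, "Example Public CA", datetime(2026, 6, 1, tzinfo=utc))
    return [
        check(store, host, *home, now=datetime(2025, 6, 1, tzinfo=utc)),      # first-seen
        check(store, host, *home, now=datetime(2025, 6, 2, tzinfo=utc)),      # unchanged
        check(store, host, *proxied, now=datetime(2025, 6, 3, tzinfo=utc)),   # issuer-changed
        check(store, host, *reissued, now=datetime(2025, 6, 4, tzinfo=utc)),  # changed-prematurely
        check(store, host, *reissued, now=datetime(2025, 11, 20, tzinfo=utc)),  # renewed
    ]

if __name__ == "__main__":
    print(demo())
```

`observe()` only succeeds when the presented chain validates against the local trust store, so on a machine without the institution's CA installed it raises a verification error instead of returning the proxy's certificate.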