Many corporations do this on their networks so that they can inspect traffic for security purposes and outbound loss prevention. It's not uncommon today and seems to be gaining in popularity.
Edit: I don't mean to imply that it's the right or the wrong thing to do (it probably depends on the situation). Just stating what I have seen in industry.
That communication belongs to the company, the session is work product on a company-owned device. Feels squeamish if you didn't think about it that way, but is implied by almost every employment agreement.
This is quite different than the AV vendor who does not own your communication from your own device.
I still wish most companies knew/had a better "best practice" than just MITM interception certificates, because that is potentially brittle and is a threat to corporate security. If you already have all of your machines MITMed, then an attacker could gain access to the existing MITM certificate and who would ever know?
I know I'm a relative minority in the corporate IT world, but as a software developer downloading/uploading dependent libraries or the outputs of my development issues, corporate MITM interception certificates absolutely scare me for my personal threat model and the threat model of the projects that I work on.
It is. I do work in a Fortune 500 occasionally, and have to use their MITM gateway (Websense SSL intercept).
They haven't yet fixed the internal cert to not use SHA-1.
If you're using something other than a corporate Windows desktop + browser, you have to install the root certificates manually.
They have to make manual exceptions for sites that do certificate pinning. When they miss a site, it creates issues. GitHub is broken for me... I have to use crazy workarounds.
If there were a movement to enable certificate pinning everywhere, it would be very disruptive for the Corporate MITM vendors.
Edit: They also have irritating "content filters". So, if I'm tasked to research options for a project, like say a VPN, I can't search from their network. It blocks pages talking about VPNs because there's a policy to block "websense proxy avoidance".
Similar anecdote: an internal intercept certificate that Firefox outright refused to install to a trusted store because the cert seemed suspicious/insecure. (Not caught by corporate IT because of a Chrome monoculture, which is a different problem.)
As someone who's worked on corporate web proxies, I can also tell you there's usually someone who knows what they're doing administering them. Besides the "implied consent" of being on an employer network, you also have people at the company who know how to ensure bad SSL from the proxy -> website will not be permitted.
If the MITM function of Bitdefender isn't advertised, how can anyone consent to it, or knowledgeably ensure it's still enforcing connection resets on bad SSL certs?