Different phylosophy: why block VPNs when you can monitor them. Most Root CAs are in US.

Certificate transparency is mandatory in browsers; interception certificates appear in certificate logs to be accepted. Have you found one?

Edit: OCSP has been ended.

He might be referring to OCSP. Browsers ping CAs by default, revealing to them the sites that are visited.

	▲	arcfour 2 days ago \| parent [-]
		OCSP is very much on the way out, this is hardly true anymore; although some things still check OCSP, many things do not.