Does this require a writeable, user-accessible file on the computer where the browser is installed? (versus, e.g., a gateway computer the user controls that can run openssl, the proxy, tcpdump and the packet filter)

If yes, how would the NSS solution work if the user is browsing from a device that hides and even tries to deny the user access to the filesystem, like one of today's smartphones or tablets?