One of my team colleagues solved this one at hacklu. It was a wild ride from what I heard.
prettyStandard 3 hours ago
Does anyone else like Zscaler?
All the devs at my company kind of hate it because it's always breaking stuff. I think it's cool in theory, but they have basically zero automated support on how to get the certificate installed.
They have manual instructions on how you add the certificate to the Java key store, and NPM key store, and the Python key store, and the OS key store, etc...
And my whole thing is: won't malware use those same key stores? Won't malware detect that the certificate isn't passing and then just default to HTTP?
I'm starting to think it's security theater.
streptomycin 58 minutes ago
Oh it's definitely security theater, and it also wastes a ton of time as you describe, figuring out how to add certs or use a proxy in various pieces of software.
Back when I had a corporate job, I think at least 50% of my value to the company was that I knew how to get around Zscaler when necessary. Nothing particularly clever, just secretly using a proxy on some random server in our data center that happened to have unfiltered access to the Internet - which seemed like more of a potential security issue than anything Zscaler solved, but oh well.
Cthulhu_ 1 hours ago
IDK about whether it's security theater or how secure it is, but the software is fucked. I'm glad I'm not forced to use it (yet?), it hasn't worked right in forever and I really don't want to go to IT only to get blocked websites because they're content that my corporate overlords don't want people to look at during work hours (it's video games, not porn).