Zscaler Intermediate Certificate


Problem description

Our company recently implemented Zscaler proxy filtering, which I just learned uses a root certificate pushed out to all of our machines to forge SSL certificates for MITM filtering of our traffic. Personally I'm not happy about this, but we do a lot of sensitive work, so I'm not going to complain.

But now I'm noticing they don't seem to be doing it consistently. For instance, if I go to Facebook on the work network, the certificate is signed by ZScaler Intermediate Root CA, which clearly means it's been compromised. But if I go to, say, my bank, it says it's signed by Verisign. Am I right in thinking that means the bank connection has not been intercepted and is still end to end encrypted?

Recommended answer

Zscaler allows the administrator to configure which sites/domains/categories will or will not be decrypted for inspection. It sounds like your admins have disabled SSL decryption for sites in the finance category, and thus traffic to your bank is not being decrypted, whilst traffic to Facebook is.

As far as determining which traffic is and is not being decrypted you are exactly right - check the SSL certificate and if it's signed by the Zscaler certificate then the traffic is being Man-In-The-Middle'ed. If it's signed by any other certificate (including Verisign/etc) then it's NOT being MITM'ed.
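The issuer check described in the answer can be scripted across several hosts; the following is an added example, not part of the original question or answer. It assumes the proxy's CA carries "zscaler" in an issuer field (as in the issuer name quoted in the question), and the sample certificates are constructed for illustration.

```python
import socket
import ssl
import sys

# Assumption: the inspecting proxy's CA has "zscaler" in an issuer field,
# as in the "ZScaler Intermediate Root CA" issuer named in the question.
MARKER = "zscaler"

# Constructed issuers in ssl.getpeercert() layout (not captured from real sites).
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Zscaler Inc."),),
                             (("commonName", "Zscaler Intermediate Root CA"),))}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "VeriSign, Inc."),),
                            (("commonName", "VeriSign Example Server CA"),))}


def issuer_fields(cert):
    """Flatten the issuer RDN tuples of a getpeercert() dict into a dict."""
    return {name: value for rdn in cert.get("issuer", ()) for name, value in rdn}


def is_intercepted(cert, marker=MARKER):
    """True when any issuer field (O, OU, CN, ...) contains the marker."""
    return any(marker in v.lower() for v in issuer_fields(cert).values())


def fetch_cert(host, port=443, timeout=5.0):
    """Return the leaf certificate as this machine sees it.

    Validation uses the default trust store; if Python does not trust the
    proxy root there, the handshake raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def report(host, cert):
    verdict = "re-signed by proxy" if is_intercepted(cert) else "not re-signed"
    return f"{host}: {verdict} (issuer CN: {issuer_fields(cert).get('commonName')})"


if __name__ == "__main__":
    for host in sys.argv[1:]:
        try:
            print(report(host, fetch_cert(host)))
        except ssl.SSLCertVerificationError as exc:
            print(f"{host}: untrusted chain, inspect manually ({exc.verify_message})")
```

Run it with hostnames as arguments from the machine whose traffic you want to check; the result reflects only the certificate presented at the time of the connection.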
