One of my team colleagues solved this one at hacklu. It was a wild ride from what I heard.
Does anyone else like Zscaler?
All the devs at my company kind of hate it because it's always breaking stuff. I think it's cool in theory, but they have basically zero automated support on how to get the certificate installed.
They have manual instructions on how you add the certificate to the Java key store, and NPM key store, and the Python key store, and the OS key store, etc...
And my whole thing is: won't malware use those same key stores? Won't malware detect that the certificate isn't passing and then just default to HTTP?
I'm starting to think it's security theater.
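The per-tool trust stores listed in the comment above are the problem in miniature: every tool is configured a different way and nothing tells you which ones are still missing the CA. Below is an added example, not code from this thread or from Zscaler, that audits the common Unix-side stores offline. It assumes the inspection CA is handed out as a PEM file, models the filesystem as a dict so it runs without touching a real machine, and uses constructed bytes as a stand-in for the certificate rather than a real CA; the environment variables and config keys it reads (SSL_CERT_FILE, REQUESTS_CA_BUNDLE, NODE_EXTRA_CA_CERTS, GIT_SSL_CAINFO, npm's cafile, pip's cert) are the ones those tools actually honour. Java's cacerts is a binary keystore, so it is only flagged for a manual keytool check.

```python
"""Audit which tool-specific trust stores actually contain the corporate TLS-inspection CA.

Added example, not from the thread. The filesystem is modelled as a dict and the
"certificate" bytes are constructed, so everything here runs offline.
"""
import base64
import hashlib
import re
from configparser import ConfigParser

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text: str) -> set:
    """SHA-256 fingerprint (hex, no colons) of every DER body in a PEM bundle."""
    fps = set()
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def npmrc_cafile(text: str):
    """npm reads `cafile=/path` from .npmrc; returns the path or None."""
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip() == "cafile":
            return value.strip() or None
    return None


def pipconf_cert(text: str):
    """pip reads `cert = /path` under [global] in pip.conf; returns the path or None."""
    cp = ConfigParser()
    cp.read_string(text)
    return cp.get("global", "cert", fallback=None)


def audit(ca_pem: str, env: dict, files: dict, npmrc_path: str, pipconf_path: str) -> dict:
    """Map each store to True (CA present), False (missing/stale) or None (cannot check offline)."""
    want = pem_fingerprints(ca_pem)
    if not want:
        raise ValueError("corporate CA PEM contains no certificate blocks")

    def bundle_has_ca(path):
        # True only if every cert of the corporate CA chain is in the referenced bundle,
        # compared by fingerprint: a file that exists but holds a stale CA must not pass.
        return bool(path) and path in files and want <= pem_fingerprints(files[path])

    return {
        "openssl/curl (SSL_CERT_FILE)": bundle_has_ca(env.get("SSL_CERT_FILE")),
        "python requests (REQUESTS_CA_BUNDLE)": bundle_has_ca(env.get("REQUESTS_CA_BUNDLE")),
        "pip (pip.conf [global] cert)": bundle_has_ca(pipconf_cert(files.get(pipconf_path, ""))),
        "node (NODE_EXTRA_CA_CERTS)": bundle_has_ca(env.get("NODE_EXTRA_CA_CERTS")),
        "npm (.npmrc cafile)": bundle_has_ca(npmrc_cafile(files.get(npmrc_path, ""))),
        "git (GIT_SSL_CAINFO)": bundle_has_ca(env.get("GIT_SSL_CAINFO")),
        # Binary JKS/PKCS12 store: run `keytool -list -cacerts` and compare the fingerprint by hand.
        "java (cacerts)": None,
    }


def missing_stores(report: dict) -> list:
    """Stores that were checked and do not trust the CA."""
    return sorted(name for name, ok in report.items() if ok is False)


def _fake_pem(label: bytes) -> str:
    # Constructed stand-in: base64 of arbitrary bytes, NOT a real certificate.
    body = base64.b64encode(label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CORP_CA_PEM = _fake_pem(b"constructed stand-in for the corporate inspection CA")
OTHER_CA_PEM = _fake_pem(b"constructed stand-in for some unrelated public CA")

# Constructed sample workstation: hypothetical paths, not taken from any real host.
SAMPLE_FILES = {
    "/etc/ssl/certs/corp-bundle.pem": OTHER_CA_PEM + CORP_CA_PEM,
    "/etc/ssl/certs/stale.pem": OTHER_CA_PEM,  # bundle that never got the corporate CA
    "/home/dev/.npmrc": "registry=https://registry.npmjs.org/\ncafile=/etc/ssl/certs/corp-bundle.pem\n",
    "/home/dev/.config/pip/pip.conf": "[global]\ncert = /etc/ssl/certs/stale.pem\n",
}
SAMPLE_ENV = {
    "SSL_CERT_FILE": "/etc/ssl/certs/corp-bundle.pem",
    "NODE_EXTRA_CA_CERTS": "/etc/ssl/certs/corp-bundle.pem",
    # REQUESTS_CA_BUNDLE and GIT_SSL_CAINFO deliberately unset
}


def demo() -> dict:
    return audit(CORP_CA_PEM, SAMPLE_ENV, SAMPLE_FILES,
                 "/home/dev/.npmrc", "/home/dev/.config/pip/pip.conf")


if __name__ == "__main__":
    report = demo()
    for store, ok in report.items():
        print(f"{store:40} {'ok' if ok else 'manual check' if ok is None else 'MISSING'}")
    print("needs fixing:", missing_stores(report))
```

To run this against a real workstation, replace `SAMPLE_FILES` with a reader that opens the paths and pass `os.environ` as `env`. Comparing fingerprints rather than file names is the point: pip here points at a bundle that exists but was never updated, which looks fine to every tool until the first handshake through the proxy fails.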
Oh it's definitely security theater, and it also wastes a ton of time as you describe, figuring out how to add certs or use a proxy in various pieces of software.
Back when I had a corporate job, I think at least 50% of my value to the company was that I knew how to get around Zscaler when necessary. Nothing particularly clever, just secretly using a proxy on some random server in our data center that happened to have unfiltered access to the Internet - which seemed like more of a potential security issue than anything Zscaler solved, but oh well.
Yeah I find Zscaler to be a nuisance - my company has done a reasonable job in getting it to work seamlessly but there are two things that make my life difficult.
One is that for some reason different operating systems have different configs (not sure if this is just how my company has done it or whether it's for a reason), but it's meant that more than a few times some very mundane features in internal tools have been broken because development and testing happens on Mac but the end users are on Windows. The other is that IP address whitelisting is super painful because someone in security needs to do something to proxy the real IP address to your application, otherwise the IP address you see is Zscaler's, and Akamai plus Zscaler leads to even more confusion when trying to diagnose a firewall issue.
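For the allowlisting problem in the comment above (the application only ever sees the proxy's address), the usual fix is to take the client address from the forwarded-for header, but only when the direct peer is a proxy you trust, and only back to the first hop you don't trust, since any client can send that header itself. This is an added example, not code from the thread or from either vendor; the proxy and allowlist ranges are documentation-space placeholders, not Zscaler's or Akamai's real egress ranges, which you would take from the vendors' published lists.

```python
"""Recover the real client IP behind a chain of trusted proxies, then allowlist on it.

Added example, not from the thread. All ranges below are constructed placeholders
from RFC 5737 documentation space.
"""
import ipaddress
from typing import Optional

# Stand-ins for the proxy egress ranges (Zscaler, Akamai, ...) that may sit in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]
# Stand-in for the office/VPN range the application should accept.
ALLOWLIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24",)]


def _parse(addr):
    try:
        return ipaddress.ip_address(addr.strip())
    except (ValueError, AttributeError):
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Attribute a request to a client address.

    If the TCP peer is not a trusted proxy, the header is attacker-controlled and
    ignored. Otherwise walk X-Forwarded-For from the right (the hop appended by the
    proxy nearest to us) and return the first address that is not itself a trusted
    proxy; anything left of that was supplied by the client and is not believed.
    Malformed or empty headers behind a trusted proxy fail closed (None).
    """
    if not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse(hop) is None:
            return None
        if not is_trusted_proxy(hop):
            return hop
    return None


def allowed(remote_addr: str, xff_header: Optional[str]) -> bool:
    ip = _parse(client_ip(remote_addr, xff_header))
    return ip is not None and any(ip in net for net in ALLOWLIST)


if __name__ == "__main__":
    # Constructed requests: direct, via one proxy, via two proxies, and a spoof attempt.
    for peer, xff in [("192.0.2.10", None),
                      ("198.51.100.5", "192.0.2.10"),
                      ("203.0.113.7", "192.0.2.10, 198.51.100.5"),
                      ("100.64.0.9", "192.0.2.10"),
                      ("198.51.100.5", "192.0.2.10, 100.64.0.1")]:
        print(f"peer={peer:14} xff={xff!r:36} client={client_ip(peer, xff)!r:16} allowed={allowed(peer, xff)}")
```

The last two sample requests are the ones worth looking at: a client that is not behind the proxy cannot gain anything by claiming an office address in the header, and a client that is behind the proxy but prepends an office address is still attributed to its own IP, because the walk stops at the rightmost untrusted hop rather than taking the leftmost value.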
IDK about whether it's security theater or how secure it is, but the software is fucked. I'm glad I'm not forced to use it (yet?), it hasn't worked right in forever and I really don't want to go to IT only to get blocked websites because they're content that my corporate overlords don't want people to look at during work hours (it's video games, not porn).