9

Our company recently implemented Zscaler proxy filtering, which I just learned uses a root certificate pushed out to all of our machines to forge SSL certificates for mitm filtering of our traffic. Personally I'm not happy about this, but we do a lot of sensitive work, so I'm not going to complain.

But now I'm noticing they don't seem to be doing it consistently. For instance, if I go to Facebook on the work network, the certificate is signed by ZScaler Intermediate Root CA, which clearly means it's been compromised. But if I go to, say, my bank, it says it's signed by Verisign. Am I right in thinking that means the bank connection has not been intercepted and is still end to end encrypted?

TBridges42
  • 1,849
  • 1
  • 19
  • 29
  • 5
    This question appears to be off-topic because it is not about programming. See [What topics can I ask about here](https://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Information Security Stack Exchange](http://security.stackexchange.com/) would be a better place to ask. – jww Jun 27 '14 at 22:42

1 Answers1

12

Zscaler allows the administrator to configure which sites/domains/categories will or will not be decrypted for inspection. It sounds like your admins have disabled SSL decryption sites in the finance category, and thus traffic to your bank is not being decrypted, whilst traffic to Facebook is.

As far as determining which traffic is and is not being decrypted you are exactly right - check the SSL certificate and if it's signed by the Zscaler certificate then the traffic is being Man-In-The-Middle'ed. If it's signed by any other certificate (including Verisign/etc) then it's NOT being MITM'ed.

Doc
  • 236
  • 2
  • 8