Saturday, June 22, 2019

SSL Inspection and alternatives

Hi All,

We use Zscaler to perform SSL inspection, and basically, some sites are now using PKP, and if the client is using the Zscaler certificate, we're kinda stuck, as the site doesn't really work.

Zscaler's solution is to disable SSL inspection on those domains:

https://help.zscaler.com/zia/public-key-pinning-and-zscaler

I was wanting to know, would replacing Zscaler (for specific sites or as a whole) with a proxy work?

As the proxy could establish the connection with the site in question (using the correct certificate), request and scan the data, then it would establish another SSL connection back to the client, and pass the data along?

This is the only solution I can think of that would be acceptable, as it allows us to scan the data for malware, and also allows us to measure it to see what is being sent or done.

Thanks heaps.


