Zscaler: Difference between revisions

Zscaler, Inc.
	Zscaler logo
Company type	Private
Industry	Anti-virus, Anti-spyware, Web filtering
Founded	2008
Headquarters	Sunnyvale, California, USA
Key people	Jay Chaudhry; K. Kailash
Website	www.zscaler.com

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 21:04, 1 April 2013

Zscaler,^[1] launched on August 4, 2008, provides an in-the-cloud security service for web traffic. The service offers SaaS protection against malware and enforce policies for outbound web traffic. The company was founded by Jay Chaudhry, a security industry professional and K. Kailash, former chief architect of NetScaler. Prior to Zscaler, Jay Chaudhry founded and funded several successful companies, including CipherTrust, AirDefense, CoreHarbor, Air2Web, and SecureIT. The company competes with similar services offered by Blue Coat Systems, Cisco, MessageLabs, Webroot and Websense.

Security Considerations and Controversy

The Zscaler service operates in part by having all web traffic to be managed sent through Zscaler owned and operated devices^[2]. In order to monitor or inspect secure (HTTPS) connections, Zscaler implements what is normally known as a Man-in-the-middle attack between the client and the HTTPS website^[3]^[4]. This implementation intercepts the SSL/TLS security certificate sent by the original web site, and replaces it with a certificate from Zscaler before forwarding it to the end user. The certificate falsely indicates that it is from the origin web site (through the certificate's Common Name field), but is in fact not associated with the site, and is signed by Zscaler's own certificate authority. By replacing the genuine certificate with their own, Zscaler is able to view and (optionally) manipulate all the content on both sides of the "secure" connection (i.e., data sent from the user to the site—such as login information—and data sent from the site to the user—such as webmail messages and bank statements).

Because the Zscaler certificates are not legitimately associated with the origin web site, most modern web browsers will not accept the Zscaler ceritifcate (i.e., it will not send any user data to the site using the Zscaler certificate). To get around this, the browser needs to be convinced to trust Zscaler's own certificate authority. On many systems, administrators can do this remotely and without the end user being aware of it^[5], leading to potential privacy and security concerns since users do not necessarily know that their encrypted web traffic is being decrypted and inspected by Zscaler devices.

References

External links

[1] ttp://www.zscaler.com/

[2] ttp://www.enterprisenetworkingplanet.com/datacenter/Zscaler-Cracks-Cloud-Security-3932516.htm

[3] ttps://www.mcnc.org/forums/ncren/web-security/z-scaler-certificate-error-messages-ipad

[4] ttp://zap.zscaler.com/certinfo.php

[5] ttp://technet.microsoft.com/en-us/library/cc754841.aspx

[1]

[2]

[3]

[4]

[5]

@@ Line 14: / Line 14: @@
 '''Zscaler''',<ref>http://www.zscaler.com/</ref> launched on August 4, 2008, provides an in-the-cloud security service for web traffic. The service offers [[SaaS]] protection against [[malware]] and enforce policies for outbound web traffic. The company was founded by Jay Chaudhry, a security industry professional and K. Kailash, former chief architect of NetScaler. Prior to Zscaler, Jay Chaudhry founded and funded several successful companies, including [[CipherTrust]], AirDefense, CoreHarbor, Air2Web, and SecureIT. The company competes with similar services offered by [[Blue Coat Systems]], [[Cisco]], [[MessageLabs]], [[Webroot]] and [[Websense]].
+==Security Considerations and Controversy==
+The Zscaler service operates in part by having all web traffic to be managed sent through Zscaler owned and operated devices<ref>http://www.enterprisenetworkingplanet.com/datacenter/Zscaler-Cracks-Cloud-Security-3932516.htm</ref>. In order to monitor or inspect secure ([[HTTPS]]) connections, Zscaler implements what is normally known as a [[Man-in-the-middle attack]] between the client and the HTTPS website<ref>https://www.mcnc.org/forums/ncren/web-security/z-scaler-certificate-error-messages-ipad</ref><ref>http://zap.zscaler.com/certinfo.php</ref>. This implementation intercepts the [[SSL]]/[[TLS]] security certificate sent by the original web site, and replaces it with a certificate from Zscaler before forwarding it to the end user. The certificate falsely indicates that it is from the origin web site (through the certificate's Common Name field), but is in fact ''not'' associated with the site, and is signed by Zscaler's own [[certificate authority]]. By replacing the genuine certificate with their own, Zscaler is able to view and (optionally) manipulate all the content on both sides of the "secure" connection (i.e., data sent from the user to the site&mdash;such as login information&mdash;and data sent from the site to the user&mdash;such as [[webmail]] messages and bank statements).
+Because the Zscaler certificates are not legitimately associated with the origin web site, most modern web browsers will not accept the Zscaler ceritifcate (i.e., it will not send any user data to the site using the Zscaler certificate). To get around this, the browser needs to be convinced to trust Zscaler's own certificate authority. On many systems, administrators can do this remotely and without the end user being aware of it<ref>http://technet.microsoft.com/en-us/library/cc754841.aspx</ref>, leading to potential privacy and security concerns since users do not necessarily know that their encrypted web traffic is being decrypted and inspected by Zscaler devices.
 ==References==