Zscaler

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Bmearns (talk | contribs) at 21:04, 1 April 2013 (Added section about security and privacy considerations). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Zscaler, Inc.
Company type: Private
Industry: Anti-virus, Anti-spyware, Web filtering
Founded: 2008
Headquarters: Sunnyvale, California, USA
Key people: Jay Chaudhry, K. Kailash
Website: www.zscaler.com

Zscaler,[1] launched on August 4, 2008, provides an in-the-cloud security service for web traffic. The service offers SaaS protection against malware and enforces policies for outbound web traffic. The company was founded by Jay Chaudhry, a security industry professional, and K. Kailash, former chief architect of NetScaler. Prior to Zscaler, Jay Chaudhry founded and funded several successful companies, including CipherTrust, AirDefense, CoreHarbor, Air2Web, and SecureIT. The company competes with similar services offered by Blue Coat Systems, Cisco, MessageLabs, Webroot and Websense.

Security Considerations and Controversy

The Zscaler service operates in part by routing all managed web traffic through devices owned and operated by Zscaler[2]. In order to monitor or inspect secure (HTTPS) connections, Zscaler implements what is normally known as a man-in-the-middle attack between the client and the HTTPS website[3][4]. This implementation intercepts the SSL/TLS security certificate sent by the original web site and replaces it with a certificate from Zscaler before forwarding it to the end user. The replacement certificate falsely indicates that it is from the origin web site (through the certificate's Common Name field), but it is in fact not associated with the site and is signed by Zscaler's own certificate authority. By replacing the genuine certificate with its own, Zscaler is able to view and (optionally) manipulate all the content on both sides of the "secure" connection, i.e., data sent from the user to the site (such as login information) and data sent from the site to the user (such as webmail messages and bank statements).

Because the Zscaler certificates are not legitimately associated with the origin web site, most modern web browsers will not accept the Zscaler certificate (i.e., they will not send any user data to the site using the Zscaler certificate). To get around this, the browser needs to be convinced to trust Zscaler's own certificate authority. On many systems, administrators can do this remotely and without the end user being aware of it[5], leading to potential privacy and security concerns, since users do not necessarily know that their encrypted web traffic is being decrypted and inspected by Zscaler devices.
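
The following is an added example, not part of the original article: a client-side check for the certificate substitution described above. Because the substituted certificate carries the origin site's Common Name, the name comparison passes, so the check also compares the certificate fingerprint and issuer against values recorded out of band. The host name, CA names and certificate byte strings are constructed placeholders.

```python
import hashlib
import hmac

# Constructed sample data, not taken from any real connection. The dicts use
# the shape returned by ssl.SSLSocket.getpeercert(); the DER values are
# stand-in byte strings, since only their SHA-256 fingerprints are compared.
GENUINE = {"subject": ((("commonName", "bank.example"),),),
           "issuer": ((("organizationName", "Example Public CA"),),)}
REISSUED = {"subject": ((("commonName", "bank.example"),),),  # same name
            "issuer": ((("organizationName", "Example Inspection CA"),),)}
GENUINE_DER = b"constructed bytes: leaf issued by the public CA"
REISSUED_DER = b"constructed bytes: leaf issued by the inspection CA"


def name_field(name, field):
    """Return the first value of `field` in a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == field:
                return value
    return None


def fingerprint(der):
    """SHA-256 fingerprint of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def assess(cert, der, host, pin, known_issuer):
    """Compare a presented leaf with a pin and issuer recorded out of band."""
    findings = []
    if name_field(cert["subject"], "commonName") != host:
        findings.append("name-mismatch")
    if not hmac.compare_digest(fingerprint(der), pin):
        findings.append("pin-mismatch")
    issuer = name_field(cert["issuer"], "organizationName")
    if issuer != known_issuer:
        findings.append("unexpected-issuer:" + str(issuer))
    return findings


PIN = fingerprint(GENUINE_DER)  # recorded earlier over a trusted path
print(assess(GENUINE, GENUINE_DER, "bank.example", PIN, "Example Public CA"))
print(assess(REISSUED, REISSUED_DER, "bank.example", PIN, "Example Public CA"))
```

On a live connection the same inputs come from `getpeercert()` and `getpeercert(binary_form=True)`; once the inspection CA is in the trust store, chain validation succeeds, which is why the comparison uses independently recorded values.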

References