Zscaler is awful. It installs a root cert to act as a man-in-the-middle TCP traf...

commandlinefan · 2024-07-19T18:57:30 1721415450

> installs a root cert

Wow, I didn't know that, but you're right. It even works in Brave, which I wouldn't have expected:

    % openssl x509 -text -noout -in news.ycombinator.com.pem 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                6f:9e:b3:95:05:50:6e:4d:03:d6:0b:a9:81:8c:2f:c3
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t) 
            Validity
                Not Before: Jul 13 03:45:27 2024 GMT
                Not After : Jul 27 03:45:27 2024 GMT
            Subject: C=US, ST=California, L=Mountain View, O=Y Combinator Management, LLC., CN=news.ycombinator.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)

It seems to hijack the browser somehow, though, because that doesn't happen from the command line:

    % openssl s_client -host news.ycombinator.com -port 443
    CONNECTED(00000005)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = "Y Combinator Management, LLC.", CN = news.ycombinator.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Y Combinator Management, LLC./CN=news.ycombinator.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2