upgraded to the 3.0 client and now i can’t pulse get an error dialog that sys “SSL Connection to website failed! this could be our fault, but it could also be a proxy trying to peek into our communication. Please disable the proxy, if that’s the case”.
obviously i can’t disable the proxy (zscaler).
seems like the client may not trust my root certificates maybe?
i tried manually setting the proxy as well, but zscaler uses a redirect auth method so ti’s kind of a mess. are there more detailed logs i can look at?
Unfortunately, this is expected behaviour when there’s a man in the middle between the client and our website. While I know some organisations like to snoop into their employees traffic, there’s no work around for this. I suggest using portable mode or pulsing when you’re not connected to the corporate network.
I have the same problem due to Zscaler and I’d like to understand more about it. If I can browse secure websites without a problem, how does WhatPulse work differently such that the connection can’t be secured?
I can’t disable Zscaler, but I do have local administrator access so I can install other certificates and things like that. Or WhatPulse could have another layer of encryption on top of the one being snooped. Kind of like what Chinese people need to access things blocked by the Great Firewall.
The client makes sure the connection is not tampered with, before trusting the website. This is done to prevent people from snooping in and using that to cheat the system (it’s happened).
I already understood that much. What I’m trying to get at is, what part of the connection indicates that it’s tampered with? Certificates somehow? A particular type of proxy behaviour? I’m trying to narrow down what element I need to look at more closely to see if I can do anything about it.
Even when Zscaler is not authenticated to the corporate network, internet traffic still goes through its proxy. That’s what I meant when I said I can’t disable it. I will of course look at using portable mode when I realise for sure that there’s nothing else I can do.
I still think double encryption is a legitimate solution that you could look into. The snooping app would just see gibberish if the WP client applies its own encryption that no proxy knows about.
I finally stopped procrastinating and used my personal laptop to pulse my work stats. I don’t use that laptop for anything else at the moment so it’s a little inconvenient to get it out, but it’s good to know it works.
One thing I noticed is that I can’t browse to www.ssh.com on my work laptop. For a while it was giving the error “Error code: SSL_ERROR_NO_CYPHER_OVERLAP” in Firefox. So I wonder if that means some websites are preventing the same kind of snooping. I guess more websites will eventually adopt the same level of security and Zscaler’s methods will become unworkable…
