rorychatt | 11 months ago
Given that traffic inspection for user and service proxies relies on MITM traffic inspection for many forms of IPS/IDS beyond basic SNI signature detection - I'd love to hear more!
I'm not necessarily suggesting it should be mandatory - I remember the pain of introducing Zscaler about a decade ago and the sheer number of Windows apps that simply broke, leaving a trail of complex PAC files - but not enough to warrant off the solution.
I would assume the halfway house would be to leave Name Constraints off your offline CA, maintain (at least) one intermediary with constraints turned on for regular certificate lifecycle management for internal certs, and a dedicated intermediary that is only used to generate the MITM certs?
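The hierarchy sketched in the comment above, modelled as a small name-constraint checker. This is an added example, not code from the thread or from any product mentioned in it; the CA names, the domains and the constraint values are made up, and only DNS-name constraints are handled. It shows why the inspection issuer has to hang directly off the unconstrained root: RFC 5280 constraints inherit down the path, so an inspection CA placed under the constrained internal intermediate could never sign the public names a MITM proxy needs.

```python
"""Model how X.509 name constraints (RFC 5280 s4.2.1.10, DNS names only)
propagate down a CA hierarchy.  Added example for the thread; hypothetical
CA names and domains, not a real PKI."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


def dns_matches(name: str, base: str) -> bool:
    """RFC 5280 DNS constraint: `base` matches itself and any name built by
    adding labels on the left.  A leading dot (".corp.example") is handled the
    way OpenSSL does it: subdomains only, not the bare name."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


@dataclass
class Constraints:
    permitted: list = field(default_factory=list)  # permittedSubtrees (DNS)
    excluded: list = field(default_factory=list)   # excludedSubtrees (DNS)


@dataclass
class CA:
    name: str
    constraints: Optional[Constraints] = None  # None = no nameConstraints ext
    issuer: Optional[CA] = None                # None = self-signed root

    def path(self) -> list:
        """This CA and every issuer above it, leaf-side first."""
        ca, out = self, []
        while ca is not None:
            out.append(ca)
            ca = ca.issuer
        return out


def check_san(san: str, ca: CA) -> list:
    """Violations a conforming validator would raise for a leaf with SAN `san`
    issued by `ca`.  Excluded subtrees along the path are unioned (any hit
    rejects); permitted subtrees are intersected, i.e. the name must satisfy
    the permitted set of every CA in the path that has one."""
    problems = []
    for issuer in ca.path():
        c = issuer.constraints
        if c is None:
            continue
        for base in c.excluded:
            if dns_matches(san, base):
                problems.append(f"{san}: excluded by {issuer.name} ({base})")
        if c.permitted and not any(dns_matches(san, b) for b in c.permitted):
            problems.append(
                f"{san}: outside permitted set of {issuer.name} {c.permitted}")
    return problems


def can_issue(ca: CA, sans: list) -> list:
    """All violations for a leaf carrying `sans`; empty list means issuable."""
    return [p for san in sans for p in check_san(san, ca)]


# Hypothetical hierarchy following the comment: unconstrained offline root,
# a constrained intermediate for internal certs, an unconstrained intermediate
# reserved for the inspection proxy.
ROOT = CA("Offline Root")
INTERNAL = CA(
    "Internal Issuing CA",
    Constraints(permitted=[".corp.example"], excluded=["ext.corp.example"]),
    issuer=ROOT,
)
INSPECTION = CA("TLS Inspection CA", issuer=ROOT)
# The mistake the design avoids: inspection CA below the constrained one.
BAD_INSPECTION = CA("TLS Inspection CA (under Internal)", issuer=INTERNAL)


if __name__ == "__main__":
    cases = [
        (INTERNAL, ["app.corp.example"]),
        (INTERNAL, ["corp.example"]),              # bare name, not a subdomain
        (INTERNAL, ["secret.ext.corp.example"]),   # excluded wins
        (INTERNAL, ["www.bank.example"]),
        (INSPECTION, ["www.bank.example", "mail.example.net"]),
        (BAD_INSPECTION, ["www.bank.example"]),
    ]
    for ca, sans in cases:
        verdict = can_issue(ca, sans)
        print(f"{ca.name:40} {sans}: {'OK' if not verdict else verdict}")
```

The check only describes what a conforming validator does; a client that ignores the nameConstraints extension gets no protection from it, which is the usual caveat when relying on constraints to fence in an intermediate.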
sebazzz | 11 months ago
rorychatt | 11 months ago
Still many foot guns, but I’ve much the same feelings for most of the tooling in the proxy/vpn space.