Hi,
Is it possible for end user to know that their https/ssl traffic is being monitored/inspected using zscaler? If yes then how?
If they’re savvy enough to see the server certificate has been replaced by Zscaler’s on the webpage, sure.
If you’re talking SSL decryption, then you would see your company’s cert when you go to various HTTPS sites. They could use a Zscaler cert, which would indicate ZIA, or they could use their own internal cert, which could work for any number of technologies that rely on SSL decrypt.
If you just mean in general, having ZCC or a system PAC sending traffic to ZIA would be the most common way. But if you’re at a site that uses GRE/IPsec they may not need anything on your local machine.
What are you looking to do?
Just to be clear - even if the traffic is not decrypted (the certificate presented by the browser is the original one, as others have pointed out), a log of you accessing the website, how much data you sent and received and a few other parameters are still recorded. What is not being scanned by security and DLP policies is the actual session content - the content of files or data you might have uploaded/downloaded. Also worth noting that even if the session is decrypted and the files are being scanned, no actual file or form content is logged by Zscaler, with a few exceptions (zero-day malware matched by the sandbox or DLP policies for sensitive uploads).
So in this case can we safely assume that if the server certificate isn’t being changed then SSL inspection isn’t happening between the user and the server?
This would be my answer too. If it’s the site’s cert and not Zscaler, then it’s likely not inspected.
This is almost true. If you are savvy enough to notice the MITM cert/technique, it means that it is possible that your normal encrypted traffic _may_ be being monitored, but without understanding the backend configuration of it all the end user won’t really know what you are doing with the traffic. You may be decrypting, enforcing DLP, etc., but in reality all that they may know is that there is a probability the traffic may be being monitored.
Another thing - for traffic not decrypted - the admin won’t know the true object / full URL. They’ll just know the domain/host you hit.
For example, admin will see google.com and not google.com/someSearchString.
In this case, if the certificate presented by the browser is the original one, can we safely assume that the SSL traffic isn’t being inspected/decrypted? Or are there some new methods which can show the user the original certificate but still inspect/decrypt the traffic? I know this is a stupid question, as it would break the whole SSL concept, but just asking.
Second question: when a user tries to access, for example, https://facebook.com and SSL inspection is not happening on Zscaler, even in that case Zscaler will know the user is trying to access facebook.com using the SNI in the certificate, right? But will Zscaler know what sub-URLs or directories or pages are being accessed inside that session? Does SNI also contain the whole URL which we usually see in the browser address bar?
Yes, that can be assumed as long as it’s the genuine certificate from the web server. There can always be another MITM other than Zscaler, but the same rule applies that it will be some certificate other than the “real” one issued by DigiCert, Entrust, VeriSign, etc.
Ohh, that’s exactly what I put as my second question. But what if, for example, Google uses some sub-domain for that someSearchString? Then Zscaler would know, right? Like when you go to google.com and then start searching, and for the search to happen Google directs that to some sub-domain like search.google.com, then the SNI would be changed to this? And Zscaler would at least know that the user first went to google.com and then searched something because they went to search.google.com later?
No new method. Original certificate means traffic is not decrypted. But Zscaler will still know you accessed the domain Facebook.com and how much data roughly you transacted (bytes, number of requests etc) - just not what exact URLs as that falls under the encryption layer and of course no scanning of GET / POST, files or otherwise.
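Two things in the thread are worth seeing concretely: what an uninspected session actually exposes on the wire (the SNI hostname in the cleartext ClientHello, never the URL path), and how a user can tell a Zscaler-issued certificate from the site's genuine one (look at the issuer, not at whether the browser shows a padlock, because the enterprise root is trusted on the endpoint). The script below is an added example, not code from the thread or from Zscaler. It uses only the Python standard library; the ClientHello and the two certificate dicts are constructed samples, the certificate dicts mimicking the layout of `ssl.SSLSocket.getpeercert()`. The issuer organization name "Zscaler Inc." used to flag inspection is an assumption you should extend with whatever internal CA your admins may have configured instead.

```python
"""Added example: what a non-decrypting proxy sees (SNI only) and how to spot
an inspection CA in the certificate a browser receives. Stdlib only."""
import os
import socket
import ssl
import struct
from typing import Optional

# Assumption: issuer organization names that indicate an SSL-inspecting proxy.
# "Zscaler Inc." is the O= of the default Zscaler root; an admin may instead
# use an internal CA, so add your own enterprise CA name here.
INSPECTION_CA_ORGS = {"Zscaler Inc."}


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with a server_name extension.
    The path, query string and headers only exist inside the encrypted
    application data that follows the handshake, so they never appear here."""
    name = hostname.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\xc0\x2f\xc0\x30"                             # two ECDHE-RSA-AES-GCM suites
    body = (b"\x03\x03" + os.urandom(32)                            # client_version, random
            + b"\x00"                                               # session_id length 0
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                           # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Parse the cleartext SNI hostname out of a TLS ClientHello record, the way
    a proxy that is not decrypting would. None if not a ClientHello or no SNI."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                    # record hdr(5) + hs hdr(4) + version(2) + random(32)
    pos += 1 + record[pos]                      # session_id
    if pos + 2 > len(record):
        return None
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]          # cipher_suites
    pos += 1 + record[pos]                      # compression_methods
    if pos + 2 > len(record):
        return None
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000 and record[pos + 2] == 0:              # server_name, host_name type
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def issuer_org(peercert: dict) -> Optional[str]:
    """organizationName from the issuer RDNs in getpeercert() layout."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def looks_inspected(peercert: dict) -> bool:
    """True if the cert we were handed was minted by a known inspection CA,
    i.e. it is not the site's own publicly issued certificate."""
    return issuer_org(peercert) in INSPECTION_CA_ORGS


def probe(hostname: str, port: int = 443) -> dict:
    """Live check (needs network): fetch the cert as the OS trust store sees it.
    With the enterprise root installed a Zscaler-issued cert verifies cleanly,
    which is why only the issuer, not a browser warning, reveals inspection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples (issuer RDNs only) in getpeercert() layout.
GENUINE_CERT = {"subject": ((("commonName", "www.example.com"),),),
                "issuer": ((("countryName", "US"),),
                           (("organizationName", "DigiCert Inc"),),
                           (("commonName", "DigiCert TLS RSA SHA256 2020 CA1"),))}
INSPECTED_CERT = {"subject": ((("commonName", "www.example.com"),),),
                  "issuer": ((("countryName", "US"),),
                             (("organizationName", "Zscaler Inc."),),
                             (("commonName", "Zscaler Intermediate Root CA"),))}

if __name__ == "__main__":
    hello = build_client_hello("www.facebook.com")
    print("proxy sees SNI:", extract_sni(hello))
    print("path visible in handshake:", b"/someSearchString" in hello)
    for label, cert in (("genuine", GENUINE_CERT), ("inspected", INSPECTED_CERT)):
        print(label, "issuer O=", issuer_org(cert), "inspected:", looks_inspected(cert))
```

Run it as-is for the offline demonstration; call `looks_inspected(probe("www.example.com"))` from a managed endpoint to check a real site. Note that, as the answers above say, a different MITM product would show a different issuer, so the check is only as good as the list of CA names you compare against; the robust version of this test is to compare the issuer you see with the one a machine outside the corporate path sees.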