
At my work in the past year or 2 they rolled out Zscaler onto all of our machines, which I think is supposed to be doing a similar thing. All it's done is cause us regular network issues.

I wonder if they also have the capability to brick all our Windows machines like this.




Zscaler is awful. It installs a root cert to act as a man-in-the-middle TCP traffic snooper. Probably does some other stuff, but all your TLS traffic is snooped with Zscaler. It is creepy software, IMO.


> installs a root cert

Wow, I didn't know that, but you're right. It even works in Brave, which I wouldn't have expected:

    % openssl x509 -text -noout -in news.ycombinator.com.pem 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                6f:9e:b3:95:05:50:6e:4d:03:d6:0b:a9:81:8c:2f:c3
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t) 
            Validity
                Not Before: Jul 13 03:45:27 2024 GMT
                Not After : Jul 27 03:45:27 2024 GMT
            Subject: C=US, ST=California, L=Mountain View, O=Y Combinator Management, LLC., CN=news.ycombinator.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
It seems to hijack the browser somehow, though, because that doesn't happen from the command line:

    % openssl s_client -host news.ycombinator.com -port 443
    CONNECTED(00000005)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = "Y Combinator Management, LLC.", CN = news.ycombinator.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Y Combinator Management, LLC./CN=news.ycombinator.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
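
The same comparison the comment above makes by eye (who issued the leaf cert, and how long it is valid) can be scripted. This is an added example, not code from the thread or from Zscaler; it assumes DigiCert is the legitimate issuer for news.ycombinator.com (as the command-line chain shows) and treats the 14-day validity of the quoted Zscaler-issued leaf as a typical interception-proxy trait:

```python
import socket
import ssl

# Assumption for this example: DigiCert is the real issuer for news.ycombinator.com,
# as the command-line chain quoted above shows.
EXPECTED_ISSUER_ORGS = {"DigiCert Inc"}
# Interception proxies mint short-lived leaf certs (the quoted Zscaler leaf lasted
# 14 days), so a validity period under this many days is worth a second look.
SHORT_VALIDITY_DAYS = 30

def rdn_value(name, attr):
    """Pull one attribute (e.g. 'organizationName') out of the nested-tuple
    subject/issuer structure that ssl.SSLSocket.getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def check_peer_cert(cert):
    """Return findings explaining why a leaf cert looks like it was minted by an
    interception CA. `cert` has the dict shape of getpeercert(); [] means normal."""
    findings = []
    issuer_org = rdn_value(cert.get("issuer", ()), "organizationName")
    if issuer_org not in EXPECTED_ISSUER_ORGS:
        findings.append(f"unexpected issuer organization: {issuer_org!r}")
    validity_days = (ssl.cert_time_to_seconds(cert["notAfter"])
                     - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    if validity_days < SHORT_VALIDITY_DAYS:
        findings.append(f"short validity period: {validity_days:.0f} days")
    return findings

def fetch_peer_cert(host, port=443):
    """Live check: fetch the leaf cert the local trust store accepts for host.
    With an interception root installed, this returns the proxy-minted cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample mirroring the intercepted certificate quoted above (not a real cert).
INTERCEPTED_CERT = {
    "subject": ((("commonName", "news.ycombinator.com"),),),
    "issuer": ((("organizationName", "Zscaler Inc."),),
               (("commonName", "Zscaler Intermediate Root CA (zscalertwo.net) (t)"),)),
    "notBefore": "Jul 13 03:45:27 2024 GMT",
    "notAfter": "Jul 27 03:45:27 2024 GMT",
}
```

On a managed machine, feeding `fetch_peer_cert("news.ycombinator.com")` into `check_peer_cert` shows whether the system trust store (as opposed to the browser) is being steered through the interception CA.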


Ah, yeah, they gave us zscaler not too long ago. I wondered if it was logging my keystrokes or not, figured it probably was because my computer slowed _way_ down ever since it appeared.


Zscaler sounds like it would be a web server. Just looked it up: "zero trust leader". The descriptiveness of terms these days... if you say it gets installed on a system, how is that having zero trust in them? And what do they do with all this nontrust? Meanwhile, Wikipedia says they offer "cloud services", which is possibly even more confusing for what you describe as client software.


Somebody upthread pointed out that it installs a root CA and forces all of your HTTPS connections to use it. I verified that he's correct - I'm on Hacker News right now with an SSL connection that's verified by "ZScaler Root CA", not Digicert.


ZScaler has various deployment layouts. Instead of the client-side TLS endpoint, you can also opt for the "route all web traffic to ZScaler cloud network" option, which office admins love because there is less stuff to install on the clients. The wonderful side effect is that some of these ZScaler IPs are banned from reddit, Twitter, etc., effectively banning half the company.


Zero trust means that there is no implicit trust whether you're accessing the system from an internal protected network or from remote. All access is to be authenticated to the fullest. In theory you should be doing 2FA every time you log in for the strictest definition of zero trust.


Zero trust means absolutely nothing. Just a term void of any meaning.


There is a NIST paper on it. It's a requirement for government systems after they suffered major breaches.

https://www.nist.gov/publications/zero-trust-architecture


Now check how many zero trust companies have offerings that remotely compare to that.


It's a tool to "zero trust" your employees.


They are a SASE provider; I assume they offer a BeyondCorp-style offering allowing companies to move their apps off a private VPN and allow access on the public internet. Probably have a white paper on how they satisfy zero trust architecture.


I certainly would have zero trust in a system that man-in-the-middles all my traffic.

