WhatPulse Forums
client 3.0 behind sniffing corporate proxy cannot pulse - Printable Version



client 3.0 behind sniffing corporate proxy cannot pulse - drdamour - 01-04-2021 06:16 PM

upgraded to the 3.0 client and now i can't pulse. i get an error dialog that says "SSL Connection to website failed! this could be our fault, but it could also be a proxy trying to peek into our communication. Please disable the proxy, if that's the case".

obviously i can't disable the proxy (zscaler).

seems like the client may not trust my root certificates maybe?

i tried manually setting the proxy as well, but zscaler uses a redirect auth method so it's kind of a mess. are there more detailed logs i can look at?


RE: client 3.0 behind sniffing corporate proxy cannot pulse - smitmartijn - 01-06-2021 11:57 AM

Hi,

Unfortunately, this is expected behaviour when there's a man in the middle between the client and our website. While I know some organisations like to snoop into their employees' traffic, there's no workaround for this. I suggest using portable mode or pulsing when you're not connected to the corporate network.


RE: client 3.0 behind sniffing corporate proxy cannot pulse - drdamour - 01-21-2021 10:19 PM

(01-06-2021 11:57 AM)smitmartijn Wrote:  Hi,

Unfortunately, this is expected behaviour when there's a man in the middle between the client and our website. While I know some organisations like to snoop into their employees' traffic, there's no workaround for this. I suggest using portable mode or pulsing when you're not connected to the corporate network.



ok..did something change in v3 from v2...i used to be able to send it through fiddler and it'd work.


RE: client 3.0 behind sniffing corporate proxy cannot pulse - Bloopy - 01-28-2021 08:03 AM

I have the same problem due to Zscaler and I'd like to understand more about it. If I can browse secure websites without a problem, how does WhatPulse work differently such that the connection can't be secured?

I can't disable Zscaler, but I do have local administrator access so I can install other certificates and things like that. Or WhatPulse could have another layer of encryption on top of the one being snooped. Kind of like what Chinese people need to access things blocked by the Great Firewall.


RE: client 3.0 behind sniffing corporate proxy cannot pulse - smitmartijn - 02-02-2021 11:12 AM

The client makes sure the connection is not tampered with, before trusting the website. This is done to prevent people from snooping in and using that to cheat the system (it's happened).

I recommend using portable mode (https://help.whatpulse.org/kb/client/portable-mode) to take your client home with you and pulse there. Or, log off from the corporate VPN before pulsing.


RE: client 3.0 behind sniffing corporate proxy cannot pulse - Bloopy - 02-04-2021 04:35 AM

I already understood that much. What I'm trying to get at is, what part of the connection indicates that it's tampered with? Certificates somehow? A particular type of proxy behaviour? I'm trying to narrow down what element I need to look at more closely to see if I can do anything about it.

Even when Zscaler is not authenticated to the corporate network, internet traffic still goes through its proxy. That's what I meant when I said I can't disable it. I will of course look at using portable mode when I realise for sure that there's nothing else I can do.

I still think double encryption is a legitimate solution that you could look into. The snooping app would just see gibberish if the WP client applies its own encryption that no proxy knows about.
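
Added example, not part of the thread and not WhatPulse's code: the thread does not say how the client detects the proxy, so this sketch assumes certificate pinning, one common technique, to show why a browser that trusts the corporate root can connect while a pinning client refuses. The pin set, issuer names and placeholder certificate bytes are constructed, and hashing the whole leaf certificate is a simplification.

```python
import hashlib
import socket
import ssl


def sha256_hex(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def issuer_name(cert: dict) -> str:
    """Pull organizationName (or commonName) out of a getpeercert() dict."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName") or "unknown"


def classify(der: bytes, cert: dict, pins: set) -> str:
    """Compare the leaf certificate actually received against pinned hashes."""
    if sha256_hex(der) in pins:
        return "pin match"
    # A TLS-inspecting proxy re-issues the leaf under its own CA, so the
    # bytes (and hash) differ even though chain validation still succeeds
    # on machines where that CA has been installed as trusted.
    return "pin mismatch: leaf issued by " + issuer_name(cert)


def fetch_leaf(host: str, port: int = 443):
    """Handshake using Python's default trust store; returns (DER, parsed dict).

    Behind an inspecting proxy this succeeds only if the proxy's root CA
    is in that store, which is the case a browser on a managed laptop is in.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


# Constructed sample data: placeholder bytes stand in for DER certificates.
ORIGIN_DER = b"constructed-origin-leaf"
PROXY_DER = b"constructed-proxy-reissued-leaf"
ORIGIN_CERT = {"issuer": ((("organizationName", "Example Public CA"),),)}
PROXY_CERT = {"issuer": ((("organizationName", "Example Corp Inspection CA"),),)}
PINS = {sha256_hex(ORIGIN_DER)}  # what a pinning client would ship with

if __name__ == "__main__":
    print(classify(ORIGIN_DER, ORIGIN_CERT, PINS))
    print(classify(PROXY_DER, PROXY_CERT, PINS))
```

Running `classify(*fetch_leaf(host), pins)` on the work laptop and on a home connection shows which issuer each network presents for the same host.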


RE: client 3.0 behind sniffing corporate proxy cannot pulse - Bloopy - 06-16-2021 01:32 AM

I finally stopped procrastinating and used my personal laptop to pulse my work stats. I don't use that laptop for anything else at the moment so it's a little inconvenient to get it out, but it's good to know it works.

One thing I noticed is that I can't browse to http://www.ssh.com on my work laptop. For a while it was giving the error "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" in Firefox. So I wonder if that means some websites are preventing the same kind of snooping. I guess more websites will eventually adopt the same level of security and Zscaler's methods will become unworkable...