Opened 7 months ago
Closed 7 months ago
#17257 closed defect (wontfix)
ChimeraX https requests fail at University of Washington due to ZScaler network security
Reported by: | Tom Goddard | Owned by: | Tom Goddard |
---|---|---|---|
Priority: | moderate | Milestone: | |
Component: | Input/Output | Version: | |
Keywords: | Cc: | chimerax-programmers | |
Blocked By: | Blocking: | ||
Notify when closed: | Platform: | all | |
Project: | ChimeraX |
Description
Isabelle Phan of UW reported that AlphaFold fetch gets an SSL certificate verification error in ticket #17223.
The problem is that UW uses ZScaler, a network security company, to filter network traffic and the ZScaler root certificate needs to be installed to make SSL and TLS connections. But ChimeraX uses Python certifi for certificates instead of the system certificates and so the ZScaler certificate is not available. I believe this will cause all https requests made by ChimeraX to fail, e.g. PDB fetch, EMDB fetch, web services.
The ZScaler web site describes this problem and the specific steps to try to add their certificate to dozens of applications that use their own certificate store.
https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trust-store
Should we do anything about this?
On the one hand the havoc caused by ZScaler filtering is UW's problem if they decide to use it. On the other hand UW probably has hundreds of ChimeraX users and I would think their use of ChimeraX would be crippled by this problem.
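One way to let a certifi-based Python trust an additional root (such as an exported proxy CA) without turning verification off, as an added example and not ChimeraX's own code; the `certifi` import is optional and the corporate-root path is a placeholder:

```python
"""Verifying TLS context that adds a corporate root instead of disabling checks."""
import os
import ssl
import urllib.request


def build_trust_context(extra_ca_file=None):
    """Return an SSLContext that keeps CERT_REQUIRED and hostname checking while
    trusting (1) OpenSSL's default store (honours SSL_CERT_FILE / SSL_CERT_DIR),
    (2) the certifi bundle if that package is importable, and
    (3) an optional extra PEM file, e.g. a root exported by an IT department."""
    ctx = ssl.create_default_context()  # verification on, default paths loaded
    try:
        import certifi  # ChimeraX ships it; a bare interpreter may not
        ctx.load_verify_locations(cafile=certifi.where())
    except ImportError:
        pass
    if extra_ca_file is not None:
        # A missing file raises FileNotFoundError on purpose: silently skipping
        # the root would just reproduce the original verification failure.
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx


def trust_sources():
    """Report where this interpreter looks for CA certificates (for triage)."""
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_cafile": paths.openssl_cafile,
        "openssl_capath": paths.openssl_capath,
        "env_SSL_CERT_FILE": os.environ.get("SSL_CERT_FILE"),
        "env_REQUESTS_CA_BUNDLE": os.environ.get("REQUESTS_CA_BUNDLE"),
    }


def fetch(url, extra_ca_file=None, timeout=10):
    """Fetch url through the hardened context and return the response body."""
    ctx = build_trust_context(extra_ca_file)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    print(trust_sources())
    # Placeholder path: substitute the PEM file your IT department provides.
    # Setting SSL_CERT_FILE=/path/to/corporate-root.pem is the no-code variant.
    print(len(build_trust_context().get_ca_certs()), "CA certificates loaded")
```

On a python.org macOS build the OpenSSL default paths typically point at files that do not exist, so source (1) contributes nothing there and the extra file or `SSL_CERT_FILE` is the practical route.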
Change History (3)
comment:1 by , 7 months ago
comment:2 by , 7 months ago
I believe this is only a problem on Macs because Python uses OpenSSL, and Apple doesn't support OpenSSL. See https://stackoverflow.com/questions/40684543/how-to-make-python-use-ca-certificates-from-mac-os-truststore for a discussion and possible workarounds.
comment:3 by , 7 months ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
Isabelle explains in ticket #17223 that the problem is with a Mac used at Seattle Children's hospital, not at University of Washington. I don't think we should worry about this case unless these nefarious ZScaler man-in-the-middle methods that allow ZScaler to snoop on all your supposedly end-to-end encrypted network traffic become more common. God help us if that laughable destruction of end-to-end encryption in the name of "security" comes to pass.
Here is a description of ZScaler's approach to circumvent end-to-end encryption.
https://geekingfrog.com/blog/post/corporate-man-in-the-middle
I'll ask Isabelle on ticket #17223 if she knows whether other ChimeraX users are afflicted with the SSL errors.