Opened 7 months ago

Closed 7 months ago

#17257 closed defect (wontfix)

ChimeraX https requests fail at University of Washington due to ZScaler network security

Reported by: Tom Goddard Owned by: Tom Goddard
Priority: moderate Milestone:
Component: Input/Output Version:
Keywords: Cc: chimerax-programmers
Blocked By: Blocking:
Notify when closed: Platform: all
Project: ChimeraX

Description

Isabelle Phan of UW reported AlphaFold fetch gets an SSL certificate verification error in ticket #17223.

The problem is that UW uses ZScaler, a network security company, to filter network traffic and the ZScaler root certificate needs to be installed to make SSL and TLS connections. But ChimeraX uses Python certifi for certificates instead of the system certificates and so the ZScaler certificate is not available. I believe this will cause all https requests made by ChimeraX to fail, e.g. PDB fetch, EMDB fetch, web services.

The ZScaler web site describes this problem and the specific steps to try to add their certificate to dozens of applications that use their own certificate store.

https://help.zscaler.com/zia/adding-custom-certificate-application-specific-trust-store

Should we do anything about this?

On the one hand the havoc caused by ZScaler filtering is UW's problem if they decide to use it. On the other hand UW probably has hundreds of ChimeraX users and I would think their use of ChimeraX would be crippled by this problem.
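Added example (not ChimeraX code, and not from the reporter): how an application that ships certifi's bundle can still trust an organisation's TLS-inspection root CA, and how to tell a missing-CA failure apart from other SSL errors. The environment variable name CHIMERAX_EXTRA_CA_BUNDLE is an assumption chosen for this example; certifi is used when importable and the OS trust store otherwise.

```python
import os
import ssl
import urllib.request

# Hypothetical variable name (assumption for this example): a PATH-style
# list of extra PEM bundles, e.g. an exported Zscaler root CA.
EXTRA_CA_ENV = "CHIMERAX_EXTRA_CA_BUNDLE"


def build_ssl_context(extra_ca_files=None):
    """Verifying SSLContext: certifi's bundle (as ChimeraX uses) plus any
    extra PEM bundles given as arguments or via EXTRA_CA_ENV."""
    try:
        import certifi  # bundled with ChimeraX; optional here
        ctx = ssl.create_default_context(cafile=certifi.where())
    except ImportError:
        ctx = ssl.create_default_context()  # fall back to the OS trust store
    files = list(extra_ca_files or [])
    env = os.environ.get(EXTRA_CA_ENV)
    if env:
        files.extend(p for p in env.split(os.pathsep) if p)
    for path in files:
        try:
            ctx.load_verify_locations(cafile=path)  # appends to the store
        except (OSError, ssl.SSLError) as e:
            raise ValueError(f"cannot load extra CA bundle {path!r}: {e}") from e
    return ctx


def diagnose_ssl_error(exc):
    """Map an SSL failure (exception or message) to (kind, advice)."""
    msg = getattr(exc, "verify_message", None) or str(exc)
    low = msg.lower()
    if ("unable to get local issuer" in low
            or "self signed certificate" in low
            or "self-signed certificate" in low):
        return ("missing-ca", "The server chain ends at a CA absent from the "
                "certifi bundle. If this network runs a TLS-inspecting proxy "
                "(e.g. Zscaler), export its root CA as PEM and list the file "
                f"in {EXTRA_CA_ENV}.")
    if "certificate has expired" in low:
        return ("expired", "A certificate in the chain has expired.")
    if "hostname mismatch" in low or "doesn't match" in low:
        return ("hostname", "Certificate does not match the requested host.")
    return ("other", msg)


def fetch(url, extra_ca_files=None, timeout=30):
    """Fetch url with the augmented trust store: (True, bytes) or (False, diagnosis)."""
    ctx = build_ssl_context(extra_ca_files)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as r:
            return True, r.read()
    except ssl.SSLError as e:
        return False, diagnose_ssl_error(e)
```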

Change History (3)

comment:1 by Tom Goddard, 7 months ago

I'll ask Isabelle on ticket #17223 if she knows if other ChimeraX users are afflicted with the SSL errors.

comment:2 by Greg Couch, 7 months ago

I believe this is only a problem on Macs because Python uses OpenSSL, and Apple doesn't support OpenSSL. See https://stackoverflow.com/questions/40684543/how-to-make-python-use-ca-certificates-from-mac-os-truststore for a discussion and possible workarounds.

comment:3 by Tom Goddard, 7 months ago

Resolution: wontfix
Status: assigned → closed

Isabelle explains in ticket #17223 that the problem is with a Mac used at Seattle Children's hospital, not at University of Washington. I don't think we should worry about this case unless these nefarious ZScaler man-in-the-middle methods that allow ZScaler to snoop on all your supposedly end-to-end encrypted network traffic becomes more common. God help us if that laughable destruction of end-to-end encryption in the name of "security" comes to pass.

Here is a description of ZScaler's approach to circumvent end-to-end encryption.

https://geekingfrog.com/blog/post/corporate-man-in-the-middle
