SSL Inspection

I use Zwift on my work laptop for several reasons—performance, convenience (all my Bluetooth devices like the trackpad and earbuds are connected), and access to corporate webinars or recordings that I watch while riding/exercising, especially when I’m catching up on work. However, with the increasing emphasis on cybersecurity, enhanced security measures recently broke Zwift. This may also highlight some changes the Zwift team might want to consider in the app.

For example, SSL Inspection is becoming more common in corporate environments, and once it was implemented on my network, Zwift stopped working:

[11:37:34] [ECONOMY] login request with use_computed=true, recompute=false
[11:37:35] [ERROR] Curl error: [60] 'SSL peer certificate or SSH remote key was not OK' for: GET https://us-or-rly101.zwift.com/api/auth
[11:37:35] [ERROR] Error finding authorization server: [30] SSL peer certificate or SSH remote key was not OK
[11:37:35] [ERROR] Could not attend to access token [27] Could not acquire access token because credentials are missing
[11:37:36] [ERROR] Failed to get telemetry config

After investigating with the security team, they identified the issue as being related to “certificate pinning” on the Zwift authentication server. Their feedback was:

“This is a well-known scenario. SSL decryption won’t work if the server uses certificate pinning for security, especially for authentication traffic. In such cases, we allow a bypass, but Zwift is using /api/auth, which makes it hard to bypass only specific endpoints and may force us to bypass the entire wildcard domain.”

I’m aware that some might suggest “just don’t use Zwift on your work device,” but that’s not a realistic solution. Instead, Zwift’s configuration might need to evolve in line with modern cybersecurity practices. Interestingly, other indoor cycling apps didn’t experience this issue, which makes me wonder if there’s an opportunity for Zwift to review its implementation.

Agreed and thanks for raising this topic. I just cancelled my subscription this week because I can no longer use it for this reason.

Using Zwift on my work laptop wouldn't even be allowed by my company, and Zwift is absolutely correct in using certificate pinning on their client-server connections… certificate pinning is used to decrease the chance of a man-in-the-middle attack (which basically is what security appliances are doing in work environments to inspect SSL traffic). Blaming this on Zwift and wanting them to decrease security seems, well, weird. A lot of services use certificate pinning, so many security appliances come with pre-configured exclusion lists. If your company won't add Zwift domains there, you are simply out of luck. Certificate Pinning and SSL Inspection | Zscaler

5 Likes
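To make the pinning point above concrete, here is an added example (not Zwift's code, nor anyone's from this thread) that builds two constructed, unsigned certificate-shaped DER blobs for the same hostname, one carrying the "real" key and one minted by an inspection proxy with its own key, and runs a standard SPKI SHA-256 pin check over each. The names and key bytes are made up; the hostname is the one from the log above.

```python
import base64
import hashlib

SEQ, INT, BITSTR, UTF8, CTX0 = 0x30, 0x02, 0x03, 0x0C, 0xA0  # DER tags used below

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (lengths below 65536 suffice here)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def der_children(data: bytes) -> list:
    """Split a run of DER TLVs into (tag, body, full_tlv) triples."""
    out, i = [], 0
    while i < len(data):
        tag, n, j = data[i], data[i + 1], i + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, j = int.from_bytes(data[j:j + k], "big"), j + k
        out.append((tag, data[j:j + n], data[i:j + n]))
        i = j + n
    return out

def fake_cert(subject: bytes, issuer: bytes, pubkey: bytes) -> bytes:
    """Constructed, UNSIGNED certificate-shaped DER; only the field layout matters for pinning."""
    spki = der_tlv(SEQ, der_tlv(SEQ, b"\x06\x03\x2a\x03\x04")   # placeholder algorithm OID
                        + der_tlv(BITSTR, b"\x00" + pubkey))
    tbs = der_tlv(SEQ, der_tlv(CTX0, der_tlv(INT, b"\x02")) + der_tlv(INT, b"\x01")  # version, serial
                       + der_tlv(SEQ, b"") + der_tlv(SEQ, der_tlv(UTF8, issuer))        # sigAlg, issuer
                       + der_tlv(SEQ, b"") + der_tlv(SEQ, der_tlv(UTF8, subject))       # validity, subject
                       + spki)
    return der_tlv(SEQ, tbs + der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00"))  # + empty sigAlg, signature

def spki_of(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return its full TLV."""
    outer = der_children(cert_der)[0][1]               # tbs || sigAlg || signature
    fields = der_children(der_children(outer)[0][1])   # tbsCertificate fields
    if fields[0][0] == CTX0:                           # optional explicit [0] version
        fields = fields[1:]
    return fields[5][2]    # serial, sigAlg, issuer, validity, subject, SPKI

def spki_pin(cert_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_of(cert_der)).digest()).decode()

def pinned_chain_ok(chain: list, pins: set) -> bool:
    """A pinned client accepts the chain only if some cert's SPKI matches a shipped pin."""
    return any(spki_pin(c) in pins for c in chain)

# Constructed stand-ins, not real keys: same hostname, different key, because the inspection
# appliance mints its own certificate for the name, so the SPKI (and the pin) changes.
REAL_LEAF = fake_cert(b"us-or-rly101.zwift.com", b"Public CA", b"zwift-real-public-key")
PROXY_LEAF = fake_cert(b"us-or-rly101.zwift.com", b"Corp SSL Inspection CA", b"corp-inspection-proxy-key")
PINS = {spki_pin(REAL_LEAF)}   # the pin set a pinned client would ship with
```

`pinned_chain_ok([PROXY_LEAF], PINS)` is False even though the proxy's certificate chains to a CA the laptop trusts, which is exactly why the only fixes are an exclusion list on the appliance or no inspection for that domain.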

@Holger_Wachter thanks for the reply and the Zscaler link. It's not something that I had considered and, to be honest, I should have looked into the response from the cyber team a little more.

1 Like

Being a network admin myself, I usually don't use SSL inspection at my customers since it involves a lot of licensing costs to enable the features on the security appliances and/or endpoints, and you also need enough IT personnel to troubleshoot. But in the case of Zwift, maybe your company IT can make an exception. I see SSL inspection usually only used in bigger corporations with stricter security measures and enough IT personnel to handle the troubleshooting. But for smaller companies, it's usually not worth the hassle.