TransIT AI

Proxy & TLS inspection

Transit AI’s desktop app talks to Transit AI Cloud over HTTPS for sign-in and AI requests. On most networks that’s a direct, encrypted connection. On a corporate network that inspects TLS traffic, here’s exactly how Transit AI behaves — and the one setting that lets you change it.

What TLS inspection is

Many enterprise networks run TLS inspection (also called SSL inspection or “break-and-inspect”) — a firewall like FortiGate, Palo Alto, or Zscaler that decrypts outbound HTTPS to scan it, then re-encrypts it on the way out. It does this by presenting its own certificate, signed by a certificate authority (CA) your IT team has installed on every managed machine. Your browser already trusts that CA — it’s why HTTPS sites keep working behind the firewall.

Transit AI works on inspected networks by default

By default, Transit AI trusts your operating system’s certificate store — the same set of trusted authorities your browser uses. Because your IT team has installed the corporate inspection CA there, Transit AI honors it automatically. A few things follow from that:

  • No configuration needed for the common case (transparent, inline inspection). Transit AI connects to Transit AI Cloud normally and the firewall intercepts the flow the same way it does for your browser — there are no proxy settings to enter.
  • It behaves like the rest of your machine on that network. If your browser reaches the internet there, Transit AI does too.
  • Your SSH connections are unaffected. Connections to your network devices use a separate trust model (host-key trust on first use) and don’t go through Transit AI Cloud, so TLS inspection and the Strict TLS setting below never touch them.

What inspection means for your data

A TLS-inspection proxy can read the traffic it decrypts. For the connection to Transit AI Cloud, that includes:

  • the prompts Transit AI sends to the AI — which contain the device output you’ve shared with it, and
  • your own AI provider key, if you use Bring Your Own Key (it travels inside the request).

This is expected and normal on a corporate-managed network — it’s the trade-off your organization has already made for every tool on the machine. Transit AI states it plainly in Settings → Network so you’re never surprised. (Transit AI Cloud itself never logs prompt or completion content — see the Security model. The point here is only that an inspecting proxy between you and the cloud can read what it decrypts.)

Strict TLS — refuse inspection

If you’d rather Transit AI never let an intermediary decrypt its cloud traffic, turn on Strict TLS in Settings → Network.

  • Off (default). Trust your OS certificate store — works on inspected networks, honoring the corporate CA.
  • On. Trust only the built-in public certificate authorities. A corporate inspection certificate isn’t among them, so Transit AI refuses the connection rather than let it be decrypted.

Strict TLS is a deliberate refusal, not a warning you can click past: with it on, Transit AI will not connect on an inspected network — that’s the point. It takes effect after you restart the app, and it changes only the connection to Transit AI Cloud. Your SSH device connections are unaffected either way.

”Transit couldn’t verify the server’s certificate”

If the account area shows this message, Transit AI didn’t trust the certificate it was offered. The fix depends on your situation:

  • On an inspecting network, Strict TLS on. That’s the intended behavior — Strict TLS is refusing the inspection. Turn it off in Settings → Network if you want to connect here.
  • On an inspecting network, Strict TLS off. The corporate CA isn’t in your operating system’s trust store. On a managed machine, ask IT to deploy it (it’s the same certificate your browser needs); on your own machine, install it into the system trust store.
  • On a normal network. This is unusual and worth a second look — it can mean something is intercepting your connection that you didn’t expect. Don’t dismiss it; verify the network you’re on.

Explicit proxies

Most inspection is transparent — the firewall sits inline and needs nothing configured on your end. Some organizations instead route internet access through an explicit proxy (a fixed proxy address, sometimes handed out by a PAC file). If that’s your network, Transit AI needs to be told the proxy address: set the HTTPS_PROXY environment variable for the app (and NO_PROXY for any hosts that should bypass it). A dedicated proxy field in Settings → Network is planned for a future release.