… but they are not the only one.
This morning, I was working at a client's premises, and when I logged into my Google Apps mail account, Firefox greeted me with the you-are-connecting-to-an-untrusted-https-web-site banner.
After checking the certificate, I noticed it was in fact issued by Fortigate/Fortinet.
That's what we call a Man-In-The-Middle (MITM) attack: you sit in the middle and pretend to be the party someone is trying to reach, and can therefore eavesdrop on their data, credentials, etc. in the clear.
Well, at least they were using a self-signed certificate that no trusted root CA had issued. But what if they add such a certificate? I remember seeing an article about such appliances that have a valid certificate and can therefore silently snoop on any HTTPS communication without anyone ever noticing.
Does this render HTTPS completely useless? Who will really disable the rogue root CA in their browser, and manually check and set up trusted certificates one by one for the websites they visit?
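As an added example (not code from the original post), here is the kind of check the manual verification above amounts to, in Python: connect using the machine's own trust store, so a chain it rejects (the banner case) is reported as a finding, and otherwise compare the presented certificate's issuer organization and SHA-256 fingerprint with values pinned earlier for that host (the case of an appliance CA the machine already trusts). The host names, issuer strings and sample data are constructed for illustration.

```python
"""Flag a TLS-inspecting proxy by pinning who is expected to sign a host's certificate."""
import hashlib
import socket
import ssl
from typing import Iterable, Optional

def name_field(rdn_seq, field: str) -> Optional[str]:
    """Pull one attribute (e.g. organizationName) out of ssl.getpeercert()'s nested RDN tuples."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == field:
                return value
    return None

def check_interception(cert: dict, der: bytes, expected_issuer_orgs: Iterable[str],
                       pinned_sha256: Optional[str] = None) -> list[str]:
    """Return findings; an empty list means the presented certificate matches what we pinned."""
    findings = []
    org = name_field(cert.get("issuer", ()), "organizationName")
    if org not in set(expected_issuer_orgs):
        findings.append(f"issuer organization {org!r} is not one of {sorted(expected_issuer_orgs)}")
    if pinned_sha256 is not None:
        fp = hashlib.sha256(der).hexdigest()
        if fp != pinned_sha256.lower().replace(":", ""):
            findings.append(f"leaf SHA-256 {fp[:16]}... does not match the pin")
    return findings

def probe(host: str, expected_issuer_orgs, pinned_sha256=None, port: int = 443) -> list[str]:
    """Connect with the system trust store; a chain it rejects is itself a finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock, \
             ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()               # parsed dict, only populated when verified
            der = tls.getpeercert(binary_form=True)  # raw DER for fingerprinting
    except ssl.SSLCertVerificationError as exc:
        return [f"chain not trusted by this machine: {exc.verify_message}"]
    return check_interception(cert, der, expected_issuer_orgs, pinned_sha256)

# Constructed sample shaped like ssl.getpeercert() output; the names are invented
# for illustration and not copied from any real appliance certificate.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example-Appliance-CA"),), (("commonName", "proxy-ca"),)),
}
SAMPLE_DER = b"constructed-der-placeholder"

if __name__ == "__main__":
    print(check_interception(SAMPLE_INTERCEPTED, SAMPLE_DER, {"Example Trust Services"}))
```

Run `probe("mail.example.com", {"Example Trust Services"}, pinned_sha256=...)` from a known-clean network first to record the issuer and fingerprint, then re-run from the network you suspect.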
Finally, this issue is perhaps one of the oldest in human behaviour: trust.